A password is often the only thing standing between hackers and your data. Giant corporations like Dropbox or Google have the means to keep your data secure, but their security measures fall short if a user chooses a weak password or falls for a phishing scam.
We’ve covered how to set up a strong password (as well as what happens when you have a bad password) and today we’ll discuss one more step you can take to ensure the security of your online accounts: enabling two-factor authentication, or 2FA.
Two-Factor Authentication Explained
Two-factor authentication gets its name from requiring two things for a user to authenticate: something you know, and something you own. Your password is something you know, and something you own is a device that only you have access to, such as your phone or a security token.
A security token is a device like the Yubikey or the devices distributed by some banks for online banking.
If you’re using a smartphone, you’ll need an app like Authy or Google Authenticator. These apps are easy to set up and easy to use, typically requiring a user to scan a barcode from within the app using their phone’s camera.
How Two-Factor Authentication Works
The basic idea behind two-factor is that if an attacker manages to get your password, your account is still safe thanks to requiring a second factor to authenticate. Without your phone or security key nobody is able to login. There are several protocols that can be used for two-factor authentication, such as U2F, TOTP and HOTP.
We’ll briefly explore these protocols, as the underlying cryptography is a bit technical.
U2F was developed by Google and Yubico to make public-key cryptography easier to use for consumers and to make it easier for users to securely identify themselves.
The U2F Yubikey has a device-specific key stored in the hardware. The key is created during the manufacturing process and can not be modified or extracted from the device. The U2F version of the Yubikey cannot be reset or modified, unlike other versions of the Yubikey as they support different protocols.
Google and Yubikey designed U2F with privacy and security in mind, allowing users to use one key with multiple accounts without any identification or tracking. It’s a complicated process, but essentially each new account creates a new “handle” that, in combination with the secret embedded in your key, allows your key to authenticate you without personally identifiable information.
The process looks complex, I know, but don’t worry. They’re cheap and easy to use, as well as supported across many services and platforms. For users wanting to add security to their Google, Facebook or Dropbox account, you can’t go wrong with a U2F key.
HOTP stands for HMAC-based One Time Password — yeah, it’s a mouthful. HMAC is a cryptographic term meaning “hash-based message authentication code.” In short, HOTP uses a “counter” along with a secret key known only to the validation service and the hardware device. The counter is created using the HMAC-SHA1 algorithm.
HOTP is event-based, meaning when you use a token with HOTP to authenticate the counter increases, resulting in a new one-time password (OTP). HOTP-generated passwords remain valid until you attempt to login again, which causes the counter to be increased and a new OTP generated.
While still a secure method of authentication, TOTP is often preferred since the OTP changes far more often.
Time-based One Time Passwords, or TOTP, functions similar to HOTP in that it relies on a moving factor to generate new passwords. The moving factor, in this case, is time. Authy and Google Authenticator are two of the apps commonly used for two-factor authentication on mobile devices and they both rely on TOTP to function. As with HOTP, the server and token (or app) are kept in sync using the counter and secret key.
The benefit over HOTP is that even if an attacker were to somehow get ahold of a password, it’s short-lived. The time-based nature of TOTP makes it an inherently more secure method of authentication.
Getting Locked Out
A big question comes to mind when you use a 2FA solution: what happens if I lose it? Yubikey recommends using two security keys when you setup two-factor authentication for your Google account. You can use one key whenever you login and keep the other key somewhere safe, such as a bank deposit box, in case you lose your primary key.
Most services that support two-factor authentication also provide the option to generate “backup verification codes” in case you lose your key or phone. These codes are a random series of numbers or letters and do not expire — you should write these down or print them out for safekeeping. Do not store your backup codes on your computer, in case your device gets compromised or stolen.
If you lose your security key or mobile phone, you won’t be permanently locked out of your accounts. Keep a copy of your backup codes generated or keep an extra security token stashed somewhere safe in the event you lose your primary method of authentication.
When you use two-factor to login, some websites or services will ask you if you want to “trust” this device, either permanently or for a certain period of time. It’s convenient, certainly, but it’s also a security risk.
If you don’t encrypt your hard drive and your device is stolen, an attacker can login on your device and render two-factor authentication useless. This might be a small risk, of course, but you have to decide for yourself if it’s worth it. In the event you do lose a device you previously decided to trust, most services allow you to remove a compromised device from your account.
What You Should Use for 2FA
Virtually everyone has a smartphone and both Authy and Google Authenticator are free, making it the cheapest option available to almost all users. Some security experts, like Bruche Schneier, are critical of two-factor authentication in general, especially SMS authentication.
SMS text messages aren’t technically two-factor authentication. Experts call this two-channel authentication, or out-of-band authentication, since the process of sending and receiving a text occurs on a different communication channel than the password process.
Someone could in theory use a Stingray or similar device to catch SMS messages, but they would have to actively be watching you since verification codes are generated upon each new sign-in.
An app like Authy or Google Authenticator is far more secure than SMS verification and should be used instead of SMS wherever possible. The TOTP method ensures a constant updating of passwords, making you a moving target. As long as your cell phone remains secure and isn’t compromised, app-based two-factor verification is a good method for most users.
Personally, I recommend a Yubikey if you don’t mind spending a little money. The U2F Yubikey is good for most users since it supports the popular platforms and services on the web — you can even use it to login to Linux.
A Yubikey is, by design, difficult if not outright impossible to compromise. It’s a secure, enclosed device that is waterproof and crushproof and allows you to authenticate in seconds. Google published a report on their internal usage of the Yubikey, stating it reduced the time to authenticate by two-thirds, compared to using SMS or an app.
The verdict: a security token like the Yubikey is the quickest and most secure method to use two-factor authentication.
Two-factor isn’t flawless, but it’s a big improvement over password-based authentication alone. Security is a complex area and difficult to master, but the goal is to make an attacker’s job as difficult as possible. Enabling two-factor authentication wherever possible will enhance the security of your accounts and your data.
Whether you use an app or a security token for two-factor, it’s easy to use once you set it up. Generate recovery codes where possible to keep from getting locked out of your accounts in case you lose your phone or token, and keep these codes stored safely offline. Use a hardware token like a Yubikey for the ultimate in security and convenience.
Thank you for reading, feel free to comment below or share this article across social media.