I need more than a password?
May 17, 2023
You’ve likely been faced with a prompt from your bank or financial institution or some other site to enable “two factor authentication.” What is it? Do you want it? That’s what we’ll cover this week.
Two factor authentication (also known as 2FA) is simply a way to prove you are who you claim to be by presenting two different forms of identification which typically only you will know or have access to. The first factor is usually a password. The second can be any of a number of things: a code that’s sent to you by text message, a fingerprint or a face print, or a code that’s generated by a 2FA app (we’ll get into that a bit later).
Why would you want this? Well, doubtless you’ve heard about companies and services getting “hacked” and having their clients’ information stolen. This often includes user information like user name and password. If you have enabled 2FA, then the bad guy will need more than just your password to gain access to your account – they’ll need access to that second factor. Some sites will ask you to provide an answer to a question that you’ve set up with them. Yes, this is a second factor, but is it a good second factor? Generally, no. The site has your answer somewhere in its data store, and the hacker could easily have gotten that information, too, or obtained it from another source. So it’s much better to use a second factor that relies on something only you have, like a fingerprint, a code from a text message, or a code generator.
Do I use 2FA? Absolutely! On every site that gives me the option, and I will use whatever they offer – if they only offer the question and answer model (for instance, what’s your mother’s maiden name), I’ll take it. But, like I said earlier, that’s not really terribly secure. If they offer text message or email confirmation, I’ll use that. But those aren’t terribly secure, either, as your email could be hacked or your phone number could be cloned. While not likely, those hacks are still a possibility. What second factor do I prefer? I prefer to use a code generator.
Code generators take a “seed” and use it as input to a mathematical algorithm to generate a one-time code. The most common is a “Time-based One Time Password” or TOTP. That seed and the current time are used to generate a code that changes periodically, generally every 30 seconds or so. When you sign up for TOTP 2FA you’ll usually be presented with a QR code and a string of characters. If your code generator app has access to the camera you can scan the QR code; if not, you can copy the characters into your code generator app. Once you have input that, the site will ask you to confirm with the TOTP, generally a 6-digit code, and your code generator will present a code. The code you enter should match what the site expects, and if it does, you’re set. If it doesn’t, the site will not confirm it and you’ll need to start over.
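To show what the app and the site are each doing, here is the TOTP calculation described above written out in Python. This is an added illustration, not code from the column or from any particular app: the seed (the “string of characters”, in base32) and the current 30-second window go through HMAC-SHA1 and are truncated to 6 digits. The seed used is the RFC 6238 test key in base32 form, and the `verify` function shows the site’s side of the “they should match” check, allowing one step of clock drift.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example seed: the RFC 6238 test key "12345678901234567890" in the
# base32 form a site would show next to its QR code. Never reuse a published seed.
EXAMPLE_SEED_BASE32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(seed_base32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Compute an RFC 6238 TOTP (HMAC-SHA1) for the given seed and Unix time."""
    # Base32 decoders insist on '=' padding; sites often omit it, so re-add it.
    key = base64.b32decode(seed_base32.upper() + "=" * (-len(seed_base32) % 8))
    counter = unix_time // step                      # which 30-second window we are in
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)    # keep leading zeros


def verify(seed_base32: str, submitted: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Site-side check: accept the code for the current window or a neighbouring
    one (phone clock drift), comparing in constant time to avoid timing leaks."""
    for delta in range(-skew_steps, skew_steps + 1):
        candidate = totp(seed_base32, unix_time + delta * 30)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    # This is the number an authenticator app would be showing right now.
    print("Current code:", totp(EXAMPLE_SEED_BASE32, now))
```

Because both sides derive the code from the same seed, whoever holds the seed can generate your codes; that is why the seed, not the 6-digit code, is the thing to write down and keep safe.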
There are a number of TOTP code generator apps available. See https://www.nytimes.com/wirecutter/reviews/best-two-factor-authentication-app/ for The Wirecutter’s favorites. Personally, I use Authy (https://authy.com/; for downloads go to https://authy.com/download/). I like that I can use it on multiple devices, as it allows me to sync my accounts across all of them. Note that Google Authenticator has recently provided a similar option, but security researchers have reported that the synchronization process does not use an encrypted connection, so I would stay away from it. Also, I would recommend that you write down the seed for each site so that you can easily retrieve it to set up a different generator app. Lastly, Bitwarden (my favorite password manager) can generate TOTPs! When you create a new site, or when you edit one, you may enter the seed for the generator and Bitwarden will generate your TOTP for you. Not only that, but if you use it to fill in the user ID and password for a site, it will put the current TOTP for that site on your clipboard, making it that much easier and quicker to log in.
That’s all for this week’s column. I hope this helps you understand two factor authentication and that you will use it whenever possible.
As always, my intent with these columns is to spark your curiosity, give you enough information to get started, and arm you with the necessary keywords (or buzzwords) so you’ll understand the basics and are equipped to search for more detailed information.
Please feel free to email me with questions, comments, suggestions, requests for future columns, to sign up for my newsletter, or whatever at [email protected] or just drop me a quick note and say HI! And don’t forget that I maintain links to the original columns with live, clickable links to all the references at https://go.ttot.link/TGColumns+Links or https://go.ttot.link/TGC+L – it should be updated shortly after this column appears online.