Digital Security 101: Reinforce your password security with two-factor authentication

Congratulations! If you’re following on from my previous post, you have taken the first steps towards improving your digital security. Unfortunately, what you probably won’t want to hear is that strong passwords, whilst an excellent start, are just not enough on their own. To make your accounts even more secure, it is strongly encouraged that you apply two-factor authentication to your accounts wherever it is available.

Why should I do it

Imagine you were at the top of an attacker’s list of people whose accounts they want to compromise: which account are they likely to start with? Two-factor authentication offers you a second line of defence and could potentially buy you some time to change your password before someone compromises your account. If you enable two-factor authentication you are protecting your account with something you know (your password) and something you have (the device containing your two-factor authentication codes).

What are my options

There are many ways to implement two-factor authentication, and below I’ve listed a selection of the most common and convenient ones. Whilst some of these methods are better than others, it is always worth keeping in mind that any two-factor authentication is better than no two-factor authentication at all.

SMS One Time Passwords are quite a common way of implementing two-factor authentication. I would discourage this unless there is no other option. If someone were able to trick your mobile phone operator into issuing a Port Authorisation Code, they could move your mobile number to a phone in their possession and would then receive your One Time Passwords. You may be thinking, what is the probability of this happening? Unfortunately it is common enough to have earned the term SIM-jacking.

There is a good chance that your password manager is capable of handling your two-factor authentication. KeePassXC and 1Password are just a couple of examples of password managers with that capability. Whilst this is a very convenient way of using two-factor authentication, if someone unfortunately gains access to your password manager they will have everything they need to access your accounts.

Then there is the mobile phone app solution. You may have seen in the security settings of a service that you use “protect your account with Google Authenticator”. Google Authenticator uses two standards, Time-based One Time Passwords (TOTP) and HMAC-based One Time Passwords (HOTP), to generate new codes (every 30 seconds in the time-based scheme) that grant you access to an account. Once it is set up and you’ve entered your username and password on a service that you use, you will be taken to a page where you are asked to enter the code from your device. As you can imagine, with the code changing every 30 seconds, this makes a breach of your account very difficult.

Which app should you choose? As stated above, Google Authenticator is completely capable of handling your two-factor authentication, but there are plenty more applications that can, and that are open source, something which Google Authenticator has not been since version 2.21. I was previously a user of Google Authenticator, so should you wish to use it, it is better than nothing; however, I personally believe there are better apps that offer a greater feature set.

I’ve tried a few apps for Android, such as FreeOTP+ and Aegis Authenticator, but the one I settled on was andOTP. It’s a free and open source app that has all the capabilities of Google Authenticator plus extras such as backing up your one time passcodes and password-protecting them. I have noticed that andOTP is now unmaintained, so you may want to consider one of the other two apps, as no doubt I will migrate to one of them soon.

Don’t lock yourself out

You may want to take some precautionary measures to ensure you don’t accidentally lock yourself out of your own accounts. As you can imagine, storing these passcodes on a device like your mobile phone is excellent until you lose or break your mobile phone. You could create a new vault in KeePassXC and scan the QR code (or enter the secret key) into that vault. That way, if you lose access to your device you still have the same codes available to you. Whilst convenient, some may advise against this, as you now have multiple copies of these one time codes. If you feel that is too much of a security risk then you’ll be glad to know there is an alternative: backup codes.

I cannot stress enough how important backup codes are. If a service offers you backup codes then be sure to take note of them. These single-use passcodes will allow you to regain access to your account and set up your One Time Passcodes on a new device. The recommended storage method for these codes is on paper, kept in a fireproof safe. I imagine some people do not have a safe in their house, so the next best thing would be to store them encrypted, for example in a KeePass vault, and keep that password vault offline.

How do I do it

I take the same approach to setting up two-factor authentication as I do with my passwords. I protect the most important services I use, or the ones that would cause me the most problems if they were breached. You can check whether the websites and services you use support two-factor authentication by visiting 2fa.directory. Then visit the service you want to set up two-factor authentication on. Scan the QR code or enter the secret key into your app, then enter the passcode it shows to verify that the code is working.

Congratulations, you have just taken the next step in protecting yourself with two-factor authentication.

TL;DR (Too Long Didn’t Read)