You Need To Use 2FA Everywhere

You Need To Use 2FA Everywhere
Photo by FLY:D / Unsplash

Yes! Use 2 factor authentication (2FA) everywhere and everytime it is possible. Novadays it is pretty common and almost all servicess to allow you to use some kind of 2FA.

What is 2FA?

2FA gives you to your service identification (e.g. emal/username & password) another layer to verify your identity. After logging with your username and password site will ask you to enter one time passowrd or use hardware key (its based on type 2FA you using).

It is similar to process that you had using with your bank account some time ago. Everytime you opened new account your bank provided you GRID cards with table of 36 pregenerated pins. Each grid had different ones and when you tried to make some finnancial operations bank ask you to enter pin from field A7 for example.

Types of 2FA

Most common now is using phone number where application send you TOTP token and Google authenticator. Here is good to know that Google authenticator != TOTP.

TOTP is Time-based one-time password which is computer algorithm that genarates onetime password (OTP) that uses the current time as a source of uniqueness. (Wikipeda)[https://en.wikipedia.org/wiki/Time-based_one-time_password] and Google authenticator is application (one of a kind) that is used to store and generate OTP for you. It's like Email is protocol and Thunderbird is email client that using email protocol to deliver and recieve messages.

Another solution is use push notifications where application will ask you to confirm that you want to login to your account (e.g. Microsoft authenticator or DUO Security by Cisco).

And last one is use hardware keys. After login you have to put key to usb and touch button to proced to your account. Some keys have built in biometric reader which add another lkayer to protect your account (only owner can unlock key).

Passwordless accounts

The last two are commonly used with something that is called "passwordless" account (e.g. Microsoft account), which is as name tells you account without password. After activation you will need everytime confirm notification on your phone, and your account password will be removed (at least with Microsoft account). There are some cons for this approach - RDP not working with passwordless accounts, so you will need to create another local account for using with it.

Google also allows you to use some kind of passwordless authentication however they dont remove you passowrd so in some cases you can choose to authenticate with password.

You consider this as next (higher) level of security as there is no danger of misuse of the password, since there is none.

"But May, here you have only one method of authentication". Yes, but attacker will need to have physical access to your device or to you or he need to have awesome skill in social enginereing to convince you to send him your device.

To summary this:

  • TOTP via SMS or authenticator apps
  • Push notifications
  • Hardware keys
  • Passwordless accounts - this is not 2FA in the true sense as you not using your password anymore but you need everytime confirm notification or use hardware key.

Why to use it?

It will add another layr of protection to your account, and if your password is leaked, attacker will need to have access to another security object (e.g. mobile phone, hardware key), however many companies also checking locations from where you try to log in. So even if you don't have 2FA activated atacker may not be able to login to your account but this can be easily bypassed by using VPN, he just need to know from which one country you are.

When you have enabled 2FA it is much harder to compromise your account. Attacker will need access to you 2FA device (key, backup codes, mobile phone).

Good to know

  • TOTP seed is hash which is used to generate your One-time password Keep it safe and never share it! Consider it as your password or key from your house.
  • QR Code is just another representation of TOTP seed which mobile phones can red so you don't need to enter those codes manually.

Some recommendation at the end

  • Google Authenticator or Authy isn't only 2FA applications, consider using applications which allow you to export seed to your TOTP to prevent loss of your data. I'm using 1Password.
  • Use at least 2 methods (when it is possible): Most services require to use your phone number before they allow you setup another method.
  • Backup code/s can be used when you lost access to you 2FA item (key, phone), keep them safe simmilar as you password and don't give them to anybody.
  • Use Password managers - keeping you password in some document on you computer or what is even worse - in cloud is really not a good idea!

Stay safe! ✌️