
Computer Security: Multi-factor Authentication

This is the third post in a multi-part series on computer security essentials. I am not a computer security expert, but there are some basic computer security essentials that a surprising number of people don't understand. The aim of this series is to raise awareness of these. I will be covering password vaults, two-factor authentication, devices and local encryption.

Multi-factor authentication is a method of accessing your accounts that requires more than one independent factor of authentication: typically a combination of something you know (such as a password), something you have (such as a device or card) and something you are (such as a fingerprint or iris scan). The factors have to be of different kinds; two passwords are still only one factor.

Two-factor authentication (commonly called 2FA) is the most common form of multi-factor authentication and is supported by a large number of online services.

Some time ago, two-factor authentication for online services typically relied on a physical fob or token that generated a one-time password, but this had several downsides: the tokens were expensive, you had to wait for one to be issued and shipped before you could use the service, and you had to carry it with you everywhere.

(Image: an RSA hardware token, http://www.tech.proact.co.uk/emc/i/rsaHardware.png)

These days two-factor authentication usually consists of a free app running on a smartphone. When you enable 2FA, the site shares a secret with the app (usually by scanning a QR code); the app then combines that secret with the current time to generate a short one-time password, typically six digits that change every 30 seconds, which you enter in addition to your regular password to log on to the site or service. The secret itself never leaves the phone: only the derived code is typed in.

I originally used Google Authenticator for these but I have since moved to Authy on iOS because, as of a few months ago at least, Google Authenticator provides no convenient mechanism to move codes across devices (besides disabling and reenabling 2FA for every site you use).

Some sites also let you use SMS as the second factor. This is less convenient if, for example, you are travelling in a different country with a different SIM card and can't receive messages at the number you registered. It is also the weakest of the options: an attacker who talks your carrier into moving your number to their SIM (a "SIM swap") receives your codes, so prefer an authenticator app wherever the site offers one.

Some password managers, such as LastPass and 1Password, can also generate one-time passwords. I prefer to keep my one-time passwords separate from my regular passwords.

Most sites that offer multi-factor authentication also let you generate and print a set of single-use backup codes in case you lose access to your device. Print them and store them somewhere secure, but never keep them in your password vault: each code bypasses the second factor, so anyone who obtains your vault would get both your password and a way around your multi-factor authentication.
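The reason backup codes are so sensitive is that, on the server, they are nothing more than a second password that happens to work once. The following is an added example of how a site might issue and redeem them; it is not the code of any service named in this post, and the pepper value and the codes it prints are constructed for the example. Note the server keeps only keyed hashes, accepts a code exactly once, and normalises what the user retyped from paper.

```python
"""Server-side issue and redemption of printable backup codes.

Added example for this post; the pepper below is constructed and is not a
production value.
"""
import hashlib
import hmac
import secrets

# Constructed for the example. In a real deployment the pepper is kept outside
# the user database (e.g. a secrets manager) so that a dump of stored digests
# cannot be brute-forced offline against the 40-bit code space.
EXAMPLE_PEPPER = b"example-server-side-pepper-not-for-production"


def generate_backup_codes(count: int = 10, nbytes: int = 5) -> list[str]:
    """Return `count` random codes formatted like 'a3f9c-0e71b' (CSPRNG, 40 bits each)."""
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(nbytes)               # 2*nbytes lowercase hex chars
        codes.append(f"{raw[:nbytes]}-{raw[nbytes:]}")
    return codes


def _normalise(code: str) -> str:
    """Users retype codes from paper: ignore case, spaces and the dash."""
    return "".join(ch for ch in code.lower() if ch.isalnum())


def _digest(code: str, pepper: bytes) -> str:
    """Keyed hash of the normalised code; the plaintext code is never stored."""
    return hmac.new(pepper, _normalise(code).encode(), hashlib.sha256).hexdigest()


def store_backup_codes(codes: list[str], pepper: bytes) -> set[str]:
    """What the server persists for the user: one digest per unused code."""
    return {_digest(c, pepper) for c in codes}


def redeem_backup_code(stored: set[str], presented: str, pepper: bytes) -> bool:
    """Accept a code once.

    The matching digest is removed on success so the same printed code cannot be
    replayed, and the comparison is constant-time.
    """
    candidate = _digest(presented, pepper)
    for digest in stored:
        if hmac.compare_digest(digest, candidate):
            stored.discard(digest)   # safe: we return immediately after mutating
            return True
    return False


if __name__ == "__main__":
    codes = generate_backup_codes()
    print("print these and keep them offline:", *codes, sep="\n  ")
    vault = store_backup_codes(codes, EXAMPLE_PEPPER)
    print("first use:", redeem_backup_code(vault, codes[0], EXAMPLE_PEPPER))
    print("replay:   ", redeem_backup_code(vault, codes[0], EXAMPLE_PEPPER))
```

Because a redeemed code is destroyed, the printed sheet loses a line each time you fall back on it; sites that do this well tell you how many remain and let you regenerate the whole set, which invalidates every old code at once.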

You should enable multi-factor authentication on every site you use that supports it. WordPress.com, Google, GitHub and Slack all support two-factor authentication. You can look up which online services support it on this handy website.

4 replies on “Computer Security: Multi-factor Authentication”

you should never store these in your password vault as this defeats the purpose of having multi-factor authentication since these codes bypass your multi factor authentication.

Not exactly the same, but I have recently come around to the idea of using 1Password as both my password manager AND my 2FA application. I just switched over from LastPass to 1Password, and one of the big reasons for my switch is the convenience of managing all of that in one place. 1P will fill in the username/password fields on a webpage for me, and then automatically copy the code to my clipboard so I can paste it in on the next screen. Magic!

True, it’s not really multi-factor anymore because the one-time codes are stored in the same place as the account password… but this article (https://blog.1password.com/totp-for-1password-users/) describes why that’s not as big of a problem as it sounds, and in fact he argues that any time you use an MFA app on the same device where you log in with your password, then it’s not really “multi-factor” at all anyway.

The gist of the article is that the main security benefit of Temporary One Time Passwords (TOTP) is that a bad actor intercepting your network traffic may be able to steal your password, but they’ll never be able to steal the code that generates the TOTPs because all that’s sent over the wire is a simple number, not the secret itself. So from that perspective, storing/generating the TOTPs in the same app as your password isn’t an issue.

It’s all about risk vs reward, though. For me, for most of my accounts, the reward of convenience is worth the risk. For others that might not be true 🤷.

Thanks Scott! I use 1Password and I was going to try their MFA support for a couple of accounts to see how it goes. I currently use Authy on my phone, separate from my laptop, so I have to manually type the code – secure but not convenient.
