Yes! Use two-factor authentication (2FA) everywhere and every time it is possible. Nowadays it is pretty common, and almost all services allow you to use some kind of 2FA.
What is 2FA?
2FA adds another layer, on top of your service credentials (e.g. email/username and password), to verify your identity. After you log in with your username and password, the site will ask you to enter a one-time password or to use a hardware key (depending on the type of 2FA you are using).
It is similar to the process you used with your bank account some time ago. Every time you opened a new account, your bank gave you a GRID card with a table of 36 pre-generated PINs. Each grid had different ones, and when you tried to make a financial operation the bank asked you to enter, for example, the PIN from field A7.
Types of 2FA
The most common options now are using a phone number, where the application sends you a TOTP token, and Google Authenticator. Here it is good to know that Google Authenticator != TOTP.
TOTP (Time-based One-Time Password) is a computer algorithm that generates a one-time password (OTP) using the current time as a source of uniqueness ([Wikipedia](https://en.wikipedia.org/wiki/Time-based_one-time_password)), and Google Authenticator is an application (one of many such apps) that stores the seed and generates OTPs for you. It's like email being a protocol and Thunderbird being an email client that uses the email protocol to send and receive messages.
Another solution is push notifications, where an application asks you to confirm that you want to log in to your account (e.g. Microsoft Authenticator or Duo Security by Cisco).
The last one is hardware keys. After login you have to plug the key into USB and touch its button to proceed to your account. Some keys have a built-in biometric reader, which adds another layer of protection to your account (only the owner can unlock the key).
The last two are commonly used with what is called a "passwordless" account (e.g. a Microsoft account), which, as the name tells you, is an account without a password. After activation you will need to confirm a notification on your phone every time, and your account password will be removed (at least with a Microsoft account). There are some cons to this approach: RDP does not work with passwordless accounts, so you will need to create another local account to use with it.
Google also allows you to use some kind of passwordless authentication; however, they don't remove your password, so in some cases you can still choose to authenticate with a password.
To summarize:
To summary this:
- TOTP via SMS or authenticator apps
- Push notifications
- Hardware keys
- Passwordless accounts
Why to use it?
It adds another layer of protection to your account: if your password is leaked, the attacker will also need access to another security object (e.g. your mobile phone or hardware key). Many companies also check the location you try to log in from, so even if you don't have 2FA activated the attacker may not be able to log in to your account, but this can be easily bypassed with a VPN; they just need to know which country you are from.
When you have 2FA enabled it is much harder to compromise your account, so you should use 2FA every time it is possible.
Good to know
- The TOTP seed is the hash that is used to generate your one-time password. Keep it safe and never share it!
- A QR code is just another representation of the TOTP seed which mobile phones can read, so you don't need to enter the code manually.
Some recommendations at the end
- Google Authenticator and Authy aren't the only 2FA applications; use applications that allow you to export your TOTP seed (the ones I mentioned don't allow that) to prevent loss of your data.
- Use at least two methods (when possible): some services allow you to set up multiple methods, so when you forget your hardware key you can still use push notifications on your phone. If that is not possible, at least get backup codes or register a backup phone.
- When registering a TOTP authenticator you (mostly) get backup codes in case you lose your authenticator config. Store them in a safe place.
- Treat the TOTP seed (and backup codes) as a password: store it in a safe place and DO NOT share it. NEVER!
- Use password managers.
Stay safe! ✌️
2022-04-25 07:39 +0000 (Last updated: 2022-05-15 14:35 +0000)
67a1173 @ 2022-05-15