A mere-mortal's guide to security and privacy online – Part 2: Multi-factor authentication

February 16, 2019 by Florian Einfalt

In the first part of this mini-series I talked about how password managers can protect you from the most common random attacks. In this post, I’ll be looking at what you can do beyond password managers to further harden the security of your data: multi-factor authentication.

Let’s assume an attacker stole your username and the complex, 40-character password that you use for an important online service. If that were the case, the attacker would have unfettered access to your personal and – depending on the type of service – potentially financial data. Sounds like an uncomfortable situation.

Many online services today offer another mechanism that goes beyond your username and password for authentication: multi-factor authentication (MFA). What is multi-factor authentication? When you enter a valid username/password combination on a system with MFA enabled, you have only completed the first of two steps required to log on successfully: you have provided something that you know. The second step crucially involves something that you have: a device (e.g. a smartphone or token generator) or an application that is pre-registered with the service. Typically the service you are trying to log on to will require a short, time-limited series of characters or numbers called a token or TOTP (time-based one-time password). It is either generated by the service and sent to you via text message, or generated on demand by a pre-registered application on your phone or computer. You usually have 30-60 seconds to type the token into the login form, and you will only be authenticated to use the service if both the username/password combination and the token are correct.

To be fair, this sounds quite complicated and inconvenient, but there are tools that make the process straightforward.

To get started, check if your service of choice even supports MFA. There’s a very handy website at twofactorauth.org that has a comprehensive list of services sorted by category. Next, get the app Authy. Authy is free, stores MFA token generators for all the services you would like to protect on your phone or tablet, and is available for both iOS and Android. It also offers a convenient sync feature which comes in handy in case you lose the device containing your MFA token generators. An alternative is Google Authenticator, which is also free and available on all major platforms but, to my knowledge, does not sync between devices. Many password managers, such as 1Password, will also store these token generators, but the goal of today’s post is to separate the location of passwords and MFA tokens wherever possible, so opt for a dedicated MFA app.

Now, log on to your online service and activate MFA for your account. This differs from service to service and can be hidden in “Security” or “Advanced” menus, but is usually described in a support document. Most services will offer MFA through SMS or software. Given the option, always opt for the software variant over SMS. The traditional SMS system is easily compromised through SIM-swapping and is not encrypted. On the next screen, the service should display a QR code which you can scan with Authy or Google Authenticator; the account should then be added to the app, generating a new token every 30-60 seconds. Typically, the service will ask for the current token to confirm that MFA setup was successful. Also, the service might display one or more MFA backup codes so you are able to regain access to the account in case your phone has been destroyed – these should be saved in a secret place, possibly a password manager or a similar vault.

Going forward, every time you try to log on to the service you should be prompted for an MFA token, and Authy will show a notification on your phone with the current TOTP. Some apps will also copy it to the clipboard so you don’t even need to type anything.

© 2018-2020 Florian Einfalt