I’ve been stressing two-factor authentication (2FA), or two-step verification, in my early columns here at Private I, because I believe most people avoid using this extra protection for their accounts due to the fuss and management, and may think it will lock them out of access or require an extra step when it’s unnecessary.
But 2FA isn’t an obstacle course with bottomless pits. It’s more like a flu vaccination. If you’re not feeling ill and aren’t worried about getting sick, you might skip the innoculation. That does you a fat lot of good when you’re laid up for two weeks with aches and fevers with one of the strains covered by the current shot—and you’ve infected all your coworkers.
Likewise, as with backups, the precaution doesn’t feel good at all—it’s only when you could have had your account cracked, and didn’t, that you feel the sweet relief. When you begin to receive a series of password-reset messages secure in the knowledge that without that second factor, someone can’t get into your account? When you hear about a rash of password cracks and you’re not affected? It’s a balm.
Modern 2FA systems aimed at consumers and small businesses, and many for enterprises, avoid the use of keyfobs and other hardware keys—having to carry around those doodads is certainly a reason people avoided 2FA in the past. Among other things, you typically needed one per website or company! I still have eBay/PayPal and stock-trading doohickeys, and while I haven’t lost them, it’s a thing I have to keep track of and keep secure. Instead, most services either require or offer as an option the use of an authentication app that creates a limited-use code.
Apps trump SMS
Google offered one of the first widely used such apps, Google Authenticator, to allow average people to make use of 2FA without relying on SMS transmission. SMS is not considered highly secure: there are a number of ways for people or institutions to intercept SMS, whether over the air or through centralized systems. (I wrote last week about how SMS forwarding in Yosemite with Continuity will send second-factor SMS codes to any Mac or iOS device logged into the same iCloud account and with that feature enabled. In limited cases, it elevates risks, and you can easily mitigate them.)
Those risks are minimal or nonexistent for most (not all) of us, but SMS has a lot of limits and quirks. I’ve sometimes seen messages show up 30 minutes after a service apparently sent them, or never. If you travel outside of your home cellular service country or region, you might pay a small fortune for each text, or be unable to receive SMS at all. You might be somewhere rural with Internet service and no cell coverage, which has happened to me a surprising number of times on vacations. Authentication apps are a good alternative for all these reasons.
Every site seems to have a different procedure to set up 2FA with an authentication app, and many sites offer a choice between an app-based code or SMS. Some allow both. Twitter is the one oddball, offering either the use of SMS or its in-house-developed Twitter app, but not third-party apps. (Apple’s two-step verification requires an SMS-capable phone number plus trusted devices, and handles the authentication using its own proprietary means whether in iCloud, in iOS, or in Mac OS X.)
Google Authenticator, Authy, and DuoSec Security all support Google’s standard token protocol, which lets you accept a seed key from a site you’re securing with two-step verification, and then the apps derive a six-digit code using the key and either the current time or an incrementable counter. In my experience, I’ve only seen the time-based codes, which turn over every 30 seconds. Counter counts may be used once; time-based codes are only valid in a narrow window. (Google Authenticator is free; software from the others is free for basic or personal use, and they make their money from small-business and enterprise users.)
Many, many sites support Google’s protocol and thus any compatible auth app. Well-known companies include Amazon Web Services, Dropbox, Facebook, Hover, LastPass, Linode, and Tumblr, just to name a few.
To seed the code, sites typically generate a QR Code—a 2D tag that encodes information, and which has been the butt of many jokes. (They’re big in Japan!) But it’s an efficient way to get a bunch of random characters or numbers off a screen and into a phone. Some sites will also provide the code written out as in ASCII letters and numbers. (The key represented is 80 bits long.) The apps rely on the security of your devices, and don’t have secondary security mechanisms enabled by default. Only Authy allows a passcode or Touch ID to secure the app, but you have to turn that on.
You login with your password, are prompted for the second factor, launch the app, and enter the corresponding code. Many sites, once you’ve set up an auth app and used it to validate your login, allow you to mark browsers or devices as trusted, either forever or for a period of time, usually 30 days. Most sites with 2FA of any kind let you revoke or logout all trusted devices or browsers with a click from the site’s security settings, in case you worry you’ve been compromised or someone has gained access to a computer or mobile you thought was under your control. (This is true whether or not you’re using an auth app.)
The key problem with these auth apps? Losing the keys that lets you generate the codes! I found this out the hard way after first using Google Authenticator and having to restore my phone. Even though I had a full backup, Authenticator does not save keys in a way that can be restored, even with a full iTunes password-protected iOS backup. You have to re-enter your keys.
Authy prevents this problem by syncing data among devices registered to the same account and backs up the keys and other settings in the cloud. This is convenient, and imposes remarkably little additional risk, even should their security measures somehow be overcome. Because you are syncing only a single factor—another advantage of 2FA. (Someone could conceivably recover your Authy password, but then they’d need one of your trusted devices, too, which you could protect with a separate PIN or fingerprint. The odds of that wind up being pretty slim.)
Regardless of Authy, you need to make sure you have a separate backup plan. Depending on the service you use, you’ll be offered a recovery code, one-time login codes, or a way to store the initial key. Make sure and encrypt those so that someone gaining access to one password or your computer wouldn’t be able to access your 2FA recovery details, too! I use Yojimbo and 1Password, both of which have strong encryption options, and I have picked unique, strong passwords.
If you’ve been delaying turning on 2FA because of the fuss, I hope that these authentication apps will give you the confidence to add another factor. It feels like swallowing your medicine, but it’s surest way to increase your personal security immunity—not perfectly, but a solid bump up—and keep your accounts to yourself.