User Tools

Site Tools


Two-factor authentication

Key points

"Two-factor authentication" means using something you are, or something you have, to log in to a site, rather than just something you know

When you log in to a site or service using a username and password combination, you are logging in with what is known as a “single factor”, since both of these things – your username, and your password — are both “things that you know”.

To increase your security, you need to add additional “factors” to your login credentials. This means that, if someone compromises your username and password (highly likely if you are not using a unique username, and unique password, for every site and service, or else if you log in over an insecure connection), they should still not be able to access your account, since they do not have control over that extra “factor”.

You choices are “things that you are” and “things that you possess”.

“Things that you are” basically means using a biometric factor, such as a fingerprint or facial recognition scan.

This page focusses on “things that you possess”.

Enable two-factor authentication wherever you can

Because of the security benefits of having two-factor authentication in place, you should enable it wherever you can. This normally means “on every site and service which supports it”.

Check first that you can use whatever two-factor approach you are using on whatever devices you tend to use. If you primarily use your phone, and the service requires a hardware device which is incompatible with your phone, you'll be causing yourself a lot of inconvenience, which may overreach the security benefit.

Some password managers will suggest logins for which two-factor authentication is available. There's also a good list here.

Have a back-up mechanism in case you lose your device(s)

A risk of enabling two-factor authentication is that, if you lose control of the second factor, you will be unable to access the service in question.

Backup one-time codes

If you are using one-time codes, you are usually prompted to download and save some backup codes, which you can use if you lose your one-time code generator.

If you use a password manager, and if you back this up, you might store your backup codes in that.

Alternatively, or perhaps additionally, you might print them off, and store them in a safe.

Backup hardware devices

If you are using a hardware device, good practice is to buy two identical devices, and configure them to mirror each other.

Keep one with you, to use for logging in, and keep the second in a safe.

Something you have: one-time codes

Some sites will let you configure your account to require you to put in a one-time code, in addition to your username and password.

These one-time codes are usually generated by a piece of software on your computer or phone, or else through a dedicated hardware device.

Time-based One-Time Passwords (TOTP) are common and easy to use

Lots of sites support one-time codes, which changes after a few seconds. This is known as “TOTP” or “time-based one-time passwords”.

Once set up, you need to log in using your username and password, and then put in the current code before it expires. This means that you always need to have the mechanism to generate the code to hand, when you want to log in.

These work by generating a special code, which you store on a device, and which the service stores. So, to use TOTP, you need a means of storing this special code. (You may not even see the special code; you may just need to scan a QR code, which automates the storage, so that you see only the effect of it, which is the generation of six-digit one-time passwords, which change routinely).

You might be able to use password manager to store your codes, along with your site login, if you are comfortable storing everything in one place.

Alternatively, you can use a dedicated app, such as “Google Authenticator”.

You might also use a hardware device.

Avoid text message for delivery of codes

Some services offer the real-time delivery of one-time codes using text message. If possible, avoid this, in favour of an approach which doesn't use text messages.

First, text messages are not secure, and a sufficiently motivated attacker is likely to be able to access your messages.

Second, if someone manages to hijack your phone number (sometimes known as “SIM swapping”), steal your phone, or simply remove your SIM card, they get all your messages and calls. Irritating at the best of times, but even more problematic if you rely on text messaging to log in to your services — the double whammy of you not being able to log in until you get it fixed, and someone else getting your codes.

You can mitigate some of the risk by:

  • changing the settings of your phone, so that message content is not available from the lock screen
  • setting a SIM PIN, different to your device PIN, so that if someone takes your SIM and tries to put it in a different device, they cannot use it until they enter a PIN.

Third, if you are out of signal, you cannot get your code — no good for places with Internet connectivity, but no or poor cellular service.

Hardware security tokens


two-factor_authentication.txt · Last modified: 2022/09/08 09:09 by neil