two-factor_authentication
two-factor_authentication [2019/08/04 15:57] – created neil | two-factor_authentication [2019/08/21 06:55] – neil | ||
---|---|---|---|
Line 1: | Line 1: | ||
=====Two-factor authentication===== | =====Two-factor authentication===== | ||
- | ====What is " | ||
- | Option of 2FA — so if you do make a mistake and give away your username and password, still hard for someone to make use of them, as they require an extra piece of data which (hopefully) on your can generate. | ||
- | Downside of 2FA is that, if you lose your device, you may well be locked out of your accounts. | + | ====Key points ====Â |
+ | * [[two-factor_authentication#" | ||
+ | * [[two-factor_authentication# | ||
+ | * [[two-factor_authentication# | ||
+ | * [[two-factor_authentication# | ||
- | If the second code is delivered over SMS, you can probably get a new SIM, get your provider | + | ====" |
+ | Â | ||
+ | When you log in to a site or service using a username and password combination, | ||
+ | Â | ||
+ | To increase your security, you need to add additional " | ||
+ | Â | ||
+ | You choices are " | ||
+ | Â | ||
+ | " | ||
+ | Â | ||
+ | This page focusses on " | ||
+ | Â | ||
+ | ====Enable two-factor authentication wherever you can ====Â | ||
+ | Â | ||
+ | Because of the security benefits of having two-factor authentication in place, you should enable it wherever you can. This normally means "on every site and service which supports it". | ||
+ | Â | ||
+ | Check first that you can use whatever two-factor approach you are using on whatever devices you tend to use. If you primarily use your phone, and the service requires a hardware device which is incompatible with your phone, you'll be causing yourself a lot of inconvenience, | ||
+ | Â | ||
+ | ====Have a back-up mechanism in case you lose your device(s)====Â | ||
+ | Â | ||
+ | A risk of enabling two-factor authentication is that, if you lose control of the second | ||
+ | Â | ||
+ | ===Backup one-time codes ===Â | ||
+ | Â | ||
+ | If you are using one-time codes, you are usually prompted to download and save some backup codes, which you can use if you lose your one-time | ||
+ | Â | ||
+ | If you use a password manager, and if you back this up, you might store your backup codes in that. | ||
+ | Â | ||
+ | Alternatively, | ||
+ | Â | ||
+ | ===Backup hardware devices ===Â | ||
+ | Â | ||
+ | If you are using a hardware device, good practice | ||
+ | Â | ||
+ | Keep one with you, to use for logging in, and keep the second in a safe. | ||
+ | Â | ||
+ | ====Something you have: one-time codes ====Â | ||
+ | Â | ||
+ | Some sites will let you configure your account to require you to put in a one-time code, in addition to your username and password. | ||
+ | Â | ||
+ | These one-time codes are usually generated by a piece of software on your computer or phone, or else through a dedicated hardware device. | ||
+ | Â | ||
+ | ===Time-based One-Time Passwords (TOTP) are common and easy to use===Â | ||
+ | Â | ||
+ | Lots of sites support one-time codes, which changes after a few seconds. This is known as " | ||
+ | Â | ||
+ | Once set up, you need to log in using your username and password, and then put in the current code before it expires. This means that you always need to have the mechanism to generate the code to hand, when you want to log in. | ||
+ | Â | ||
+ | These work by generating a special code, which you store on a device, and which the service stores. So, to use TOTP, you need a means of storing this special code. (You may not even see the special code; you may just need to scan a QR code, which automates the storage, so that you see only the effect of it, which is the generation of six-digit one-time passwords, which change routinely). | ||
+ | Â | ||
+ | You might be able to use [[passwords# | ||
+ | Â | ||
+ | Alternatively, you can use a dedicated app, such as " | ||
+ | Â | ||
+ | You might also use a hardware device. | ||
+ | Â | ||
+ | ===Avoid text message for delivery of codes ===Â | ||
+ | Â | ||
+ | Some services offer the real-time delivery of one-time codes using text message. If possible, avoid this, in favour of an approach which doesn' | ||
+ | Â | ||
+ | First, text messages are not secure, and a sufficiently motivated attacker is likely to be able to access | ||
+ | Â | ||
+ | Second, if someone manages | ||
+ | Â | ||
+ | Third, if you are out of signal, you cannot get your code — no good for places with Internet connectivity, | ||
- | If you use an app — which means you are not reliant on getting an SMS — you may struggle more. I don’t have a great solution for this at the moment. | ||
====Hardware security tokens ==== | ====Hardware security tokens ==== | ||
+ | {{:: | ||
Yubikeys | Yubikeys |
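Review bot: the backup-codes paragraph ("If you use a password manager, and if you back this up, you might store your backup codes in that") should warn that keeping backup codes in the same vault as the account password collapses the two factors into a single store, so a compromise of that vault yields both; suggest recommending a separate location (a printed copy in a safe, as the hardware-device section already advises for the second key, or a separately encrypted store). Related, the TOTP paragraph describes the shared secret only as "a special code, which you store on a device, and which the service stores": naming it as a secret, and noting that anyone who copies it (including by keeping the setup QR code) can generate every future one-time code, would make clear why the seed needs the same protection as the password itself. Two grammar fixes: "You choices are" should read "Your choices are", and "one-time codes, which changes after a few seconds" should read "which change".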
two-factor_authentication.txt · Last modified: 2022/09/08 09:09 by neil