🔒 Cybersecurity for lawyers

User Tools

Site Tools

Trace:
two-factor_authentication

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
Next revisionBoth sides next revision
two-factor_authentication [2019/08/21 06:32] – neiltwo-factor_authentication [2019/08/21 06:45] – neil
Line 3: Line 3:
 ====Key points ==== ====Key points ====
   * [[two-factor_authentication#"Two-factor authentication" means using something you are, or something you have, to log in to a site, rather than just something you know|"Two-factor authentication" means using something you are, or something you have, to log in to a site, rather than just something you know]]   * [[two-factor_authentication#"Two-factor authentication" means using something you are, or something you have, to log in to a site, rather than just something you know|"Two-factor authentication" means using something you are, or something you have, to log in to a site, rather than just something you know]]
 +  * [[two-factor_authentication#Enable two-factor authentication wherever you can|Enable two-factor authentication wherever you can]]
 +  * [[two-factor_authentication#Have a back-up mechanism in case you lose your device(s)|Have a back-up mechanism in case you lose your device(s)]]
  
 ===="Two-factor authentication" means using something you are, or something you have, to log in to a site, rather than just something you know==== ===="Two-factor authentication" means using something you are, or something you have, to log in to a site, rather than just something you know====
Line 16: Line 18:
 This page focusses on "things that you possess". This page focusses on "things that you possess".
  
-====Something you have: one-time codes ====+====Enable two-factor authentication wherever you can ====
  
-Some sites will let you configure your account to require you to put in a one-time+Because of the security benefits of having two-factor authentication in place, you should enable it wherever you can. This normally means "on every site and service which supports it". 
 + 
 +Check first that you can use whatever two-factor approach you are using on whatever devices you tend to use. If you primarily use your phone, and the service requires a hardware device which is incompatible with your phone, you'll be causing yourself a lot of inconvenience, which may overreach the security benefit. 
 + 
 +====Have a back-up mechanism in case you lose your device(s)==== 
 + 
 +A risk of enabling two-factor authentication is that, if you lose control of the second factor, you will be unable to access the service in question. 
 + 
 +===Backup one-time codes === 
 + 
 +If you are using one-time codes, you are usually prompted to download and save some backup codes, which you can use if you lose your one-time code generator. 
 + 
 +If you use a password manager, and if you back this up, you might store your backup codes in that. 
 + 
 +Alternatively, or perhaps additionally, you might print them off, and store them in a safe. 
 + 
 +===Backup hardware devices === 
 + 
 +If you are using a hardware device, good practice is to buy two identical devices, and configure them to mirror each other.  
 + 
 +Keep one with youto use for logging in, and keep the second in a safe. 
 + 
 +====Something you have: one-time codes ====
  
-Backup codes.+Some sites will let you configure your account to require you to put in a one-time code, in addition to your username and password.
  
-Two hardware devicesso you can store backup safely in safe.+These one-time codes are usually generated by a piece of software on your computer or phoneor else through dedicated hardware device.
  
-Enable two-factor authentication wherever you can, but make sure you have a back-up mechanism in case you lose your device(s).+===Time-based One-Time Passwords (TOTP)===
  
 +===Avoid text message for delivery of codes ===
  
-Option of 2FA — so if you do make a mistake and give away your username and passwordstill hard for someone to make use of them, as they require an extra piece of data which (hopefully) on your can generate+Some services offer the real-time delivery of one-time codes using text message. If possibleavoid this, in favour of an approach which doesn't use text messages.
  
-Downside of 2FA is thatif you lose your deviceyou may well be locked out of your accounts+Firsttext messages are not secureand a sufficiently motivated attacker is likely to be able to access your messages.
  
-If the second code is delivered over SMSyou can probably get a new SIM, get your provider to move your number across to the new SIM, and you are up and running+Secondif someone manages to hijack your phone number (sometimes known as "SIM swapping")they get all your messages and calls. Irritating at the best of times, but even more problematic if you rely on text messaging to log in to your services — the double whammy of you not being able to log in until you get it fixed, and someone else getting your codes.
  
-If you use an app — which means you are not reliant on getting an SMS — you may struggle more. I don’t have a great solution for this at the moment. 
  
 ====Hardware security tokens ==== ====Hardware security tokens ====
 {{::img_0417.jpg?400|}} {{::img_0417.jpg?400|}}
 Yubikeys Yubikeys
two-factor_authentication.txt · Last modified: 2022/09/08 09:09 by neil