User Tools

Site Tools


two-factor_authentication

This is an old revision of the document!


Two-factor authentication

Key points

"Two-factor authentication" means using something you are, or something you have, to log in to a site, rather than just something you know

When you log in to a site or service using a username and password combination, you are logging in with what is known as a “single factor”, since both of these things – your username, and your password — are both “things that you know”.

To increase your security, you need to add additional “factors” to your login credentials. This means that, if someone compromises your username and password (highly likely if you are not using a unique username, and unique password, for every site and service, or else if you log in over an insecure connection), they should still not be able to access your account, since they do not have control over that extra “factor”.

You choices are “things that you are” and “things that you possess”.

“Things that you are” basically means using a biometric factor, such as a fingerprint or facial recognition scan.

This page focusses on “things that you possess”.

Enable two-factor authentication wherever you can

Because of the security benefits of having two-factor authentication in place, you should enable it wherever you can. This normally means “on every site and service which supports it”.

Have a back-up mechanism in case you lose your device(s)

A risk of enabling two-factor authentication is that, if you lose control of the second factor, you will be unable to access the service in question.

Backup one-time codes

If you are using one-time codes, you are usually prompted to download and save some backup codes, which you can use if you lose your one-time code generator.

If you use a password manager, and if you back this up, you might store your backup codes in that.

Alternatively, or perhaps additionally, you might print them off, and store them in a safe.

Backup hardware devices

If you are using a hardware device, good practice is to buy two identical devices, and configure them to mirror each other.

Keep one with you, to use for logging in, and keep the second in a safe.

Something you have: one-time codes

Some sites will let you configure your account to require you to put in a one-time code, in addition to your username and password.

These one-time codes are usually generated by a piece of software on your computer or phone, or else through a dedicated hardware device.

Backup codes.

Two hardware devices, so you can store a backup safely in safe.

Option of 2FA — so if you do make a mistake and give away your username and password, still hard for someone to make use of them, as they require an extra piece of data which (hopefully) on your can generate.

Downside of 2FA is that, if you lose your device, you may well be locked out of your accounts.

If the second code is delivered over SMS, you can probably get a new SIM, get your provider to move your number across to the new SIM, and you are up and running.

If you use an app — which means you are not reliant on getting an SMS — you may struggle more. I don’t have a great solution for this at the moment.

Hardware security tokens

Yubikeys

two-factor_authentication.1566369476.txt.gz · Last modified: 2021/07/06 10:26 (external edit)