User Tools

Site Tools


two-factor_authentication

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
two-factor_authentication [2019/08/21 07:45]
neil
two-factor_authentication [2021/07/06 10:26] (current)
Line 5: Line 5:
   * [[two-factor_authentication#Enable two-factor authentication wherever you can|Enable two-factor authentication wherever you can]]   * [[two-factor_authentication#Enable two-factor authentication wherever you can|Enable two-factor authentication wherever you can]]
   * [[two-factor_authentication#Have a back-up mechanism in case you lose your device(s)|Have a back-up mechanism in case you lose your device(s)]]   * [[two-factor_authentication#Have a back-up mechanism in case you lose your device(s)|Have a back-up mechanism in case you lose your device(s)]]
 +  * [[two-factor_authentication#Something you have: one-time codes|Something you have: one-time codes]]
  
 ===="Two-factor authentication" means using something you are, or something you have, to log in to a site, rather than just something you know==== ===="Two-factor authentication" means using something you are, or something you have, to log in to a site, rather than just something you know====
Line 23: Line 24:
  
 Check first that you can use whatever two-factor approach you are using on whatever devices you tend to use. If you primarily use your phone, and the service requires a hardware device which is incompatible with your phone, you'll be causing yourself a lot of inconvenience, which may overreach the security benefit. Check first that you can use whatever two-factor approach you are using on whatever devices you tend to use. If you primarily use your phone, and the service requires a hardware device which is incompatible with your phone, you'll be causing yourself a lot of inconvenience, which may overreach the security benefit.
 +
 +Some password managers will suggest logins for which two-factor authentication is available. There's also a good list [[https://www.telesign.com/turnon2fa/tutorials/|here]].
  
 ====Have a back-up mechanism in case you lose your device(s)==== ====Have a back-up mechanism in case you lose your device(s)====
Line 48: Line 51:
 These one-time codes are usually generated by a piece of software on your computer or phone, or else through a dedicated hardware device. These one-time codes are usually generated by a piece of software on your computer or phone, or else through a dedicated hardware device.
  
-===Time-based One-Time Passwords (TOTP)===+===Time-based One-Time Passwords (TOTP) are common and easy to use=== 
 + 
 +Lots of sites support one-time codes, which changes after a few seconds. This is known as "TOTP" or "time-based one-time passwords"
 + 
 +Once set up, you need to log in using your username and password, and then put in the current code before it expires. This means that you always need to have the mechanism to generate the code to hand, when you want to log in. 
 + 
 +These work by generating a special code, which you store on a device, and which the service stores. So, to use TOTP, you need a means of storing this special code. (You may not even see the special code; you may just need to scan a QR code, which automates the storage, so that you see only the effect of it, which is the generation of six-digit one-time passwords, which change routinely). 
 + 
 +You might be able to use [[passwords#Use a password manager|password manager]] to store your codes, along with your site login, if you are comfortable storing everything in one place. 
 + 
 +Alternatively, you can use a dedicated app, such as "Google Authenticator"
 + 
 +You might also use a hardware device.
  
 ===Avoid text message for delivery of codes === ===Avoid text message for delivery of codes ===
Line 57: Line 72:
  
 Second, if someone manages to hijack your phone number (sometimes known as "SIM swapping"), they get all your messages and calls. Irritating at the best of times, but even more problematic if you rely on text messaging to log in to your services — the double whammy of you not being able to log in until you get it fixed, and someone else getting your codes. Second, if someone manages to hijack your phone number (sometimes known as "SIM swapping"), they get all your messages and calls. Irritating at the best of times, but even more problematic if you rely on text messaging to log in to your services — the double whammy of you not being able to log in until you get it fixed, and someone else getting your codes.
 +
 +Third, if you are out of signal, you cannot get your code — no good for places with Internet connectivity, but no or poor cellular service.
  
  
two-factor_authentication.1566369924.txt.gz · Last modified: 2021/07/06 10:26 (external edit)