How to use two-factor authentication the right way

Topic

New Reply

SECURITY By Lance Whitney Two-factor authentication is still one of the best ways to protect your accounts. But there are right and wrong ways to use
[See the full post at: How to use two-factor authentication the right way]

10 users thanked author for this post.

ibe98765, Heraclitus, WSGeo, lmacri, F A Kramer, Cindy McKimm, rc primak, wdburt1, Simon_Weel, Alex5723

Reply | Quote

Replies

There’s at least one category of people not very happy with 2FA – the handicapped. My wife is severely handicapped due to spinal muscular atrophy, meaning she doesn’t have much muscle. Picking up a phone takes all she’s got. Entering a 2FA code is no problem, but she can’t scan a QR-code; someone else has to do that for her. And that’s a problem since more and more websites switch to QR-code-only authentication…

Reply | Quote

Good point. A lot of sites still offer an alternative method to scanning a QR code for an authenticator. But increasingly, many do not. So your only option is to try to scan the code or choose a different method, such as an SMS text (which isn’t secure) or a security key (which is secure but requires you to purchase that physical key).

1 user thanked author for this post.

rc primak

Reply | Quote

Google gmail and Microsoft Outlook have a fraught relationship. Google lists Outlook as a risky application. I changed my gmail account to have 2FA and Outlook could no longer retrieve email from that account. Had to turn 2FA back off.

Reply | Quote

I’ve seen that problem before. You have to configure Google to allow account access to specific third-party apps. If you still want to try this, go to your Google account and select Security and then click the link for Manage third-party access. Make sure that Microsoft apps and services have access to Gmail. I believe that should fix this.

Reply | Quote

What happens your cell phone dies or is stolen… or the authentication app stops working or is accidentally deleted and you don’t have a backup phone? It gets complicated quickly.

For banking and financial accounts I have access either physically or through my broker. So good to go there.

For the rest I make the decision based on the question: what happens if I don’t have access? Can I live without it… at least until I can restore access?

1 user thanked author for this post.

WSGeo

Reply | Quote

Those are valid points. And they go to the very nature of 2FA. Authenticating your account logins this way requires a separate device, either a mobile phone or a physical security key. So you are dependent on that additional device. The only alternative to this is biometric security, such as using facial or fingerprint recognition. My laptop, for example, has a built-in camera and fingerprint reader that can authenticate my logins. But this type of authentication isn’t as widely supported as more traditional 2FA. So there are pitfalls to any authentication method.

3 users thanked author for this post.

Biiljoy, WSlagunacreek, rc primak

Reply | Quote

I consider two “worst-case scenarios”:

1. I am traveling alone in a place where I don’t know anyone, and my wallet and cell phone are stolen. I can perhaps persuade someone — a hotel manager, for example — to let me use an Internet-connected computer, but I can’t install any software and I have nothing with which to authenticate myself but the information in my head. Can I get my bank to wire money, find phone numbers or addresses and inform friends, etc? Remember, all my contacts were in my cell phone, which I no longer have.

2. My house catches fire and when I run out in a panic, I don’t have my cell phone. All my “trusted” devices, along with any printed papers or storage devices containing backup codes, are destroyed. How will I get access to my insurance documents (online), my backups (since physical ones were destroyed) and all other accounts?

It seems to me that 2FA trades one security problem (someone who shouldn’t get access can) for another (someone who should get access can’t). What never ceases to anger me is when providers don’t let me choose my own level of concern for each of those possibilities. I do use a password manager (KeeWeb/KeePass). The database is stored in multiple places online, I can get to the software to read it in a web browser from at least two places, and by the time a hacker could crack its pass phrase, it is certain that I will no longer be here to care.

For a short time I used Google Drive for online backup. Then I realized that in a crisis scenario — just when I might really need my backups — I would quite likely be locked out of my Google accounts… and given Google’s complete lack of customer service, the lockout could easily be permanent. Of course, anything sensitive I store online is encrypted before I upload it — so I’m far more concerned about being able to get to my backups under adverse conditions than I am about someone getting access to my encrypted files.

1 user thanked author for this post.

wavy

Reply | Quote

There’s always going to be a worst-case scenario for any type of security technology, and often more than one. It’s unavoidable. That’s just the reality of it. But imperfect though it may be, 2FA is still one of the best ways to protect your credentials, at least until an easier and perhaps more reliable option comes along.

Reply | Quote

While no solution is perfect, for the home computer user I do not understand why registering that computer is not an adequate solution, avoiding the need for texts and telephone calls. What am I missing?

Yes, of course, someone can break in and steal the computer, then bruteforce account passwords at their leisure. Or a houseguest could slip into the home office. Or lightning could strike.

Reply | Quote

Or what if you are far from home and need to move some cash for an emergency?

-- rc primak

Reply | Quote

My response to this article specified “for the home computer user.”

As for traveling, your reply seems to assume that I would “move cash” using a smartphone.  Sort of like the way people used to buy travelers’ checks, before credit cards became common.

If, say, I totaled the car and needed to buy a new one, credit cards with adequate limits would seem to be a better answer.

If I need to go somewhere where they are not useful, well, then, I’ll consider my options.

Reply | Quote

Do car dealerships accept credit cards? They would lose that 2 3 %

🍻

Just because you don't know where you are going doesn't mean any road will get you there.

Reply | Quote

Can you really buy a car on a credit card? Wow! Some credit car. Or maybe a car that has seen better days?

Ex Windows user (Win. 98, XP, 7) since mid-2020. Now: running macOS Big Sur 11.6 & sometimes, Linux (Mint)

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV and Malwarebytes for Macs.

Reply | Quote

For your home PC, hopefully you’re using some type of biometric authentication. For instance, Windows Hello lets you set up a PIN, fingerprint scan, or facial scan. So you don’t have to deal with passwords or two-factor authentication.

Reply | Quote

I found this article disappointingly out of touch with how computers are actually used. AskWoody authors have constantly reminded us the make and verify at least 2 backups of our computers. OK. Following AskWoody advice, how do I make backups of my two-factor authentication? To be specific, how do I recover if my phone is broken, stolen or lost, or I lose my keyring containing my Yubikey?

I have a child who is for want of a better word “ditsy”, constantly losing or forgetting things. If she forgets her phone, how does she do two-factor authentication to gain access to her online accounts?

Every month or so, my wife or one of my children phones me to say something along the lines of ‘I need a file from my home computer. Can you attach it to an email for me?” How do I do this if we are using two-factor authentication instead of passwords? We need multiple devices that can authenticate access to the same account.

These scenarios (and similar ones) are common. There is no point to investing in two-factor authentication until there are clear solutions. Could we have a followup article on solutions to these sorts of problems?

 

3 users thanked author for this post.

jburk07, Biiljoy, wdburt1

Reply | Quote

I’ve talked about this a couple of times.  Google auth has the easiest method to back up the two factor. You can export it out to another google auth app like on a tablet or even another person’s phone entirely.  Microsoft auth app you have to back it up to a Microsoft account.

Susan Bradley Patch Lady

2 users thanked author for this post.

jburk07, rc primak

Reply | Quote

Not sure what you mean by “out of touch.” Is two-factor authentication perfect? Of course not. It does require an additional device. That’s what we mean by two factor, as in a second device. That’s either going to be a mobile phone or a physical security key, or even a smartwatch. The Apple Watch can handle 2FA requests. But if someone keeps losing or misplacing all of these items, then you’re right, 2FA isn’t going to work for that person. It does require some effort, as do most things in life.

Reply | Quote

Several major accounts now require(!) that I use one and only one method of 2FA. I must a enter a code sent to my wireless ten-digit telephone number. I do not have a wireless phone and have no other need or reason to pay the hundreds of dollars necessary to obtain one on my limited, fixed, income. (Samsung and Yahoo Mail are two examples doing this; I have encountered others.) Apparently, the people setting up these systems are so immersed in their own advanced tech world that they cannot imagine how many of us more modestly must live and work.

6 users thanked author for this post.

WCHS, jburk07, Biiljoy, mtman6698, wdburt1, grandma78633

Reply | Quote

I have Yahoo Mail. There is no such requirement. Yahoo allows me to set up for each application and each device, a one-time App Password. In place of my Yahoo Password in the app (email client for example) or when doing a login on the device, I enter the App Password and have it saved. For Web Mail, this is not (yet) a requirement.

For gmail I do have to use my phone to log into Google (does not require additional steps) or have my phone ready to log in from any other device. However, I have an email client which has the app password, the same way I can do for Yahoo Mail.

Web Mail is where installing an authenticator app, and using an app password for the authenticator app, would be the way to go if you don’t have or use a phone. Or purchase one of those Bluetooth-Nearfield-USB physical keys and use that.

Eventually everyone will need to get past password-only logins.

-- rc primak

1 user thanked author for this post.

jburk07

Reply | Quote

I have an AT&T account for email. AT&T uses Yahoo Mail to provide the service. In trying to setup my AT&T email account on a new Samsung Tablet using Android, Yahoo Mail required that I enter my AT&T email address as asked for by the setup software. I was then asked to verify my identity by also entering my AT&T password. Fine. Then I was to enter my postal zip code. Well, OK. Finally, I was required to enter my ten-digit wireless phone number to get a code. It sure looks like Yahoo Mail is requiring a wireless number! I would welcome an explanation as to how to get around this apparent barrier to the service that I am paying for. Using a web browser to access my email account encounters this same “wireless required” behavior.

AT&T support will not give me an answer or means of getting around this problem. Yahoo Mail the same. Neither supplies real support for their customers in my experience, only canned, automated responses. Maybe that is part of the reason that Yahoo, for example, has declined in popularity.

I repeat: the people that set up these requirements live in a tech-centered world without contact with the real world I occupy.

1 user thanked author for this post.

WCHS

Reply | Quote

If you don’t have or want to get a mobile phone, then a physical security key is another option. If you don’t want to buy one of those, then two-factor authentication is not for you. Given that, however, how else would you authenticate your account logins with an extra form of security? Two-factor authentication means exactly that, a second form of authentication, meaning a second type of device. Biometric scans, such as fingerprint or facial recognition, are certainly an easier option. But those aren’t universally supported on the web. So for now 2FA is really the only viable choice in many cases.

Reply | Quote

2 factor authentication may be a good thing for businesses that need security.  But as a 76 year old long time computer user who does NOT always have my cell phone handy (it is my PHONE, NOT my COMPUTER) I find it extremely annoying when it is FORCED upon me!

I use my phone ONLY as a phone/communication device.  I have NO banking or financial apps on it.  That is what my “computer” is for.  Sending me a verification code in email is annoying, but OK since I am obviously on the computer.  But PLEASE do not force me to wear a leash to my cell phone!!!

And oh by the way, what happens if you have lost your phone or IT has been stolen?  Are you then locked out of everything???

3 users thanked author for this post.

OscarCP, F A Kramer, wdburt1

Reply | Quote

See my Reply about App Passwords instead. And Authenticator Apps, which have other options. Apps are not just for phones. Alternatively, having a hardware key is a possibility, though not an easy one for those who don’t want to use or can’t manage with, smartphones.

The alternative is getting your accounts hacked and your personal info sold or impersonated. Password security is no longer adequate. Technology has moved on.

This is a security issue, not a scheme to make our lives difficult. And there’s no direct way companies make money from requiring 2FA. Except for Yubi and others who make hardware keys.

-- rc primak

Reply | Quote

Two-factor authentication by its definition requires a second device. That’s the nature of the technology. If you don’t want to use a mobile phone, then a security key is another option. If you don’t want to use that, then this option really isn’t for you.

Reply | Quote

How about just using a second password or number as an access? I find that providing my phone number to receive a text that has a code to open a program or sign on to another system to be a problem, in that I have now given my phone number to a computer that can provide it to everyone in the world for the purpose of selling me something.

1 user thanked author for this post.

wdburt1

Reply | Quote

All passwords, no matter how you chain them, can be broken and otherwise hacked way too easily these days. And it’s getting rapidly worse.

-- rc primak

1 user thanked author for this post.

Lance Whitney

Reply | Quote

“Using brute-force tools, hackers quickly run through thousands of password combinations until they find the one that matches your account. ”

This does not apply to online accounts as nearly all of them have lock-out policies that prevent or substantially slow down brute force attacks.

The main concern with online accounts are stolen credentials.  Many people re-use the same email and password combination for nearly everything online.  If one site is breached, the criminal will now try the stolen password on other sites.  No brute  forcing necessary.

1 user thanked author for this post.

WCHS

Reply | Quote

2FA is too easy to bypass now a days. It made sense 5+ years ago but now it is useless. Cell phone clone and sim card swapping has become so easy that it can be done with a device that cost less the $50 bucks. Most people log in from the same IP provider. Anyone that logs in from else were should be autoblock. Except would be, could add that will login from unknown location from X date to Y date and need to provide a generated pin for that before you leave. This would work better than 2FA. 2FA is mostly done for tracking person and rather than security now a days.

Reply | Quote

We’ve had this conversation before Mr. Anon.  What would your solution be?

Susan Bradley Patch Lady

Reply | Quote

The article covered problems like these with using phones as the second factor. Alternatives are biometrics, which have their own issues, or hardware keys with their plus and minus issues.

I agree that given a choice, if I already had a key device, I would never use a phone to verify my logins.

Blocking logins from all devices except the registered device would be mighty inconvenient if you lose your phone or it gets hacked or stolen. You would have no other way to log in. Same if your primary computer ever got lost, replaced, stolen or hacked. Or if you have a real money emergency and you are far from home.

Customer support (help desk) people do not enjoy all the account lock-out calls they already receive. And how would we verify ourselves to a help desk rep? And how would we contact Support without a way to log onto the Internet?

-- rc primak

1 user thanked author for this post.

Sueska

Reply | Quote

I have multiple e-mail accounts.  I don’t use e-mail on my phone at all.  However I do use one of them because of access to google.play, or some other reason.  How does an authenticator app work with that scenario?  Also, does Google require Google Authenticator or will another work?  I’m concerned about them having too much info.  I’ve been looking at 2FA by Authy.  So confused.

Reply | Quote

Authy and 0Auth will work across multiple sites. Maybe not for every site, but for the major players like the ones you have mentioned.

-- rc primak

1 user thanked author for this post.

Cindy McKimm

Reply | Quote

One problem with Google Authenticator that I encountered is the need to follow protocol when you get a new phone.  I cavalierly thought that just transferring data from my old Pixel phone to the new one would transfer everything.  It did not and I ended up locked out of business PayPal account as the Authenticator, though on the phone, did not have the information for this account.  It was only after the transfer and that I foolishly did a factory reset of the old one that I looked up how to do the transfer and realized the big mistake I made.  Fortunately it was only the one account .

Normally I use text message 2FA for all accounts.

Reply | Quote

I love using my hardware key for 2fa. It is so convenient. However my concern is what happens when it stops working or is lost. Some accounts asked me to set up emergency recovery codes as a back up during the hardware key setup. Not bad if I could remember which accts and where the recovery codes are located. Some sites give you the opportunity to choose an alternative method of authenticating if the key fails. It is a good idea to test the scenarios. You may find, as I did, that authenticating falls back on using the less secure SMS text method when you select use an alternate method to authenticate.

Reply | Quote

The article omitted a 2FA option – phone calls. Some companies, rather than texting a temporary code will call you and speak the code. This has two upsides. (1) It avoids insecure text messages and (2) the phone number does not have to be a cell phone, thus avoiding SIM card swapping issues. The phone number can even be a land line.

Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

3 users thanked author for this post.

jburk07, DrBonzo, wdburt1

Reply | Quote

One solution for a lost/broken/stolen cellphone is not to be dependent on a single phone in the first place. You can do this with a Wi-Fi only phone number. That is, use a phone number that is tied to a mobile app, rather than to a physical phone.

The app can be installed on any iOS or Android device and as long as that device can get online, it can get 2FA text messages. TextNow and Google Voice are two solutions, no doubt there are dozens more. I would be curious to hear feedback on other Wi-Fi only phone number providers.

This would be a great follow-up article.

Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

4 users thanked author for this post.

jburk07, SueW, DrBonzo, wdburt1

Reply | Quote

TextNow and Google Voice are two solutions, no doubt there are dozens more.

Alas, it is not uncommon for “VOIP” phone numbers — anything that can’t be directly associated with a major carrier, I think — to be rejected as ineligible for use in two-factor authentication. One of my banks flat-out says my Google voice number is “not a valid phone number.”

1 user thanked author for this post.

SueW

Reply | Quote

Some thoughts on this and a comment: Lance Whitney wrote: “Apple requires two-factor authentication to sign in to your Apple account and other pages.”

This is news to me. I have had the Mac I am using now to type this in for almost five years, and the only thing I have ever needed to access Apple has been my Mac’s login password and, occasionally, also my email address that, at least in my case, serves as the user ID.

As to two-factor authentication that relies on people having cellphones, that is outright ignorant discrimination.

One way to have some decent, but not infallible (because what is?) hacker-poof discrimination, when using a laptop or a desktop — i.e. something with actual ports in it — is the use of a normal login password plus the use of a PIN, a copy of which is also kept in a device that is plugged in, such as a USB thumb flash drive, so the connection has to be validated by both the password being the correct one and the PIN entered agreeing with the one in the device.

Even more secure, but less convenient, is the use of both a PIN and a token, the latter being a random number one also needs to enter and that is generated by a plug-in device every several seconds, before the connection is made, a device with an internal clock that keeps it in sync with the server of a restricted site one needs to access on a regular basis and where the same number is generated and then changed every set number of seconds. This also uses a form of encryption, such as RSA.

As a desktop is unlikely to go places, the problem with the change of location, mentioned in some previous comments made here, does not arise. And some people, myself, for example, use a laptop because it is handy to move it around the house, but it never sees the outside world, other that very rarely, for example to go to a repair shop.

Ex Windows user (Win. 98, XP, 7) since mid-2020. Now: running macOS Big Sur 11.6 & sometimes, Linux (Mint)

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV and Malwarebytes for Macs.

Reply | Quote

Well written article.  Unfortunately, many companies do not give you a choice in how you are to request the authentication request.  One example:  Microsoft, requires you to have a smartphone.  If you do not have one, tough “suds.”  Microsoft does not give you an alternate mechanism, such as a land-line to receive a voice code.  So, I am unable to correct the mess they have created.  (It is unreasonable for me to have to pay $95 for up to one hour of tech support–hoping they can fix the mess.)

1 user thanked author for this post.

wdburt1

Reply | Quote

With the new FIDO passwordless sign-in 2FA will be eliminated..

Reply | Quote

True. But that will still require a mobile phone. Your phone would store the FIDO passkey credentials that would log you into accounts, both on the phone itself and on any nearby PC or other device via Bluetooth. This would eliminate or at least reduce the need for passwords. But you’d still need to have your phone with you, which apparently some of the commenters here feel is unfair.

Reply | Quote

Why was receiving the [6-digit] numerical code by email left out in the article? Some sites support this 2FA method.  For example, the 2FA directory has a column for the email 2FA method.

Then suppose your web logins to email accounts are already protected by the 2FA authenticator app method and/or security key method.

1 user thanked author for this post.

F A Kramer

Reply | Quote

You are correct that some sites support email 2FA. My bank does. But as I have already noted here, Samsung and AT&T (Yahoo Mail) do not for me. Could it be the reason is that Samsung and AT&T have a “sellphone” business?

Reply | Quote

You indicate that text/sms is the least secure means of 2FA, but what about receiving the code via email or even a phone call (seems to be common options)?

Reply | Quote

I use a third party authenticator app on my phone and back up the phone with a laptop, and backup the laptop with external hard drive.  The only 2fa I have had foisted on me that’s terrible is my university has it’s own authentication app that you need on your phone to access classes, finances, grades, zoom, email, etc.  The app is closed source, I wonder what it’s doing with my data?  It’s called RapidIdentity

https://apps.apple.com/us/app/rapididentity/id1230131130

Two star rating, no choice but to install it.  The install was super painful when the automatic install didn’t work, I had to comb the schools documentation and manually enter the schools auth address and port numbers.  The school was phished for all it’s employees w-2’s a few years ago and I guess this is some board room’s answer.

Reply | Quote

Good point.  How much of this is driven by people who feel the need to show that they care about security:

• senior management
• boards of directors
• lawyers
• accounting firms required by recent federal laws to audit adequacy of control systems
• regulators that impose similar requirements of their own
• consultants

Most of these people don’t know what they’re talking about.  I say this from experience as former chief operating officer of a company required to meet the requirements noted above.

2 users thanked author for this post.

WSGeo, OscarCP

Reply | Quote

Exactly. “We have to do SOMETHING!”

And some of it is an attempt at CYA, when you try to make a claim with the insurance company to cover your losses after a hack.

But why do I feel like this is fighting the last war.

 

1 user thanked author for this post.

wdburt1

Reply | Quote

One aspect of two-factor authentication that I don’t see discussed, is what happens when the cell-phone that’s tied to TFA isn’t available? It could simply be out of juice, in the shop because you dropped it and cracked the screen, you accidentally left it at home or work, it’s been stolen, etc. Or you just don’t have cell-phone service at the moment.

In effect, you could find yourself locked out of your own account.

1 user thanked author for this post.

wdburt1

Reply | Quote

I don’t believe I have any accounts left with 2FA turned on.  Generally too much work to logon for no good reasons for me.  I did have a security key for eBay and PayPal but they dumped support for that method a while ago.

Then Google forced turned on 2FA on Gmail accounts not too long ago.  I had to go to the 10 GMail  accounts I have and turn it off.  Thanks Google.

Reply | Quote

Coises wrote:

so I’m far more concerned about being able to get to my backups under adverse conditions than I am about someone getting access to my encrypted files.

You buy a new smartphone, tablet, laptop.. and restore all your data from backups (cloud…). You are up in minutes.

Reply | Quote

Coises wrote:

I am traveling alone in a place where I don’t know anyone, and my wallet and cell phone are stolen.

For #1 Good solutions are awaited. Until then:
Leave some Traveler’s Checks in the hotel room?

Safe deposit box for the second.

🍻

Just because you don't know where you are going doesn't mean any road will get you there.

Reply | Quote