Context for Clarity
A simple email and password combination is not enough to prevent bad actors (or hackers, if you will) from accessing your account. This is because possession of the credentials does not guarantee that the person accessing a service is the original user. There are several reasons using only passwords is not ideal:
- Bad passwords – Most people are lazy and use very simple passwords, or reuse the same password for every service they sign up for. A malicious user can use a dictionary-based attack (i.e. looking up commonly used strings of letters and numbers) to gain access quickly. If the password used is small, then simple brute force attacks can also be used to gain access. Credentials are leaked online when miscreants bypass the security of a service and dump any data in the public domain that they can get their hands on. At the very least, people should use a Password Manager like Bitwarden.
- Phishing scams and Social Engineering – People may have secure passwords, but they may get conned by fake sign up forms. They might even keep their passwords written somewhere, and any person with physical access to their workspace can get their credentials.
- No alternative means of access – If a password is the only thing that allows entry, and if the user loses that password, then they may get locked out. Providing additional steps to the authentication process (or an email at the very least) can allow the original user more flexibility, while simultaneously making it harder for third parties to gain access. These reasons pushed the adoption of additional layers of security for authentication.
Adding Layers
Often, companies use physical keys, such as special USB sticks, magnetic cards, for authenticating sessions. We deemed this idea viable for adoption for the general user because there’s always one physical means of verification that is almost always available: the smartphone.
It is a safe bet to assume that most of the people who make use of online services have access to a smartphone (their own, or of someone they trust at the very least). These pocket devices can perform general tasks. One of these include being able to store private keys and generate authentication codes for an extra password-like feature. The phones now act as physical security keys that can ensure a very secure way of authentication, without giving up too much on ease of use for the intended end user. They do this by making use of OTPs or One Time Passwords. One way to get OTPs is through email or SMS. Another is through hardware specific authenticator systems.
Authenticator Apps
There are a few apps available on the Play Store, and the iOS App Store that generate 2FA codes. I use Google Authenticator, but I also have Microsoft’s version, which functions similarly. The codes generated last for about 30 seconds (depending on the service) and then regenerate, rendering the previously generated string of digits ineffective. This method is good because the timing factor is independent of connectivity. Even if the phone has no access to the internet, or cannot receive SMS (and text message based OTPs), we can still rely on the 2FA codes generated. The only bit of information needed is an initial seed that the app can scan from a barcode or a QR code.
Avoiding Disaster
The 2FA codes generated are available offline on the device it was initially registered on. If you lose this device, you will lose access to the codes. There are a few to make sure that this does not happen:
- When registering your device for a service’s 2FA, make sure to download, backup and securely store the backup codes. Use these in the event that you have lost access to your phone. Store it in an encrypted vault, like the one present in OneDrive. Never, store passwords or recovery codes in plain text. Anyone with physical access to your device can get access to your accounts as well, even if they’re secured with 2FA.
- When upgrading to a new phone, make use of the export accounts feature on Google’s Authenticator app, to transfer the existing accounts’ 2FA configurations to the new device. If you’re using Microsoft’s Authenticator, make sure to turn on sync with your outlook account. This leads to easy syncing of the 2FA codes with the new device.
In the second case, make sure that your Microsoft account too has 2FA enabled and has robust security measures in place. Otherwise, attackers can get access to all of your recovery codes you have synced.
In the extreme case when have neither your backup codes, nor access to your 2FA device, the rescue mechanisms vary. Some of the methods are:
- Add a recovery email or phone number or both which you can use in case you forgot to save the backup codes. This should work in most instances. But remember that a chain is as strong as its weakest link. Do not keep unsecured ways of access to your accounts.
- If you’re logged in on another device like another phone or a laptop, you can remove 2FA from your account. Then log in with the simple email and password combo. After that, set up 2FA on the new device. This works on services like Google, Firefox, etc.
- Some services like GitLab allow the use of devices registered with SSH to generate new authentication codes. Log in using one of these codes and head straight to your security tab. Disconnect your 2FA device. Connect new device for the same. Regenerate new backup codes. Download them.
- A few services however, are a bit more difficult to deal with. For Discord, you need to contact their customer support and let them know. Same for Web Hosting services like Hostinger. They require communication through email, and can sometimes ask for proof. For Ubisoft, they might ask you to confirm your previous purchases by asking for your invoice and license keys through their customer support chat platform (and not email).
Such procedures are necessary because they first need to establish the identity of the individual making the request to reset 2FA. If they slip up and allow access to a malicious third-party, they’ll end up in hot water. However, the best way to avoid these cumbersome protocols is to not lose the backup codes in the first place.
If you lose your device, assume that all of your data is public, and it compromises the security of all your accounts.
Concluding Thoughts
Online security is an increasingly important issue. Especially because we are at a crucial juncture where most of the work we do is moving online. It is high-time we supplement the basic security of the accounts we create with 2 factor authentication systems. Albeit the process is more involved, the extra level of security (and the ensuing peace of mind) is worth it. The only thing to take care of is preserving the backup codes, in case we lose the physical device needed for verification. We are human, and we will make mistakes. It’s about minimising the chances and having some breathing room in case we get ourselves into a pickle.