Random Thoughts About Two Factor Authentication Or 2FA

I recently decided that I had a need to make my Google mail account more secure because I wanted to receive what you might call “official” mail from certain companies.  I decided to enable Two Factor Authentication or 2FA.  Another term for this is Multi Factor Authentication.

http://en.wikipedia.org/wiki/Multi-factor_authentication

Googling this yields huge numbers of results.  I’ll leave it to the reader to explore as deeply into those as desired.  But, in essence, 2FA makes it so you must enter something other than your user name and password to log into something.  Thus, if your user name and password are stolen as part of a security breach, the bad guys still cannot log into your account.

2FA generally uses A) something you know (like your debit card PIN), B) something you have (like your cell phone), or C) something that’s part of your physical identity (like your fingerprint).

Option B, something you have, is particularly useful.  Since the bad guy won’t have this if he’s trying to attack you remotely, this is a good security measure.  A very common technique is for a company to provide you with a physical token or key fob or card, etc. which generally has a button that you press to get a number.  So, you would go to log in, enter your user name and password, then press the button on your token, read the number, and enter that.  Without the token, it is more difficult to log in.  And, a bad guy is unlikely to have your token.

I say more difficult because the companies usually provide a backup way for you to log in without the token if you’ve forgotten it, for example.  This is because they don’t want the tech support overhead of having people who’ve forgotten or lost their token getting locked out of their account and tying up the support reps’ time to reset everything.  After all, you (customers) are only human.  So, while procedures vary from site to site, if you click the link to log in without your token, the site will generally ask you for other data which you’re supposed to know to verify your identity.  This may include things such as the last 4 digits of your social security number, the answer to your security questions, the last payment you made, the last 4 digits of the credit card you pay with, etc.

Unfortunately, this backdoor used to make up for your own humanity can also allow bad guys a toehold to try to get into your account.  However, HAVING 2FA on is still much better than NOT having it on.  So, I recommend it for your accounts which need extra security.  Think of it this way: if XYZ Big Company had a breach and lost its security database with your credentials, would you want criminals and thieves reading and posting on your social media accounts or reading your email and sending messages on your behalf?  When you think of it that way, you’ll see that many more of your accounts might be considered SENSITIVE.

Another popular variation on the something you have concept relies on your cell phone.  Most cell phones made within the last decade can receive text messages, although not all users want to pay for that feature.  The general approach is that when you log in, and enter your user name and password, a text message is sent to your phone with a code number or word, etc.  You read the word off the phone and type it into the login screen.  Then the site lets you in.  Again, the bad guy is unlikely to have your cell phone.

(By the way, a related topic, outside the scope of this article, is the use of your alternate communications channels to receive security alerts.  So, for example, your bank could text or call you if suspicious activity is detected.  You generally have to set this up on the security portion of your profile screen for each account where it’s relevant.)

Unfortunately, setting up and using 2FA can be a bit tedious.  And, there are some potholes you may fall into.  Here are some more or less random items from my own experience setting up 2FA on a few of my accounts, starting with Google.  Much of this applies to other vendors too.  (This is NOT a step by step procedure, but covers general concepts.)

* Set up your cell phone for 2FA.

For Google, log into your account, go to your profile, and into the security section.  Tell it you want to add a phone for 2FA, tell it you have a mobile phone, and add the number.  It will want to send your phone an SMS (text) message for testing.  Let it.

* My test text message failed.

I don’t know the reason, but the text message to my phone failed twice.  I’ve never seen hide nor hair of it.  So, in this case, you can tell Google that you didn’t get the message.

* If you don’t get the message, or you’re entering a voice only phone number, tell the system to call you instead of text you.

If you have to use this option, if it’s available on the system in question (it is for Google), then, when you log in, the system will literally call you on the phone and read you the 2nd factor with an automated voice.  Then you type that in.  This will happen every time you log in.  Some systems, even if you’ve requested text messages, will allow voice failover so you can tell them you didn’t get the message, then they call you.  You may think you’re done now, but you’re not.

* Enter a backup phone number.

Google strongly recommends you enter a backup phone number.  This could be another cell phone or your house phone, etc.  In particular, if you have difficulty receiving texts, or you travel a lot, you may want to set the second number for voice calls rather than text messages.  You’re still not done.

* Retrieve one time pass codes.

As an additional way to keep from getting locked out of your account (on Google), you can access and print or download one time pass codes to allow you to log in.  You should do that.  Now, try to store the pass codes somewhere where the bad guy can’t get them if he, for example, steals your PC or phone.  I store mine in an encrypted note in LastPass.  You’re still not done.

* Go enter your account recovery data.

Google wants backup methods to contact you and verify your identity.  Go to account recovery options.  Enter a backup email.  Also, enter your security question(s).  If you have to try to log in using a method other than your 2FA, these various things will help you get into your account and still, hopefully, keep the bad guys out.

* Your tablet or smart phone was just locked out of your Google account.

Once you’ve enabled 2FA on Google, it’s possible (probable) that your tablet or smart phone will get locked out of your Google account.  That’s because it doesn’t have the 2nd factor to log in.  The solution is to go into the app passwords section of your account and generate a custom 16-character password for your device.  You can even give it a custom name, like “Android Tablet”, or whatever.  Once you generate the password, go to your device, which is probably complaining because it can’t log in, tell it to try to log in, and enter the new password.  Use a different password for each device.

* Don’t trust my PC.

On the login screen, you may see a check box that says trust my PC, or remember my PC, or something similar.  If you check it, your 2nd factor won’t be required when you log in with the same device.  That may apply for a set time, like 30 days, or it may apply indefinitely.  It’s just my opinion, but I DON’T check the box.  And, I make sure it’s not checked each time I log in.  I figure I don’t want it to be incredibly easy for someone to log into my accounts if they stole my PC.

* TADA!  Now you’re done.  NOT.

OK, so now you’re sitting pretty.  Your sensitive accounts are protected by 2FA (if they support it).  The system appropriately grills you to get into them, preferably for something you have.  But, if you don’t have it, you at least get grilled for something you know that the bad guys don’t, hopefully.  You have backup contact methods so the company can still reach you if your phone is lost or stolen or your email changes.  What’s not to like?  Here are some more things to think about.

* What if you have to UNWIND or ALTER all this?

What if your phone number(s) change?  What if your email changes?  What if your phone is run over by a truck?  What if your phone is stolen?  What if your PC is damaged or stolen?  What if your physical security token is damaged or stolen?

I used to own another domain name other than the one this blog is on.  I had literally been using it for a decade.  And, I had HUNDREDS of entities sending email to that domain.  Then, I sold it.  Now, getting some spending money was nice.  But, 2 years later, I’m STILL going through the PAIN of people sending me email, some of which I want, to the old domain.  Now, I had the most important email addresses forwarded.  So, at least I KNOW someone is sending me mail.  But, what if I never saw those mails again?  The point is, maybe you want your backup email to be in a different domain than your primary address.  Maybe your primary is email that comes to Gmail and your secondary goes to Comcast, or whatever.  Even if that’s the case, you can still forward from Comcast to Gmail so you don’t normally have to log in to both.

First and foremost, you have to at least know which vendors you have 2FA with and what that factor is.  Easy if Google is the only one.  But, what if you have 5, or 10, all of which have different (or at least some different) factors, different security questions, different procedures, different backup contacts?  This could get to be a royal mess.  In this case, LastPass is my friend.  Every time I set up another vendor with 2FA, at the very least, I put their name in a private note in LastPass.  So, if I ever have to change all my 2FA stuff, I at least know I have to go to Google, my payment site, my other site, my other site, etc. and change all the relevant data.

I also make an entry in the notes portion for the LastPass record for EACH vendor that’s using 2FA.  So, when I click on the LastPass record for Google, for example, to log in, I know right then to expect a phone call or text message.  Finally, I sometimes put data regarding security questions, etc. in those same notes.

* What about your Spouse?  Significant other?  Family?  Executor?  Attorney?  Heirs?

No one wants to think about leaving the scene – permanently.  But, unless we’re around when Jesus returns, we’re all going to leave the scene.  So, do you want people such as those mentioned to have access to your accounts?  Do you want them NOT to have access?  These are complex issues I haven’t nailed down personally yet.  But I plan to be thinking about them.  You should too.

* Two more tidbits.

Here are two more 2FA methods to consider, which I have no experience with.  And, there are probably many more I don’t know about.  But, I wanted to share these for completeness.

Google Authenticator:
http://en.wikipedia.org/wiki/Google_Authenticator

Yubikey
http://www.yubico.com/
http://www.yubico.com/products/yubikey-hardware/
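For readers who want to see what the button-press token described earlier and Google Authenticator actually compute, here is an added example (not part of the original post, and not Google's or Yubico's code) of the standard HOTP (RFC 4226) and TOTP (RFC 6238) algorithms, with the server-side check a site performs: a small clock-skew window, a constant-time comparison, and rejection of a code that has already been used.  The secret is the RFC reference test secret, not a real account key; the base32 helper mirrors how authenticator apps receive the secret when you scan a setup QR code.

```python
# Added example: how a hardware token or Google Authenticator derives the number you
# type (HOTP, RFC 4226; TOTP, RFC 6238) and how a server verifies it.
# RFC_SECRET is the published RFC test secret, not a real account key.
import base64
import hashlib
import hmac
import struct
from typing import Optional

RFC_SECRET = b"12345678901234567890"          # RFC 4226/6238 reference secret
STEP = 30                                      # seconds per TOTP time step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                 # low nibble of last byte selects 4 bytes
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = STEP) -> str:
    """RFC 6238: TOTP is HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def secret_from_base32(b32: str) -> bytes:
    """Authenticator apps are provisioned with an unpadded base32 secret; restore padding."""
    b32 = b32.strip().replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_counter: Optional[int] = None, window: int = 1,
                digits: int = 6, step: int = STEP) -> Optional[int]:
    """Return the accepted time counter, or None.  Tolerates +/-window steps of clock
    skew, compares in constant time, and refuses any counter already used (replay)."""
    current = unix_time // step
    for candidate in range(current - window, current + window + 1):
        if last_counter is not None and candidate <= last_counter:
            continue                           # every code is single-use
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


if __name__ == "__main__":
    import time
    now = int(time.time())
    print("code now:", totp(RFC_SECRET, now), "for counter", now // STEP)
```

A server stores the accepted counter after each login so the same code cannot be replayed inside the skew window; that stored counter is what `last_counter` stands for here.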

Well, I’ve presented a number of potential issues you need to consider which relate to Two Factor Authentication.  I hope you find the information helpful.

Ron