Tempting Shortcuts
Working notes on the slower path


Setting up two-factor authentication

You really need to be using two-factor authentication, particularly for key services such as email and file storage and key companies such as Microsoft, Google and Apple.

In addition to your password, two-factor authentication adds a second piece of information that is required to log in to a service (hence "two factors"). In practice this means that for a given service I will enter my username and my password and then be prompted for a one-time code. This code may be sent by SMS or retrieved from an app or another device.

This one-time code is set up on a second device, usually your phone. It is algorithmically generated and expires after a short duration, typically a minute. Banks use this type of system when they send out those ‘token generators’.

Therefore, while an attacker may have stolen your password for a service (and possibly decrypted it), they cannot also generate the one-time code for that service and so cannot log in.

Two-factor authentication is available for Microsoft, Google, Apple, Github, Dropbox, Nextcloud[1], etc.

Before you turn it on, you will need an app for your phone to ‘capture’ and then generate the one-time codes. Google offers its Authenticator, but then do you trust them with all of your codes? Authy is another well-regarded app, but some of its features make it less secure[2]. The more secure solution would be one whose source code you can check, which is why some recommend the open-source freeOTP.

An even better solution, as recommended in the Reddit thread above, is to use freeOTP and also capture the codes onto a second phone for backup purposes, hence removing the need to rely on Authy’s syncing.

As a general approach to setting it up, you will need to log into the service, locate the settings (often under security) and turn on two-factor authentication. When you turn this on, a unique code will be generated, usually presented as a QR code that you can simply scan in your app; all of the relevant details will then be picked up and configured.

See the links above for examples of setting up those services.

[1] I have had problems logging into the native apps after it was turned on. I use it for the administrative account (you are using separate admin and user accounts, aren’t you?).

[2] They offer to ‘back up’ your codes to their servers, making things easier to sync between devices, but this also gives baddies another opportunity to get at them.