Two Factor Authentication & Password Managers – Part I

In my Boston-based international IT consulting practice I get lots of questions from customers on the information security issues of the day. One of the most common is about password security and, even more frequently, two factor authentication. In this first installment on two factor authentication I will cover the basics of setting it up on the major websites & services you use every day.

Wikipedia defines two-factor authentication as:
Multi-factor authentication (also MFA, two-factor authentication, two-step verification, TFA, T-FA or 2FA) is an approach to authentication which requires the presentation of two or more of the three authentication factors: a knowledge factor (“something only the user knows”), a possession factor (“something only the user has”), and an inherence factor (“something only the user is”). Google describes it well in the video below:

[Embedded video: Google's explanation of 2-Step Verification]

In the case of the websites, social media and cloud services we use daily, two factor authentication refers to authentication that goes beyond a simple password. It requires something you know (your password) and something you have (in this case your smartphone, or an application running on it). This makes it much more difficult for a cybercriminal who holds only your username and password to take over your accounts, damage your financial livelihood, or damage your brand.

Note: There is no such thing as an ironclad, impenetrable security solution. There will always be risks and weaknesses that a cybercriminal can exploit. In the case of two factor authentication, an attacker can use technical means such as a man-in-the-middle attack (a phishing proxy that relays your one-time code to the real site while it is still valid) or a trojan application on your phone that captures the code as it arrives. Against a determined attacker, little will stop every attempt. Even so, TFA is still a good step forward and I recommend embracing it immediately, alongside a password manager.

Why Password Managers

Have you ever been in an office and walked up to someone’s desk only to see a sticky note with all of their usernames and passwords stuck to the top of their monitor? This makes me cringe. This simple example shows what is wrong with traditional passwords: they are hard to remember and annoying to manage. Why not get an application that makes this far easier? That is where password managers come in. They save all of your passwords in an encrypted password safe, unlocked by one master password, which is much more secure than that sticky note on your desk. Additionally, most of these applications will generate long, random passwords for the sites & services you use, so no two accounts share one. Like I always say, these are no panacea but a good step in the right direction when coupled with two factor authentication.
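What the two features above mean in code, as an added example written for this post (it is not the code of any of the products listed below): a password generator that draws from the operating system's cryptographic random source, an entropy estimate for the result, and the slow key derivation a vault uses to turn a master password into its encryption key. The master password and salt in the demo are constructed values; the PBKDF2 check in the test uses the published "password"/"salt" vector.

```python
import hashlib
import hmac
import math
import secrets
import string

# Printable ASCII minus space: 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw each character from the OS CSPRNG via `secrets`; never use the
    `random` module, whose generator is seeded from a small state and is
    predictable. Strength comes from length times alphabet size, not rules."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = 600_000) -> bytes:
    """A password safe is opened by turning the master password into an
    encryption key with a deliberately slow KDF (PBKDF2-HMAC-SHA256 here).
    The iteration count is what makes offline guessing against a stolen
    vault file expensive; 600k is the figure OWASP recommends for this KDF."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def unlock(candidate: str, salt: bytes, iterations: int, expected_key: bytes) -> bool:
    """Constant-time comparison: a wrong guess takes as long as a near miss."""
    return hmac.compare_digest(derive_vault_key(candidate, salt, iterations), expected_key)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"{entropy_bits(len(pw), len(ALPHABET)):.0f} bits")
    salt = secrets.token_bytes(16)  # stored next to the vault; it need not be secret
    # Constructed master password for the demo, not a recommendation.
    key = derive_vault_key("correct horse battery staple", salt)
    print(unlock("correct horse battery staple", salt, 600_000, key))  # True
    print(unlock("Tr0ub4dor&3", salt, 600_000, key))                   # False
```

A 20-character password over this 94-symbol alphabet carries about 131 bits of entropy, more than the 128-bit key that will encrypt the vault, which is why a manager's generated passwords can be long and ugly: you never type them.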

Password Managers

RoboForm – Windows, OSX, Mobile http://www.roboform.com/
LastPass – Windows, OSX, Mobile http://lastpass.com/
Bitwarden – Open Source – Windows, OSX, Linux, Mobile, etc. https://bitwarden.com/
Dashlane – Windows, OSX, Mobile https://www.dashlane.com/
KeePass – Open Source – Windows, OSX, Linux, Mobile, etc. http://keepass.info/
KeePassX – Open Source – Windows, OSX, Linux http://www.keepassx.org/
KeePassXC – Open Source – Windows, OSX, Linux, Mobile, etc. https://keepassxc.org/
Password Safe – Open Source – Windows XP, Vista, 7 and 8 only. https://pwsafe.org/

Turning on Two Factor Authentication

As I said above, combining two factor authentication with a password manager is a powerful step forward from conventional passwords. You should turn on two factor authentication on all the online services you currently use. Below are links to instructions for turning on two factor authentication in the most common services.

Apple:

Apple’s form of 2FA sends a 4-digit code by text message to your phone. To log in with 2FA enabled, simply enter the text message code (when asked) after your username/password combination.

How to Enable
https://appleid.apple.com/
Apple’s Documentation
https://support.apple.com/kb/HT5570

Google/Gmail:

Google two factor authentication, or as Google calls it “2-Step Verification”, works either over SMS (text message) or with the Google Authenticator app, which is available for Android, iOS and other platforms. To log in with 2FA enabled, simply enter the text message code or the Google Authenticator code (when asked) after your username/password combination.

How to Enable
http://accounts.google.com/SmsAuthConfig
Google’s Documentation
https://support.google.com/accounts/answer/185839?hl=en&topic=1056283&ctx=topic

Facebook:

Facebook terms the feature “login approvals”. It works with Google Authenticator or the “Code Generator” feature of the Facebook app, and can also send a code by text message. To log in with 2FA enabled, simply enter the text message or generated code (when asked) after your username/password combination.

How to Enable
https://www.facebook.com/settings?tab=security
Facebook’s Documentation
https://www.facebook.com/help/loginapprovals

Twitter:

Twitter’s two factor authentication requires no third-party application; it simply sends a 6-digit code by text message to your phone. To log in with 2FA enabled, simply enter the text message code (when asked) after your username/password combination.

How to Enable
https://twitter.com/settings/security
Twitter’s Documentation
https://blog.twitter.com/2013/getting-started-with-login-verification

Dropbox:

Dropbox two-step verification works via text message, Google Authenticator and many other authenticator apps. To log in with 2FA enabled, simply enter the text message or authenticator code (when asked) after your username/password combination.

How to Enable
https://www.dropbox.com/help/363/en

LinkedIn:

LinkedIn’s two factor authentication sends a 6-digit text message code to your phone. To log in with 2FA enabled, simply enter the text message code (when asked) after your username/password combination.

How to Enable
https://www.linkedin.com/settings/security-v2

Microsoft:

Microsoft’s 2FA is a 7-digit code sent by text message to your phone or by email. To log in with 2FA enabled, simply enter the code (when asked) after your username/password combination.

How to Enable
https://account.live.com/Proofs/Manage

PayPal:

PayPal’s method is a 6-digit code sent via SMS/text message. PayPal also supports a hardware-based 2FA option, the PayPal Security Key (more about this in Part II): https://www.paypal.com/securitykey To log in with 2FA enabled, simply enter the text message code (when asked) after your username/password combination.

How to Enable
https://www.paypal.com/us/cgi-bin/webscr?cmd=_security-key

Amazon AWS (Amazon Web Service):

Amazon Web Services supports virtual MFA devices such as Google Authenticator and the Windows Phone Authenticator app, as well as a hardware-based 2FA token (more about this in the second installment of this post): http://onlinenoram.gemalto.com/ To log in with MFA enabled, simply enter the six-digit code from your authenticator app or hardware token (when asked) after your username/password combination.

How to Enable
http://aws.amazon.com/iam/details/mfa/

Turn on 2FA & Get a Password Manager

There you have it; it’s that simple! I recommend everyone take these very simple steps to improve their information security posture. In the second installment of this post I’ll detail some of the hardware 2FA options for many of the popular services listed above, so please do check out Part II of this blog series, Two Factor Authentication Virtual & Hardware MFA – Part II. As always, your questions and comments are welcome. Stay secure out there!

8 thoughts on “Two Factor Authentication & Password Managers – Part I”

  1. What an insightful post with a ton of great information. The video was extremely helpful and all your links made it so easy to get what I needed. Very Nice, Thank you Joseph.

  2. Content-packed article with a heap of great info on how to protect yourself online! Password managers seem like a good idea – I’ll definitely look into those. Thanks so much for the fantastic post!

  3. Even though sometimes they can be a bit of a pain, now that I’ve started to use two-factor authentication systems, there is no going back for me. I value my security and safety online more than the convenience, so I’m more than happy to spend a little more time logging in, if that means that I could potentially avoid being hacked.

  4. I have been using the two factor authentication for both Google mail and Paypal so far, and I must say that I am feeling much more secure when using their services. I recently forgot my password for my new Google mail account, and whilst it wasn’t too much of a hassle to regain access to my account, for someone who didn’t have access to my mobile phone it would certainly prove challenging.

  5. Jack Woodhouse

    I am in favour of two factor authentication password managers, but I’m concerned for how I will get access to my accounts in the case that I lose my phone, or worse if it is stolen from me. Will this mean that the thief will have access to my accounts? How do I then go about regaining access to my accounts with the two factor authentication in place? Perhaps it is simply too secure.

    1. There are ways to deal with this issue and it shouldn’t deter you from using 2FA/MFA. Every service will detail how to recover access to your account should your phone be lost or stolen.
