Two Factor Authentication & Password Managers – Part I

In my Boston-based international IT consulting practice — I get lots of questions from customers on the information security issues of the day. One of the most common issues I hear about is password security and, even more frequently, two factor authentication. In this first installment on two factor authentication I will detail the basics of setting up two factor authentication on the major websites & services you use every day.

Wikipedia defines two-factor authentication as:
Multi-factor authentication (also MFA, two-factor authentication, two-step verification, TFA, T-FA or 2FA) is an approach to authentication which requires the presentation of two or more of the three authentication factors: a knowledge factor (“something only the user knows”), a possession factor (“something only the user has”), and an inference factor (“something only the user is”). Google describes it well in the video below:

[Embedded video]

In the case of the websites, social media and cloud services we use daily – two factor authentication refers to authentication that goes beyond a simple password. It requires something you know (your password) and something you have (in this case your smartphone or a related application on it). This makes it much more difficult for a cybercriminal to steal your identity or damage your financial livelihood, brand or identity with your username/password alone.

Note: There is no such thing as an ironclad, impenetrable security solution. There will always be risks and weaknesses that the cybercriminal will exploit. In the case of two factor authentication a cybercriminal can use technical means like a man-in-the-middle attack or a trojan application on your phone to capture your other required authentication information. My point is that against a determined attacker, little will stop their attempts. Either way, TFA is still a good step forward and I recommend embracing it immediately alongside password managers.

Why Password Managers

Have you ever been in an office and walked up to someone’s desk only to see a sticky note with all of their usernames and passwords on the top of their monitor? This makes me cringe. This simple example shows what is wrong with traditional passwords. They are hard to remember and annoying to manage. Why not get an application that would make it far easier to manage this process? That is where password managers come in. They allow you to save all of your passwords in an encrypted password safe that is much more secure than that sticky note on your desk. Additionally, most of these applications will allow you to generate more secure passwords for the sites & services you use. Like I always say, these are no panacea but a good step in the right direction when coupled with two factor authentication.

Password Managers

RoboForm – Windows, OSX, Mobile http://www.roboform.com/
LastPass – Windows, OSX, Mobile http://lastpass.com/
Norton Identity Safe – Windows, OSX, Mobile https://identitysafe.norton.com/
Dashlane – Windows, OSX, Mobile https://www.dashlane.com/
KeePass – Open Source – Windows, OSX, Linux, Mobile, etc. http://keepass.info/
KeePassX – Open Source – Windows, OSX, Linux, Mobile, etc. http://www.keepassx.org/
Password Safe – Open Source – Windows XP, Vista, 7 and 8 only. http://passwordsafe.sourceforge.net/

Turning on Two Factor Authentication

As I said above, combining two factor authentication and a password manager is a powerful step forward from conventional passwords. You should turn on two factor authentication on all the online services you currently use. Below are links to instructions for turning on two factor authentication in the most common services.

Apple:

Apple’s form of 2FA is a 4-digit text message code sent to your phone. To login with 2FA enabled, simply enter the text message code (when asked) after you log in with your username/password combination.

How to Enable
https://appleid.apple.com/
Apple’s Documentation
https://support.apple.com/kb/HT5570

Google/Gmail:

Google two factor authentication, or as Google calls it “2-Step Verification”, can work both over SMS (text message) or with the Google Authenticator app. This is available for Android, iOS, and more. To login with 2FA enabled, simply enter the text message code or Google Authenticator code (when asked) after you log in with your username/password combination.
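The six-digit code the Google Authenticator app shows is a time-based one-time password (TOTP, RFC 6238, built on HOTP from RFC 4226). The added example below is not code from the post or from Google; it shows how the phone derives the code from the shared secret and the current 30-second time step, and how a server verifies it with a small clock-drift window while refusing to accept the same code twice. The secret used is the RFC 6238 test-vector key, base32-encoded the way an enrollment QR code carries it, so the expected codes are the published ones.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 test-vector secret (ASCII "12345678901234567890"), in the base32
# form an authenticator app would receive from the enrollment QR code.
SECRET_BASE32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SECRET = base64.b32decode(SECRET_BASE32)
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238: the HOTP counter is the number of whole time steps since the epoch.

    This is what the app computes; possession of `secret` is the 'something you have'.
    """
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int, last_accepted: int = -1,
                window: int = 1, step: int = STEP_SECONDS, digits: int = 6):
    """Server-side check. Returns the matched counter, or None if the code is rejected.

    `window` tolerates phone/server clock drift of +/- one step. `last_accepted`
    is the counter of the last code this account logged in with: any counter at
    or below it is refused, so a code captured in transit cannot be replayed
    within its validity window.
    """
    counter = unix_time // step
    for drift in range(-window, window + 1):
        c = counter + drift
        if c <= last_accepted:
            continue
        # Constant-time comparison so timing does not leak how many digits matched.
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c
    return None


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; code should be 287082
    print("code:", totp(SECRET, now))
    print("verify:", verify_totp(SECRET, totp(SECRET, now), now))
```

The replay check is the part most home-grown verifiers forget: a TOTP code stays valid for the whole step (plus the drift window), so the server has to remember the counter it last accepted and refuse anything older. That is also why the man-in-the-middle and trojan caveats above still apply; the code can be stolen, it just cannot be reused once the legitimate login has consumed it.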

How to Enable
http://accounts.google.com/SmsAuthConfig
Google’s Documentation
https://support.google.com/accounts/answer/185839?hl=en&topic=1056283&ctx=topic

Facebook:

Facebook terms the feature “login approvals” but it will work both through Google Authenticator or the “Code Generator” feature of the Facebook app. To login with 2FA enabled, simply enter the text message code (when asked) after you log in with your username/password combination.

How to Enable
https://www.facebook.com/settings?tab=security
Facebook’s Documentation
https://www.facebook.com/note.php?note_id=10150172618258920

Twitter:

Twitter’s two factor authentication requires no third party application and simply sends a 6 digit code via text to your phone. To login with 2FA enabled, simply enter the text message code (when asked) after you log in with your username/password combination.

How to Enable
https://twitter.com/settings/security
Twitter’s Documentation
https://blog.twitter.com/2013/getting-started-with-login-verification

Dropbox:

Dropbox 2-step authentication works via text message, Google Authenticator and many others. To login with 2FA enabled, simply enter the text message code (when asked) after you log in with your username/password combination.

How to Enable
https://www.dropbox.com/help/363/en

LinkedIn:

LinkedIn’s two factor authentication sends a 6 digit text message code to your phone. To login with 2FA enabled, simply enter the text message code (when asked) after you log in with your username/password combination.

How to Enable
https://www.linkedin.com/settings/security-v2

Microsoft:

Microsoft’s 2FA is a 7-digit code sent via text message or email to your phone. To login with 2FA enabled, simply enter the text message code (when asked) after you log in with your username/password combination.

How to Enable
https://account.live.com/Proofs/Manage

PayPal:

PayPal’s method is via a 6 digit code sent via SMS/text message. PayPal also supports a hardware based 2FA option in its PayPal Security Key (more about this in part II): https://www.paypal.com/securitykey
To login with 2FA enabled, simply enter the text message code (when asked) after you log in with your username/password combination.

How to Enable
https://www.paypal.com/us/cgi-bin/webscr?cmd=_security-key

Amazon AWS (Amazon Web Service):

Amazon cloud services support Google Authenticator, the Windows Phone Authenticator app as well as a hardware based 2FA solution (more about this in the second installment of this post): http://onlinenoram.gemalto.com/
To login with 2FA enabled, simply enter the text message code (when asked) after you log in with your username/password combination.

How to Enable
http://aws.amazon.com/iam/details/mfa/

Turn on 2FA & Get a Password Manager

There you have it – it’s that simple! I recommend everyone take these very simple steps to improve their information security posture. In the second installment of this post I’ll detail some of the hardware 2FA options for many of the popular services listed above. Please do feel free to check out Part II of this blog series, Two Factor Authentication Virtual & Hardware MFA – Part II. As always, your questions and comments are welcome. Stay secure out there!

Joseph P. Guarino has a long history of producing business results with the application of information technology. Joseph's expertise spans over 15 years in the private sector at leading technology firms and consulting organizations. With Evolutionary IT, he saw a market need to bring his transformative knowledge and expertise to firms in the New England area and worldwide. Joseph is driven by a strong desire to see customers thrive with the best business solutions. Evolutionary IT evolved out of this desire to bring a new level of quality IT solutions, align them with business goals and give customers a competitive edge.
