40 Two-Factor Authentication

Our usernames, email addresses and passwords are the keys to our digital lives and if they fall into the wrong hands, it can cost us dearly. To address this, many enterprises and government departments would issue staff with some type of physical security token which they would need to have with them in order to access their systems. This stops a criminal who has gleaned the correct username and password from a phishing scam from accessing the system, unless they also had the second item or factor. Often this is referred to as ‘something you know and something you have’ to gain access. This ‘something you have’ doesn’t have to be a physical device, it can be your fingerprint. If there is a choice of more than one addition security option, it often known as multi-factor authentication, rather than two-factor authentication (2FA). Where an additional code is sent via a SMS text or to another defined email address, this is commonly known as two-step verification, which is not as secure, but still an improvement.

Enabling two-factor authentication is one of the best defences against phishing and data breaches from hackers and is now offered for free with many systems as they use an authenticator app on your smartphone or send a time limited text message to your phone. But there are implications if you turn on 2FA which you need to be aware of, so it may not be suitable for everyone. If you are one of those people that have a track record of breaking or losing your phone, making your phone the one and only way to allow you to access your online accounts, isn’t probably a good idea, so consider options to add other devices or secondary email addresses. Also, many apps and programs will not work with 2FA as they are not designed to request the second part for authentication. The workaround is typically to use an app specific password, so that once generated and entered, you don’t get asked again on that device or computer. This does mean though that if like me you use a variety of devices, each one will need an app password, so it’s best not to turn on 2FA unless you have time to troubleshoot any issues. 

So, like a second heavy duty lock on your front door, the security benefits outweigh the additional hassle, especially as there are no additional costs. You also often have the option of clicking ‘don’t ask again for 30 days’ or something similar, so as not to be too intrusive, which is basically saying I trust this device. Most of the mainstream online services now offer free 2FA as part of their security and I have personally enabled it on for Amazon, Gmail, Outlook.com, Yahoo Mail, Microsoft Office 365, Zoho and my Apple ID. There are lots of online guides and videos that explain how to set up 2FA for a particular service, which I recommend you take a look at before turning anything on, as well as what happens if you lose a device and how you’d get access back to your account. Yes, 2FA can be nuisance, delaying you from getting what you want done, but like insurance, you are really glad you’ve got it when things go wrong.

Getting started guides

Turning on 2 step verification can be quite challenging, use these guides to help you enable it on common online services:

Amazon

https://www.amazon.co.uk/gp/help/customer/display.html?nodeId=202025410

Apple (AppleID & iCloud)

https://support.apple.com/en-gb/102660

Facebook

https://www.facebook.com/help/148233965247823?helpref=faq_content

Google (Google Account & Gmail)

https://www.google.com/landing/2step/

LinkedIn

https://www.linkedin.com/help/linkedin/answer/544/turning-two-step-verification-on-and-off

Microsoft (Outlook.com & Hotmail)

https://support.microsoft.com/en-gb/help/12408/microsoft-account-about-two-step-verification

PayPal

https://www.paypal.com/us/webapps/mpp/security/security-protections

Twitter

https://help.x.com/en/managing-your-account/two-factor-authentication

Yahoo

https://help.yahoo.com/kb/SLN5013.html

Moving to a new mobile handset

Having 2-step verification on your mobile makes the process of moving to a new device a lot more complicated and needs some careful consideration. SUPER IMPORTANT: Please do not trade in or wipe your mobile phone if you have any authenticator apps installed with active accounts. Your online phone backups do not include the accounts within an authenticator app, but just the app itself, if you restore from a backup, the authenticator app will be there, but it will be empty.

I recently upgraded my mobile phone, but delayed swapping handsets until I had a good block of free time. Basically, you need both handsets and a Wi-Fi connection, as one of the devices will not have an active SIM card, but will still need internet access. First the good news. Any 2-step verification you have in place via a SMS text message doesn’t need you to do anything, as this is linked to your SIM card rather than an app and will automatically work unless you change your mobile number. 

The 2-step verification via an authentication app will require you to locate the backup/transfer feature within the authenticator app (if there is one) on your old handset and following the instructions to migrate to a new handset. If there no transfer feature, you will need to go through each entry by visiting the online service and logging in and authenticating yourself with the app on your old handset. The next step is to set up the 2-step verification with the app on the new handset. Once this is done and verified, the entry in the old app may stop working if multiple authentication devices are not supported. You then repeat this until all your 2 step verification accounts have been transferred onto the new device. While you are transferring the verification accounts, in case you lose your device, it is a good idea to write down any ‘one time’ emergency authentication passwords if the service has this feature. Lastly, if you are giving your old device to someone else, trading it in, or getting rid of your device, do a factory reset to wipe all your data and remove any memory cards if there are any.

The free Authy authenticator app by Twilio (https://authy.com) overcomes these problems by allowing the option of multiple devices and computers to be setup and synchronised. So, if your mobile stops working or is stolen, you will still have access to your two-factor authentication codes, so long as you have already setup the additional device(s).

Choosing a smartphone authenticator app carries a major risk if the app in question is controlled by criminals, and recently one such Android authenticator app was taken down from the Google Play store with over 10,000 victims.  To avoid this potential problem, stick the offerings from established companies such as:

Authy

iOS: itunes.apple.com/us/app/authy/id494168017

Android: play.google.com/store/apps/details?id=com.authy.authy

Windows, Mac & Linux: authy.com/download/

Google Authenticator

iOS: apps.apple.com/us/app/google-authenticator/id388497605

Android: play.google.com/store/apps/details?id=com.google.android.apps.authenticator2

Microsoft Authenticator

iOS & Android: www.microsoft.com/en-us/security/mobile-authenticator-app

LastPass Authenticator

iOS, Android & Windows: lastpass.com/auth/

Zoho OneAuth

iOS, Android & Mac: www.zoho.com/accounts/oneauth.html

There are many other good authenticator apps available, and this list is only small sample of the major players. If you do choose another authenticator app, please make sure the app publisher is a company you recognise. Also, when setting up multi-factor authentication on a smartphone authenticator app, it is important to understand that the unique QR code or configuration key used to set up the account protection can be used to setup apps on multiple devices, and each will generate the same login verification code, despite being on different devices. The QR code or configuration key could even be used to setup an authenticator app again at a later date if a copy is made, so it is crucial to make sure that no one else sees the code, especially if someone is talking you through the steps to add multi-factor authentication remotely via a screen sharing platform. The person guiding you could also add your account to their own device, the same applies if someone took a photo of the QR code or wrote down the configuration key.

So please, never share two-step or multi-factor authentication setup QR codes online or in an email or message. This can be easily done when trying to explain to someone how to setup multi-factor authentication by showing them the steps from your own accounts.

To check a Google account for 2-Step Verification status and which devices it recognises, visit: https://myaccount.google.com/u/1/security and click on the arrow next to ‘2-Step Verification’. This will display which devices receive Google prompts and which phone has the Google authenticator setup. Unfortunately, it will not tell you if any other devices (even if they are yours) were also setup with a third-party authenticator app.

Microsoft does things differently and depending on your settings may does not allow a third-party authenticator app. Visit https://myaccount.microsoft.com/ to check the 2-Step verification status of a Microsoft account and click on ‘Security info’ to see a list of all the device names with Microsoft Authenticator enabled.

If you see a device you do not recognise (check with immediate family you live with first and your IT support department if this is a company account) and if you are 100% sure it’s not your device or meant to be there, delete it. 

You can also delete an account from within an authenticator app on a mobile or tablet device, whether it is Google Authenticator, Microsoft Authenticator or even Authy. Please be very careful if you do this, because unless you have another alternative verification method setup, you could end up locking yourself out of an online service. Removing an account from an authenticator app doesn’t turn off 2FA for that service, so it’s best to double check the account details and status before you press delete.

I recently made the mistake of assuming an account in my Microsoft Authenticator app wasn’t needed anymore. I had created two accounts with the same email address (one as a personal account and one as a work account) and deleted what I thought was an unused personal account. Turned out that I deleted the work account, and I couldn’t get access again. Luckily, the next day I realised that I had the account on another device, so the moral here is make sure your mobile is not the only key you have.

2FA Fraudster Tricks

Please be very wary of anyone that telephones you claiming to be from your bank, internet or mobile provider or something similar, and then asks you to pass security by giving them the security code that has just been sent to your mobile.  They may start by saying there is a special limited offer or a problem with your account (the story will vary) but there is often a time pressure and either some extremely good news or potentially bad news. After confirming a few basic details like your email and mobile number, at which point they may even send you a text message. It will be from the bank or service provider confirming who you are speaking to or the offer or situation in question, and it will appear on your mobile grouped with any others you may have received. But in order to proceed you will be required to pass security so that you can be validated for data protection, GDPR, etc. 

In reality the caller is a fraudster, the mobile SMS text message is spoofed and not genuine (though your mobile cannot tell the difference and groups it with any legitimate messages) and they are not asking you to pass security. Instead, they are resetting your account credentials and need the 6-digit one-time password or PIN code that has been sent to your mobile. They may also ask for credit card details or bank details to setup a new direct debit. The fraudster may already have your account password and it is only the 2fa that is stopping them from gaining access, hence the phone call. If they get past the 2fa, they can change your password and take control of your account.

As a precaution, never give anyone a 2fa code if they have contacted you. In truth you have no real way of validating anyone that calls you, as they may information from a data breach or gleaned from your social media that may sound completely plausible. They may have information on recent purchases, or something else to put you at ease, confirming that they are who they say they are. Either way, ask for their name and department and hang up. Then find the number of the organisation from an online search, or for something like your bank, the number on the back of a debit card. Call and ask for the department and name you were given, if it turns out it was genuine, you will be transferred to them.

To help combat this type of fraud, some reset 2fa messages now have warnings stating that if you did not request the 2fa code yourself, do not share the number and contact customer services. If you have been tricked into giving a 2fa code, please contact the relevant customer services department as soon as possible. Do not be embarrassed, everyone can be fooled some of the time.

More recently, hackers have been bypassing both 2fa and the usual username and password requirements by targeting a user’s web browser in order to steal the active session cookies that are used to keep you logged in to an online service. Unfortunately, session cookies are fundamental to how web browsers work, and the additional convenience of selecting ‘Remember me’ when you log into a web service generates a cookie to hold that login authentication information. They are the digital equivalent of leaving the door on the latch, so no key is needed. If the criminals can find a way to get hold of these active session cookies through malware, phishing emails or directing you to malicious websites, they can use them on another computer and access the online account.

Index or next chapter -coming soon-