A lot of people get confused about security, especially two-factor authentication (aka 2FA) and, more specifically, ‘authenticator’ apps, of which the most popular is Google Authenticator. Then there are email, SMS and other 2FA methods to consider. Whilst it may seem boring, and it certainly ain't sexy, it is important to understand 2FA, especially if you are earning an online income.
Did you know that 2FA can block more than 90% of attacks on accounts? In 2019 Microsoft claimed that Multi-Factor Authentication (MFA), of which 2FA is a form, could prevent 99.9% of account-compromise attacks. Research from Google around the same time gave similar figures, varying with the 2FA method and the type of attack.
Here we’ll dig into what it is, the options available and how to set up Google Authenticator.
Would you like to turn on Two-Factor Authentication (2FA)?
You may have seen this question popping up across many crypto and non-crypto websites you use.
This article aims to give you a better understanding of what Two-Factor Authentication (2FA) is and why you should activate it, but more specifically we will guide you through our authenticator app of choice, the Google Authenticator app.
Authentication: an introduction
There are two basic forms of consumer authentication: single factor (SFA) and two factor, aka 2FA (er, is that a pun?). 2FA is a form of multi-factor authentication (MFA).
Many sites, especially those related to finance, now force you to use 2FA. Some limit activity based on 2FA, e.g. on some exchanges you can deposit and/or trade without 2FA, but if you want to withdraw, 2FA must be set up.
Requirements for enabling 2FA vary from platform-to-platform.
Single Factor Authentication (SFA)
Essentially this is just a standard account: a username/email plus a password. A single secret, the password, is all that is required to log in to the account.
Multi-Factor Authentication (MFA)
This is where more than one method of authentication is used, not just the password. 2FA is a form of MFA limited to two methods, and it is the most common in consumer use, so that’s what we’ll talk about.
Two-Factor Authentication (2FA)
This is the process of requiring a second method of authentication. The modern standard for this second factor is a dynamic six-digit one-time code. It can be delivered to you (by SMS or email) or generated on a device you hold (a hardware token, or an authenticator app on your phone).
Why should I turn Two-Factor Authentication on?
With cyber crime becoming more advanced and prevalent over the years, a second authentication step has become the popular way of adding an extra layer of protection to your account, your information and your finances.
2FA has been shown to stop the large majority of account takeovers (the 90%+ figures quoted above) and so to prevent funds or data being stolen.
It means that even if someone finds out your password, they still need access to your mobile phone (or your email account, depending on the method) to obtain the security code and get into your account.
The extract from Verizon's 2022 Data Breach Investigations Report (DBIR) shown above attributes 80% of breaches to stolen credentials, i.e. login details.
2FA basics: how it works
Understand the ‘why’, or the concept, and you will more easily see why some MFA/2FA methods are better than others. With 2FA, the user must present two different kinds of proof to get access to the account:
- Something only you know (i.e. your password; the username is not a secret)
- Something only you have (i.e. the phone, token or mailbox that produces or receives the 2FA code; the code itself is the proof that you hold it)
Those are the two factors most commonly used for consumer 2FA.
Additional MFA methods use the ‘something you are’ concept, i.e. biometrics (fingerprint, iris, voice), and/or ‘somewhere you are’, i.e. location.
Image Source: Biometric technology in banking institutions: ‘The customers’ perspectives’, ResearchGate.
Two Factor Authentication Methods
There are several ways of delivering the second factor. Some are better than others…
2FA via Email
The most popular early method of 2FA for login was via email. It’s still used by some platforms today, but it is the least secure option: whoever controls your mailbox gets the code, and the mailbox is usually where password resets go too, so a single email compromise can defeat both factors. You attempt to log in, are asked to check your email, and type in the code that has been emailed to you to proceed.
2FA via SMS
Similar to email, except the code is sent by text message to your mobile phone. Once you log in with your password, the site sends you an SMS with a code that you have to enter before it lets you in. This is convenient and works well most of the time, but it can be slow and unreliable: it depends on your phone network, and you may accidentally delete the text. It's also debatable whether SMS is any better than email for 2FA (see the SIM-swap discussion below).
2FA via Authenticator apps
There are several 2FA apps you can install on your mobile device that generate a new six-digit verification code every 30 seconds for each account you add. The code is computed from a secret key that the site shares with the app at setup and from the current time (the TOTP standard, RFC 6238), so no network connection is needed once it is set up. Note that some people/organisations refer to these codes as a “Mobile Passcode”.
Some businesses have their own versions specific to their company.
You just enter the code shown in the app and it grants access to your account. Setup is a little more involved than the other methods, but the security is much better and it is more convenient once set up.
2FA: other methods
Other methods include biometrics, location and hardware devices (security keys). These are more often used as part of MFA where more than two methods are involved; for 2FA, email, SMS and authenticator apps are currently the most common.
In this article we will be guiding you through our favourite authenticator app, Google Authenticator.
Why is an Authenticator app better than SMS or Email 2FA?
The Google Authenticator app rotates codes every 30 seconds, and the secret key never leaves your phone, so the codes are much harder to intercept than SMS or email. With SMS, attackers can use SIM swaps (persuading your carrier to move your number to their SIM), interception of the mobile network, or call/text forwarding to receive your codes if they really want access.
And it happens to the best of us: in 2019 Twitter’s co-founder and CEO, Jack Dorsey, was hit with a ‘SIM swap’ scam that took over his Twitter account before it was shut down.
Additionally, codes sent via SMS or email are usually valid for much longer than the 30-second window of a Google Authenticator code. There are various 2FA authenticator apps on the market, all of which work in a similar way. We’ll take a look at the most popular: Google Authenticator.
Despite authenticator apps (referred to above as ‘Mobile Passcode’) being far superior, SMS and email 2FA are still the most widely used according to Duo's research.
Your overall security & other systems play a part!
Go back to ‘2FA basics’: now that you understand the concepts behind 2FA and MFA, take time to assess your own situation, especially for important accounts.
Is there a way someone could get access to the login AND the 2FA element?
- An email compromise is a good example: if someone gets into your email, they can obtain your username and a new password via a password reset. If your 2FA also goes to that email, they can log in and authenticate with nothing else.
- Phones: most accounts use email for registration. If your email is set up on your phone and your phone is stolen (and unlocked), could someone get both your login and the 2FA code (authenticator app, SMS or email)?
TIP: One of the best things you can do is have a separate email address for your logins. Access it only through its web interface, and never add it to your phone’s mail app or forward it to your personal email, e.g. create an email account that is used only for your accounts and don’t put it on your phone.
Consider using an encrypted email service such as ProtonMail.
Setting up Google Authenticator
Here we will guide you through the process of setting up Google Authenticator to generate your 2FA security codes.
1/ Download the Google Authenticator app
Make sure you go to the official app store on your device and search for ‘Google Authenticator’; check that the publisher shown is Google before you install it.
2/ Turn on two-factor authentication
On the website where you want to secure your details, there should be a setting to turn on two-factor authentication (2FA) with an authenticator app. This is usually in your profile or security settings. When you find it, click ‘Turn on’ or ‘Enable’.
The site should now display a QR code image and an activation key (a sequence of letters and digits; the QR code simply encodes that same key). Keep this on screen, as you need it for the next steps.
3/ Save the 2FA activation key and/or the QR image
When you turn on two-factor authentication for use with an app, you will only see the QR image/activation key ONCE!
Therefore you must save the key and/or the QR code somewhere safe. Remember that this key is the secret from which every future code is computed: anyone who obtains it can generate your codes, so treat it like a password. Where you keep it is your own choice.
e.g. we’d recommend you do NOT take a screenshot and save it in your email or on your desktop! There are many discussions about ‘best practice’ and it’s too big a topic to discuss here. As with most things, there are pros and cons with every option for storing keys.
4/ Add your authentication to the app
Open Google Authenticator and tap the ‘+’ button in the bottom right-hand corner, which gives you the option to either scan a QR code or enter a setup key:
If you choose ‘Scan a QR code’, it opens your camera; point it at the QR image and the account is added automatically. NB it sets the ‘Account’ name for you so you know which website the code is for, but you can change this later.
If you choose ‘Enter a setup key’, you can type an ‘Account’ name (call it anything that reminds you what it is for) and then paste in the activation key from the website’s 2FA options. This adds it to the app.
NB. This method of authentication is becoming more and more popular across many sites, so name each entry something familiar so you can recognise the code you want to use.
TIP: For additional security, you could have your own ‘code’ for the naming 😉
How to use Google Authenticator 2FA
OK, so you’re all set up and now you need to login…
1/ Log in as usual with your username/email and password. Assuming authenticator 2FA is set up, you will then be asked for the six-digit 2FA security code.
2/ Open the Google Authenticator app. Find the entry for the website you are logging into and copy the six-digit code shown under its name.
TIP: on your mobile device you can copy the code by just tapping on it.
3/ Back on the website you are trying to access, paste in the six-digit code you have just copied.
Note that the code changes every 30 seconds; in the last 5 seconds the code turns red. If you do not copy and paste the code quickly enough, just try again when a new code appears in blue. If your codes are rejected consistently, check that your phone’s clock is set to update automatically, as the codes depend on the time being correct.
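To make the earlier description of authenticator apps (a new code every 30 seconds, computed on your phone) and the setup and login steps above concrete, here is an added example, not code from the original article or from Google Authenticator, of the open standard the app implements (TOTP, RFC 6238). It plays both sides: what the website does when it shows you the setup key/QR code, what the app does when it scans it, and how the site checks the six-digit code you type in. The account name, issuer and otpauth:// URI are constructed sample values; the sample setup key is the base32 form of the RFC 6238 test key, so the codes it produces can be checked against the RFC’s published test vectors.

```python
# Added example (not code from the original article or from Google
# Authenticator): a minimal RFC 6238 TOTP implementation showing what the
# setup key/QR code contains, how the app turns it into 6-digit codes,
# and how a site verifies them. Account name, issuer and URI below are
# constructed sample values; the key is the RFC 6238 test key
# b"12345678901234567890", so results match the RFC's test vectors.
import base64
import hmac
import secrets
import struct
import time
import urllib.parse
from typing import Optional

# Constructed sample setup key: base32 of b"12345678901234567890".
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
# Constructed sample of what a site's QR code encodes.
SAMPLE_URI = ("otpauth://totp/ExampleExchange:alice%40example.com"
              "?secret=" + SAMPLE_SECRET + "&issuer=ExampleExchange")


def decode_secret(secret_b32: str) -> bytes:
    """Base32-decode a setup key; sites often omit '=' padding or use lower case."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def enroll(issuer: str, account: str) -> str:
    """What the website does in step 2: mint a random 160-bit secret and
    build the otpauth:// URI that is rendered as the QR code / setup key."""
    secret_b32 = base64.b32encode(secrets.token_bytes(20)).decode()
    label = urllib.parse.quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}"
            f"&issuer={urllib.parse.quote(issuer)}")


def parse_otpauth(uri: str) -> dict:
    """What the app does in step 4 when it scans the QR code."""
    p = urllib.parse.urlparse(uri)
    if p.scheme != "otpauth" or p.netloc != "totp":
        raise ValueError("not a TOTP otpauth:// URI")
    q = urllib.parse.parse_qs(p.query)
    return {
        "account": urllib.parse.unquote(p.path.lstrip("/")),
        "secret": q["secret"][0],
        "issuer": q.get("issuer", [""])[0],
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
        "algorithm": q.get("algorithm", ["SHA1"])[0].lower(),
    }


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC the 8-byte big-endian counter, dynamic-truncate, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, period: int = 30,
         digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238: the counter is the number of `period`-second steps since the Unix epoch,
    which is why the code changes every 30 seconds and why the phone's clock matters."""
    t = int(time.time()) if at is None else at
    return hotp(decode_secret(secret_b32), t // period, digits, algorithm)


def seconds_remaining(at: Optional[int] = None, period: int = 30) -> int:
    """How long the current code stays current (the app's countdown / red flash)."""
    t = int(time.time()) if at is None else at
    return period - (t % period)


def verify(secret_b32: str, code: str, at: Optional[int] = None, period: int = 30,
           digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the current step plus `window` steps either side
    (clock skew between phone and server), comparing in constant time. A real
    server must also refuse a code it has already accepted in this window,
    otherwise a code seen over your shoulder can be replayed."""
    t = int(time.time()) if at is None else at
    key = decode_secret(secret_b32)
    ok = False
    for step in range(-window, window + 1):  # no early return: same timing for every outcome
        ok |= hmac.compare_digest(hotp(key, t // period + step, digits), code)
    return ok


if __name__ == "__main__":
    uri = enroll("ExampleExchange", "alice@example.com")   # site side
    entry = parse_otpauth(uri)                              # app side
    code = totp(entry["secret"], period=entry["period"], digits=entry["digits"])
    print(f"{entry['issuer']} ({entry['account']}): {code}, valid {seconds_remaining()}s")
    print("server accepts:", verify(entry["secret"], code))
    print("RFC 6238 T=59 ->", totp(SAMPLE_SECRET, at=59), "(expected 287082)")
```

Two things the code makes visible that the steps above only hint at. The setup key is the whole secret: `totp()` needs nothing else, so anyone holding your saved key or QR image can produce your codes forever, which is why step 3 says to store it carefully. And a code is not a password: it is only accepted within its 30-second step (plus a small skew window on the server), so a leaked code is useless within a minute, whereas an emailed or texted code typically stays valid far longer.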
If there’s an option to set up 2FA we strongly recommend you activate it. Whilst anything (e.g. email/SMS) is better than nothing, use an authenticator app for the best security and make sure you store your key/QR code securely.
Also think about how 2FA actually works and where your vulnerabilities may lie…
Is there a way a hacker could get access to both pieces of 2FA information?
Should you create another email used solely for accounts?
I’ll let you decide!