grep jason_

Two Factors Are Better Than One

Another year comes to a close, and that marks one more year full of hacks, exploits, and identity theft. There are many things you can do to help keep your data safe, one of which is keeping your online accounts as locked down as you can. You should of course always have strong and secure passwords¹, but there are additional things you can do to harden your security measures. One such measure is the use of 2-factor authentication when available. This type of authentication comes in several flavors. It can be text messages, a hardware token generator, a software token generator, phone calls, tokens printed out and saved in your wallet, or even a secondary device. Because there are a vast number of ways to set up this type of system, it is common for people to simply skip adding 2-factor authentication altogether. No matter the implementation, the idea is to have at least one additional piece of information, aside from your password, that is needed in order to access the account or service.

There is always a tradeoff between security and convenience, but this doesn’t mean you should be too far in either direction on the scale. I would always push to be as far towards the security side as you can manage on a day-to-day basis. Even one extra measure of security is better than nothing.

When it comes to 2-factor authentication, we are starting to see more services support the feature and more options for users in terms of token generation. One of the first mainstream options that most people have seen is Google Authenticator. Despite the name, this token generator can be used with many more services besides Google’s own properties. It’s a pretty straightforward and simple app that works well.

General Gotchas of 2-Factor Systems

  • If you lose your phone that has your token generator, and you don’t have backup codes for each account, you will be locked out of those accounts and have to prove your identity to get back in. Remember, this is what you want the system to do for you.
  • If you wipe your phone for some reason, many token generators do not keep your data, so you will need to set up 2-factor on your accounts again (similar to the above).
  • You can only use a single device to generate tokens, so if you don’t have that device around, you are somewhat stuck.

The authentication system I have been using lately is called Authy. This system runs on just about all the devices out there, and has one feature that differentiates it from all the other systems I have seen: it allows you to sync your tokens across devices. So if you don’t have your phone with you but you do have your iPad, you can simply open Authy on your iPad and get your token from there. There is also a computer client in the form of a Chrome browser extension, so if you use Chrome, you are set there.

So far I have not had any major issues with Authy, but your mileage of course may vary. At the end of the day, it really doesn’t matter which app you use, just as long as you are using some kind of extended security on your accounts. Things are only going to get worse out there in terms of account attacks, and you should do all you can to be proactively secure before something happens and you have to scramble to clean up the mess afterwards.

More info about Authy

1: Please start using 1Password to create really strong passwords and manage them all for you.