Two-Factor Authentication

I mentioned in a previous post that I purchased a new Android smartphone. Google made it very easy to transfer apps and data between two Pixel phones. I’ve also seen it work flawlessly between two non-Pixel Android phones. After transferring apps and data between phones, I spent a few hours today logging into each app to verify that there are no surprises. Fortunately, I practice good security hygiene by using a password manager to generate and store a unique password for each app. It was simple to copy/paste passwords between the password manager and the app. When I can, I sign into websites and apps with my Google account as it eliminates the need for a password altogether.

For the most part, the transfer was flawless except for one part. I use a two-factor authentication (2FA) app for some websites and the codes weren’t transferred. That was my worry not only with the phone transfer itself but with 2FA in general. What if I lose my phone? Will I be able to log into accounts that require a time-based one-time password (TOTP)? Fortunately, the answer is yes. Websites that require TOTP often provide a set of recovery codes that you can use in the event that you lose access to your 2FA app. It’s imperative that you keep those recovery codes in a secure place. If all else fails, you can always contact customer support.

Why Passwords Suck

Let’s face it, we access tens to hundreds of websites in our lifetime and each website requires a login and password. Humans are terrible at remembering strong passwords, let alone unique passwords for tens to hundreds of websites. So what do we do? We reuse passwords. I was guilty of that prior to using a password manager.

Computers are getting faster, internet speeds are increasing, and cyber criminals are becoming more sophisticated. Not every website that we frequent practices good security measures, so how safe do you feel about giving websites the same password that you use for your bank accounts? There are troves of compromised credentials for sale on the dark web that contain email addresses and passwords for hacked websites. Given that we know humans reuse passwords, once a hacker has your credentials for one website, they will attempt to use it on another website. This is why it’s important to use unique passwords across websites.

Banks are well aware of this, which is why many have started to implement some sort of two-factor authentication. Technology companies know this too, which is why they’re trying to move away from password-based authentication to biometric authentication. You can see this shift through the introduction of Windows Hello by Microsoft and Touch ID by Apple. Google added support for Passkey in Google Chrome, which allows you to use Touch ID for website authentication.

What Is Two-Factor Authentication?

Two-factor authentication (2FA) is simply a way for a website to verify the identity of a user through a second mechanism beyond just the password. This second mechanism relies on something the user registered with the website in advance: an email address, a phone number for SMS messages, one-time passwords, hardware keys, etc. You can think of it as providing two forms of ID. The idea is that a hacker will only have access to one form of ID, specifically the password, and not the other form of ID.

Weak Forms Of 2FA

The two most common forms of 2FA are the most convenient and the most vulnerable. Verification codes sent to an email address or a phone number are the weakest. Let’s start with email. If a person reuses the same password for their email and bank, then a hacker with a single credential will have access to both. Once they have access to your email, the hacker can easily receive email verification codes.

This is why it’s important to use a secure unique password for your email. I use a password manager to generate unique passwords for each website. But I don’t store my email password in the password manager in the event that the password manager is compromised. It may take time, but as long as I have access to my email I can always reset passwords for each website.

A verification code sent by SMS message is more secure than by email. The hacker would need physical access to the phone, which is harder to accomplish. But in reality, they don’t need physical access to your phone. They just need to convince your mobile carrier to transfer your phone number onto their SIM card. They do this by gathering any personal information that you may have shared publicly on the Internet, or through social engineering, to answer enough security questions that your mobile carrier believes it’s you on the other end of the line. This is a technique known as SIM swapping. Once they hijack your phone number, they can receive verification codes on their phone.

Additionally, SMS messaging is inconvenient. If you don’t have access to your phone for valid reasons or your bank can’t send verification codes to a foreign mobile number while you’re traveling abroad, then you’re out of luck. In my experience, some US banks either will not accept a non-US number or can’t send short codes to Canadian phone numbers.

Strong Forms Of 2FA

The strongest form of 2FA is a hardware key. These are little USB keys that plug into your laptop or phone. Once the hardware key is registered with the website, you simply touch the hardware key when the website requests authentication. Common hardware keys include Yubico’s YubiKey and Google’s Titan Security Key. Google Chrome also has Passkey support so that you can use your Mac’s Touch ID. What’s the problem with hardware keys? First, they’re expensive. A single hardware key can cost US$50 and up. They’re usually small and therefore are easy to lose. If you’re using hardware keys, ideally you want to buy and register 2 hardware keys, using one as a backup stored in a secure location. Next, a hacker who is motivated can physically steal your hardware key. Heck, if you use Touch ID for your hardware key, the hacker can just steal your laptop. Finally, not many websites support hardware keys.

The next form of 2FA is a time-based one-time password (TOTP). This is where authenticator apps come into play. A website that supports TOTP will generate a QR code for you to scan into your authenticator app. The QR code encodes a shared secret; once scanned, the authenticator app uses that secret and the current time to generate a 6-digit code every 30 seconds. The website will occasionally ask for a TOTP when logging in or performing a sensitive operation. Examples of authenticator apps, all free to download and use, include Google Authenticator, Microsoft Authenticator, Twilio Authy, Okta Verify, etc. The problem with authenticator apps is that some apps don’t back up the secrets, so if you lose your phone then you’re out of luck. Some authenticator apps do have backup capability, but you have to worry about the security of the backup.

New Phone Who Dis?

When I started working for my current employer, I was forced to use 2FA. We use Okta for single sign-on (SSO) on various websites. To gain access to Okta, we need to use a TOTP so I used Okta Verify. Since then, I used Okta Verify for just about all TOTP 2FA. This became problematic when I changed phones because the codes weren’t transferred. It turns out that you can transfer between phones using Bluetooth, but I didn’t know it at the time. I ended up using Okta Verify on the old phone to authenticate and register Okta Verify on the new phone for 2FA using QR codes. This would have been problematic if I didn’t have access to my old phone.

Later that evening I thought to myself – there’s no reason why I need to use Okta Verify, I can use any authenticator app. So I downloaded Google Authenticator. One of the benefits of Google Authenticator is that the codes are backed up. If you want tighter security, you don’t have to back up codes to the cloud and can run Google Authenticator without a Google account. I trust the security practices of a few companies and Google is one of them, so I didn’t have concerns about backing up my 2FA codes. I went through the process of using Okta Verify on the new phone to authenticate and register Google Authenticator on the new phone for 2FA using QR codes.

Using Authenticator Apps To Replace Symantec VIP Access

There is one bank that requires me to use Symantec VIP Access for 2FA. This is a huge pain in the ass because it is yet another 2FA app. Fortunately, someone was able to reverse-engineer Symantec’s provisioning protocol. With additional effort, you can generate a QR code to scan into any 2FA authenticator app.

Follow the instructions here: https://gist.github.com/jarbro/ca7c9d3eebba1396d53b4a7228575948

From the instructions, you will not be able to run apt install because that’s a Linux-specific command. For Macs, you need to install Homebrew, which I described in this post. Use Homebrew to install python3-pip and qrencode. I already had python3-pip installed, so I just ran:

brew install qrencode

All of the other instructions are the same. After successfully adding and verifying that Google Authenticator can generate Symantec VIP Access TOTP, I ran the following commands to clean up artifacts on my Mac:

pip3 uninstall python-vipaccess
brew uninstall qrencode