• Home
• About
• Contact

Protecting Your Accounts With Two-Factor Authentication

I shall show you what two-factor authentication is, how to set it up, and how it adds another layer of defence to your online accounts. If you don't want to know the why, please skip straight to Getting Started. Otherwise, read on!

Understanding Two-Factor Authentication

Two-factor authentication (2FA hereafter) is a way to protect access to something by requiring two different kinds of information to do so. For online accounts, the first factor is likely the humble password (something only you know). This second factor, which we'll be adding, is most often tied to another account or application (something only you have). You'll be sent something called a one-time password (OTP hereafter) most of the time.

In the real world, a good example is an ATM. You prove it's truly you trying to withdraw cash with both the PIN only you know and the bank card only you have.

With 2FA switched on, a hacker stealing your password is no longer enough to break into your precious account; he must also obtain your especial second factor. I shan't lie, this extra step does slow down logging in, but the added safety is well worth it. At the very least, I strongly advise its use on all accounts that hold personal information (especially bank details).

Getting Started

In the next few sections will be about the 2FA methods you're likely to come across, from best to worst. For each, I'll go over how they work, their benefits & drawbacks, and how to set them up.

Authenticator Applications

Easily the most secure method for a normal person, being supported by every major social network. It takes a little setup, but it's worth it I say. For this you'll need a mobile app like the ones below. When you set this up, you'll be given a code called a seed from your online account's provider, called the issuer. This authenticator app uses both this seed and the current time to generate a six-character-long code on your device, called a time-based one time password (TOTP hereafter). The issuer does the same; if the TOTPs match, the login works. Lovely jubbly!

This method doesn't rely on another service like telephone or e-mail and, therefore, has no chance of interception; these TOTPs are generated by your device without even needing an internet connection. However, you must still take these cautions:

• Never give an account's seed to anyone, for if anyone else takes a hold of it, they too can generate these TOTPs
• If you lose your mobile device, then you might not be able to log in. Most services will give you backup codes in case this happens; please save any codes you are given

Your account issuer may tell you that you need a specific app like Authy or Google Authenticator. That's a lie; any app that uses the TOTP protocol will work. For a task this sensitive, I can only advise use of a free, open-source authenticator that supports password-protection and automated backups like the ones I list below.

You can take this one step even further with a hardware key. However, since I myself do not use one, I cannot endorse any particular key. If you are interested, all I can do is link you to the only keys with open-source firmware (Nitrokey and OnlyKey) as a starting point.

Aegis Authenticator

Aegis is my preferred choice on Android for its security and ease of backup. It can be downloaded from the Google Play Store or F-Droid (please ask if you want a guide on sideloading). Your storage (or vault, as it's called) will be ready to go as soon as you open the app.

To add a password to your vault:

• Tap the three-dots icon, Settings, and then Security
• Enable Encryption and enter your password, my guide on passwords may be useful here
• Write this password on a piece of paper, as you cannot open your vault without it
• When you're done, tap OK

Adding an account is most easily done with you logged in on a desktop web browser. Follow the steps below:

1. Find your account's 2FA settings, often under something like Security, and choose the option to add an authenticator app
2. In Aegis, tap the plus icon at the bottom-right and then either Scan a QR Code if given one or Enter Manually if not
3. Scan the QR code or type the seed into the Secret Key field
4. Fill in any missing details and then tap OK

To set up automated backups:

1. Tap the three-dot icon at the top-right, open Settings, and then Backups
2. Check Automatically back up the vault and then either Keep a number of versions or Single backup
3. Choose a file to save these backups in
4. Every now and then, copy your backup to another device. If you want to get advanced, you can set up a syncronised file with something like Syncthing to do this automatically

To make a single backup or export your vault:

1. Tap the three-dot icon at the top-right, open Settings, and then Import & Export
2. Tap Export. I'd choose .JSON for the format, for it can be encrypted with the password if you set one up earlier
3. Tap OK and choose the folder to keep it in

Ente Authenticator

If you're on iOS, Ente is also a good choice. You can't set as secure a password as Aegis, but it works as well in all other ways. Once again, your vault will be ready and waiting as soon as you open the app.

To add an account:

1. Find your account's 2FA settings, often under something like Security, and choose the option to add an authenticator app
2. In Ente, tap the plus icon and then either Scan a QR code if given one or Enter details manually if not
3. Scan the QR code or type the seed into the Secret Key field
4. Fill in any missing details and then tap Save

To make a single backup or export your vault:

1. Tap the three-line icon at the top left, Data and then Export codes
2. Choose either Encrypted or Plain text. I prefer the former. If your phone is secured with a PIN, you'll be asked to type it now
3. Tap Save and choose a folder to keep it in

E-Mail Authentication

When you try to log in, an OTP is sent to your chosen e-mail address that you'll need to type in. A convenient method to be sure, given you likely alreadY have one. This is less frequently used these days; Steam, GOG, and BlueSky are the only examples that come to mind, likely for the weaknesses below:

• If your e-mail account is hacked, then the hacker can intercept your OTPs or even reset the passwords of many associated accounts
• E-mail accounts are a common target for phishing, where they attempt to trick you into giving up login details by impersonating a legitimate service
• You must trust your e-mail provider to hold your information securely and not fall victim to leakage

As I said above, all you will need is an e-mail address. Ideally, this address should have neither your real name nor anything else that can tie it to you personally. I also advise keeping one address for talking with people and one for signing up for accounts. Though you can go much further than this if you wish, but that's an article for another day. Setup is easy; for each account you want to secure, follow these steps:

1. Find the Security section in your account settings
2. Type your e-mail address or check the option to enable e-mail verification
3. To test that it works, your inbox should either recieve a code or simply a notification that 2FA is switched on. Type in the code if necessary and you're good to go

Telephone Number Authentication

When you try to log in, the code will be sent to your chosen mobile phone number through either a text (SMS) message or an automated call. This is probably the most convenient method, but not without heavy downsides:

• If you chnge your number, then you must update it on every account one by one. Losing it altogether will make it much harder to get back in
• You must trust your account issuer to hold your number securely, for leakage may expose you to spam texts or calls
• If your number is shared elsewhere, this could be used to identify you as the account owner. Depending on your country, your number could also have information, such as your real name or location, attached to it
• Since SMS is not an encrypted protocol, your messages might be intercepted or otherwise leaked
• If a hacker knows your phone number as well as enough personal information, he can perform what's called a sim-swapping attack. This involves tricking your telecommunications provider, whilst pretending to be you, into issuing a new SIM with the number on it, effectively taking the number from you. See this article for more details

As such, I only suggest this method for the few services that force you to such as Pinterest, Twitch, VK, Signal, or Telegram. Even then, you should do so with a separate phone number than the one you talk to others with. This way you can change your main one with no worries. In the United Kingdom, you can order SIMs online or, ideally, with cash at your local supermarket, corner shop, or post office. Your mileage may vary by country.

As such, I can only suggest this method if the service gives you no choice and with these conditions: buy a pay-as-you-go SIM that requires no regular top-ups and only use the associated number for receiving 2FA codes. In the United Kingdom, you can order SIMs online or, ideally, with cash at your local supermarket, corner shop, or post office. Keeping a separate number means you can change your main one with no worries. This should be possible in the United States too. Your mileage may vary by country. Here's how to set it up:

1. Find the Security section in your account settings
2. Type in your phone number when requested
3. A code should be sent to your phone to test that it works. Type in the code and you're good to go

Best Practices

Some other top tips that don't fit anywhere else.

• Beware of phishing attacks. All of this security is for naught if you give it away. Watch out for inpersonal, poorly-formatted messages telling you to do something urgently and never give an OTP to anyone else
• If your account service lets you set a backup in case you lose your 2FA method, please do so forthwith. If you're given a set of backup codes, save these to a USB flash drive

And that's all there is. Good luck!

See Also

• Making Strong Passwords the Easy Way: My last security guide
• 2FA Directory: Great for checking what kinds of 2FA the services you use support