I never really figured out what I wanted to do with this blog, but I have decided that it’s going to be a place for me to write about whatever I feel is important to me at the moment. If you haven’t figured it out yet, I really value privacy and security. I believe that it is a basic human right and everyone should take it seriously. I’ve already written a post about the password manager that I use, so I figured I’d build on that subject with which 2FA app I use and why. I’ll also explain what 2FA is and why it’s important.
What Is Two-Factor Authentication
Chance, what even is Two-Factor Authentication (2FA)? Well reader, let me tell you. Two-Factor Authentication is a way to add an extra level of security to your account. Think of it this way: when you use your debit or credit card to pay for something in a shop, you first have to slide your card into the chip reader. After that you have to enter your PIN. This is actually a form of 2FA. You probably didn’t even realize it since you are so used to doing it. The first factor is that you are physically in possession of the card. The second factor is that you know the correct PIN for said card. Entering the PIN verifies that you are the owner of the card and you have authorization to be using it. 2FA works the same way.
When you log in using only your username and password, that’s a single factor. Most self-respecting institutions offer at least some sort of 2FA (I’m looking at you Spotify :rolls_eyes:), whether that is a code sent to your email address or to your phone via SMS, or an Authenticator app on your phone. This code adds the second factor into the equation.
So, Why Should I Use 2FA
Well, it’s just an extra way to help keep your accounts safe online. Setting up 2FA adds an extra step in logging into your account, meaning that a hacker would need to have both your username and password, as well as your 2FA code sent to your device. This just makes it more inconvenient to compromise the account. It’s not a perfect solution, but it’s better than nothing.
Should I Use Email, SMS, or an Authenticator App
Now, I would recommend NEVER using the email option if you can avoid it. In my opinion it’s just way too easy for an attacker to get into email accounts. Too many people reuse passwords for multiple accounts so, at least to me, it’s not even worth sending the code to email.
Another option is to have the code sent to your phone via an SMS text message.
Now, I should note that these codes are One-Time PINs, or OTPs, meaning that as soon as they are used (or expire) they can no longer be used again. This makes them just a little bit more secure as they cannot be reused.
This is better than having the code sent to your email, but only slightly. A hacker could potentially hijack the message or even call your carrier and get your number ported to a new SIM card that they own. I know that sounds kind of crazy, but it’s not really a risk I’m willing to take.
So, then I should use an app? Yeah, probably. This is my preferred method as the hacker would have to physically have my phone. I only have one authenticator app[1] and it only lives on my phone. This makes it harder to hijack the code since it’s only living on my phone. Most websites will show you a QR code when setting up 2FA. You will scan the QR code with your preferred app and enter the generated OTP back on the website. There are a few popular 2FA/OTP apps. Google Authenticator and Authy seem to be the two big ones at the moment. I have used both in the past but have since moved to my current favorite, Aegis. I like Aegis because it’s open-source, it’s not owned by Google, it’s encrypted, and it’s simple to use. It even offers (for rooted devices) a way to import OTP codes from a different app. I was able to successfully import from the official Steam app but haven’t been able to get any others to work. I had to do some hackery to get my Twitch OTP code out of Authy and into Aegis, but it wasn’t too hard.
My one complaint with Aegis is that it doesn’t have any baked-in icons for any services or websites. Luckily GitHub user krisu5 made a beautiful collection of icons to use.
For even another bit of added security you can pick up a hardware key. I personally have a Yubikey 5 that I use. It’s just another layer of security that I always have on me. I just plug it in to or tap it on whatever I’m trying to authenticate and I’m in. I like the physical aspect of it. That way if I lose my phone or forget to back up my Aegis library before resetting my phone (this has happened far too many times) I know I’ll still be able to get in. Unfortunately not all services are set up to accept a hardware key, but I make sure to use it on all the services that do allow it.
This Sounds Like A Lot of Work
I mean, it’s pretty easy to set up and it’s only gotten easier over the years. Most websites[2] have made it pretty easy to set up 2FA on your account, and the minor inconvenience of having to copy and paste/type a short code after entering your password seems like a pretty fair trade-off for an extra layer of security. I’m not here to walk you through how to set it up; if you’d like a tutorial, almost all services have a support page to walk users through setting it up. I’m just here to tell you why I believe that everyone should be using it. Like I said, I’m just adding my thoughts on internet security and why I believe it’s so important.
Online security is important and we should be doing everything possible to make it as hard and annoying as possible for would-be attackers to get into our accounts. A good way to think about it is the same as protecting your home. You wouldn’t want to leave the door unprotected, so you get a lock. This is like a password. If you don’t feel like this is enough then maybe you get a security system or a dog. Added layers of protection deter criminals from trying to get into your house. The same can be said for your online accounts.
If I’ve left anything out, or gotten any information wrong, feel free to contact me so that I may correct it, or add it, to this entry. I want to make sure that all my information is accurate and helpful for whoever may come across it. You can find me at the following places:
or leave a comment below. :D
[1] Well, I try to only have one app. Some services require me to use their specific authenticator app. Stoopid Blizzard and Micro$oft.
[2] Seriously Spotify, get it together. You haven’t addressed this since 2018, and even then it took 3 years for you to mark it as “in consideration”. I don’t think it’s too much to ask for 2FA in 2020. Also, this year your support team directed me to the very same issue from 2015 and then only said that they would “pass on my feedback to the ‘relevant team’”. At this point it’s just absurd that this hasn’t been implemented.