These days, if you haven't heard of 2FA (two-factor authentication) you are living under a rock. You've probably heard ad nauseam how 2FA has become the "standard" for preventing account takeover. I have spent more time than you can imagine helping people manage 2FA, and due to the nature of my job I have over 100 2FA accounts on various platforms. The key idea behind 2FA is that the application you are logging into wants to validate two independent things: something you know (your password) and something you have (a device under your control). That is why the best place to keep your 2FA authenticators is on a device you personally own and control, and a smartphone is the most common platform. Adding an authenticator app to your phone does not give it any permissions beyond the camera (to scan the setup QR code) and notifications. You can even set the camera permission to "Ask every time" so that you have to approve it before it will scan a code. Adding a legitimate authenticator to your phone is pretty risk free. That said, be sure it is a LEGITIMATE authenticator: a fake one sees every secret you scan into it, which is exactly what an attacker wants. For instance, if you search for Microsoft Authenticator in the Apple App Store you will see an ADVERTISED RESULT that is not from Microsoft. Why Apple allows this is beyond me, but you should only use an authenticator from a major, known and trusted vendor (check the developer name on the listing), not just any old one you download.
Let me give you some tips on 2FA, how best to use it, and pitfalls to watch out for:
- 2FA is not foolproof. You still need to protect your account credentials, and the best way to do that is being VERY CAREFUL about links you click on and sites you visit. A phishing site that proxies the real login page can relay both your password and your one-time code in real time, and a malicious page or browser extension can "steal" the session you already have with a site (the cookie that keeps you logged in), which bypasses 2FA entirely. Never approve a 2FA prompt if you're not actively trying to log in to something. Never provide a code over the phone or by text to anyone you don't know and trust personally. Ever. Legitimate support staff do not need your code. Never approve a login unless you are sitting in front of the computer being logged into yourself and know what you're doing. If in doubt, reject the login. If someone inappropriately asks you for login information, hang up on them.
- For most major apps the 2FA application you use is completely interchangeable, because they all implement the same standard (TOTP, RFC 6238): the QR code just carries a shared secret plus a few parameters, and any app that holds that secret computes the same six-digit code. Does the sign-in ask for Google Authenticator when you are setting it up? You can set it up in Microsoft Authenticator instead just as easily, and use that one. Or vice versa. You should consolidate your 2FA sign-ins into ONE AUTHENTICATOR so you can manage the codes more easily and find the right one when you need it. The basic procedure is: add a new account, scan the QR code to initialize it, then confirm the setup with a code or prompt. The QR code will never arrive via email. Don't be fooled.
- That said, authenticator apps should be backed up to a cloud account. For Microsoft Authenticator that is a personal Microsoft account (on iPhone it also uses iCloud); for Google Authenticator that is a Google account, etc. Turn backup on and be sure the app is linked to that account. Keep in mind that the backup account now holds all of your 2FA secrets, so protect it at least as well as the accounts it guards.
- It's essential that you can keep accessing the account your authenticator is backed up to, and that you have another way of accessing that account BESIDES THE AUTHENTICATOR. Why? You might lose your phone. Or replace it. Or it gets stolen, or needs to be reinitialized or repaired. In all those cases you lose access to the phone, and therefore your ability to sign in, including to the very account that holds the backup. If it's an account you use infrequently, be sure you have it documented somewhere safe, with any password recovery instructions, recovery codes and recovery phone or email details stored somewhere safe as well.
- Speaking of recovery, when you initially set up 2FA many sites will show you a recovery code or key (sometimes a list of one-time backup codes). Most people just bypass that screen and ignore it. Don't do that. That code is what gets you back in if your 2FA is lost or compromised, and it works as a full substitute for the second factor, so treat it like a password. Store it somewhere safe and offline: printing it out and putting it in a file cabinet, keeping it in an encrypted file, or storing it in your password manager are all viable options.
- When you change phones, overlap usage of the two for a couple of weeks. Why? Restoring the authenticator from your Google or Microsoft backup brings back the codes, but accounts that use push approvals or passkeys are registered to the old device and may need to be re-registered on the new one, and that re-registration is itself a login that has to be approved on the old phone. If the old phone is already gone or reset, you can't do that. Not overlapping use will vastly complicate moving authentication to the new phone if you haven't fully moved out of the old one.
- Consider using your authenticator as your password manager on your phone and computer. If you do this your passwords will be backed up and travel with your account and cloud backups. The advantage of using the authenticator rather than the browser is that your passwords are available no matter which browser you use. Check that your app still offers this, though: Microsoft has announced it is retiring password autofill in Microsoft Authenticator in favour of Edge, so a dedicated password manager may be the more durable choice.
- Sometimes specific applications manage their own 2FA. For instance LinkedIn uses the LinkedIn app as your 2FA, and many gaming platforms like Steam, Battle.net and others do the same thing. So even if you've consolidated your 2FA into one authenticator, you may unknowingly have others on your phone. LinkedIn sends a notice to the LinkedIn app on your phone to validate that you are you before allowing the login. This matters when, for instance, you change phones: these app-specific registrations are not part of your authenticator backup. Log in to LinkedIn at least once on your new phone, approving that login on your old phone, before wiping the old one. I advise logging into ALL your accounts and apps on the new phone before wiping the old one.
- There is a newer option called "passkeys". A passkey is not a certificate: it is a private key that your device (or your authenticator app) stores for one specific site, with the matching public key registered at that site. When you log in, the site sends a challenge, you prove you control the device (approve the prompt, or unlock it with a fingerprint, face or PIN), and the device signs the challenge. No password is typed and nothing reusable crosses the wire; the signature is bound to the site's real domain, which is why a passkey cannot be phished the way a code can. It feels similar to Microsoft's push authentication where you just confirm a number rather than typing a login. Passkeys can be very handy. A passkey created on your phone will not by itself log you in on your computer; unless it syncs through your platform's or authenticator app's cloud, you must create a separate passkey on the computer, using normal 2FA to log in there the first time. Creating your passkeys in one authenticator app that backs them up is the good news. The bad news is that, because passkeys are tied to devices, you will still need 2FA (or an already-set-up device) to log in on a new device the first time.
- Many 2FA methods use number matching to prove you are the one at the login screen. For instance it will put a number like 32 on the screen, then send your phone a notification asking for that number. You must type 32 into the authenticator and accept it. A few notes on these: the numbers time out; if you haven't entered it within a couple of minutes the attempt is invalidated. If you get a notification asking you to enter a number and you're not trying to log in, someone else is trying to log in as you. Don't approve it. And change your password: the attacker already has it, or they would never have reached the 2FA prompt.
- In Microsoft 365 (Microsoft Entra ID, under Authentication methods > Microsoft Authenticator) you can turn on showing the application name and the geographic location of the sign-in attempt in the push notification. If, for instance, it says the login is coming from Safari in Jakarta, it's a pretty safe bet that's an attacker trying to get into your account, unless you are on vacation in Jakarta and not using the browser (Chrome, Edge, etc.) you usually use. If other login methods have these capabilities, turn them on.
- If you are in a corporate environment you can always lean on your IT support person or provider to reset your 2FA so you can re-enroll should your phone be lost or you forget to reinitialize your 2FA. That is not the case for personal accounts like a Microsoft account or a Gmail account. They have very little support for recovering 2FA, because any easy recovery path would be used by attackers to steal accounts, and they have no ability to support individual users of free accounts. So YOU NEED TO BE RESPONSIBLE for those codes and be able to recover them in an emergency. Even a professional like myself cannot recover a Microsoft or Gmail account without proper credentials or recovery codes.
2FA is a powerful and important tool in your security toolbox. It's essential that you understand how it works, that you protect your credentials with it, and that you maintain the continuity of those credentials by backing them up and keeping the recovery paths working. Following these tips will help.