A client needs advice on how to secure their account with multi-factor authentication.

Recommendations on Two-Factor Authentication

Advice on best solutions for two-factor authentication

Problem

A client needs to secure their account against hijacking and hasn’t enabled 2-factor authentication yet.

A high-risk client has set up SMS-based 2-factor authentication and we need to advise them to use a more reliable solution.


Solution

What Is 2-Factor Authentication

Abbreviated as 2FA, Two-Factor Authentication (also called 2-Step Verification) is a way to protect accounts beyond a password. When 2FA is enabled, a piece of information (the password or passphrase) and an object (a mobile device or a security key) are needed to log into an account. This means that, even if someone were to get hold of their target’s primary password, they could not access their account unless they also had their mobile phone or another secondary means of authentication.

We should warn the client that when enabling 2-factor authentication they should always prefer an alternative method over SMS-based 2FA, as this is more vulnerable to hijacking. For more information, we can link this article.

General Resources

Instructions for online services

What follows is a list of links with instructions on how to enable 2-factor authentication for the most popular online services:

OTP Apps

One-Time Passwords (OTPs) are single-use codes generated by an app on the client's device. Google offers Google Authenticator as one such option, but there are free-and-open-source (FOSS) options like FreeOTP and andOTP (Android only) as well.

Explain to the client that after generating the code in the app, they simply need to type it in the web form before the timer on the code runs out. Only the device with the authenticator app installed will be able to generate these codes, so as long as an attacker does not have the unlocked device at hand, they should be safe. This option does not require data or a phone connection.
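The following is an added example (not part of this article, and not code from any of the apps named above) showing what happens behind the timer the client sees in the app: the service and the app share one secret at enrolment, and both derive the same six-digit code from that secret plus the current 30-second window (HMAC-based OTP, RFC 4226, with the time-based counter of RFC 6238). The secret used here is the published RFC test-vector key, so the codes are known values; the `window` parameter and the `verify_totp` helper are assumptions showing how a service would tolerate a little clock drift on the phone.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 4226 / RFC 6238 test-vector key
# ("12345678901234567890"), base32-encoded the way a service embeds it in
# the otpauth:// QR code the client scans. A real secret is generated per
# account and is never shown again after enrolment.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def _decode_secret(secret_b32):
    """Decode a base32 secret, tolerating lowercase, spaces and missing '=' padding."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(_decode_secret(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32, unix_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30-second window.
    This is the code the authenticator app displays; no network is involved."""
    now = int(time.time()) if unix_time is None else int(unix_time)
    return hotp(secret_b32, now // step, digits)


def seconds_remaining(unix_time=None, step=30):
    """How long the code currently shown stays valid (the countdown in the app)."""
    now = int(time.time()) if unix_time is None else int(unix_time)
    return step - (now % step)


def verify_totp(secret_b32, submitted, unix_time=None, step=30, digits=6, window=1):
    """Service-side check (assumed design). `window` accepts +/- that many 30-second
    steps to absorb clock drift on the phone. Every candidate is compared in constant
    time and the loop never exits early, so timing reveals nothing about the secret."""
    submitted = submitted.strip().replace(" ", "")
    if not (submitted.isdigit() and len(submitted) == digits):
        return False
    now = int(time.time()) if unix_time is None else int(unix_time)
    counter = now // step
    accepted = False
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret_b32, counter + drift, digits), submitted):
            accepted = True
    return accepted


if __name__ == "__main__":
    code = totp(DEMO_SECRET_B32)
    print(f"app shows {code}, valid for {seconds_remaining()} more seconds")
    print("service accepts it:", verify_totp(DEMO_SECRET_B32, code))
```

Because the code is derived from the shared secret and the clock only, anyone without that secret (that is, without the enrolled device) cannot produce it, which is the property the section above relies on. A service that accepted the same code twice, or with a very wide window, would weaken that property, so the verifier should also remember the last accepted counter per account.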

Security Keys

A security key is a physical device you keep on your person. It’s a small plastic key-fob that you purchase and insert into your computer’s USB port when logging in. It is very difficult to compromise your account with this option because the key will have to be physically taken to do so. A key does not require data or a phone connection to be used successfully, but cannot be used on a mobile device as a USB port is required.

Warnings: Recovery Codes and App-Specific Passwords

When helping a client set up 2-factor authentication, we should warn them that if they lose their phone or security key, they might not be able to log into their account.

Some services offer solutions to this problem, like recovery codes. If this option is available on the service where 2-factor authentication is being enabled, we should guide the client through the process of downloading the recovery codes, or help them set up the recovery mechanism that is offered by the relevant platform.
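As an added illustration of why recovery codes work as a fallback second factor (this is example code written for this article, not the mechanism of any particular service), the snippet below generates a batch of random codes, keeps only their hashes on the service side, and invalidates each code the moment it is used. The alphabet, code length and batch size are assumptions chosen for readability when a client writes the codes down.

```python
import hashlib
import hmac
import secrets

# Assumed format: 10 codes of two 5-character groups, drawn from an alphabet
# without easily confused characters (no 0/o, 1/l/i) so a handwritten copy works.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_recovery_codes(count=10, groups=2, group_len=5):
    """Create `count` unpredictable single-use codes using the OS CSPRNG."""
    codes = []
    for _ in range(count):
        parts = ["".join(secrets.choice(ALPHABET) for _ in range(group_len)) for _ in range(groups)]
        codes.append("-".join(parts))
    return codes


def _normalise(code):
    # Tolerate dashes, spaces and case so a code typed from paper still matches.
    return "".join(ch for ch in code.lower() if ch in ALPHABET)


def _digest(code):
    return hashlib.sha256(_normalise(code).encode()).hexdigest()


def store_recovery_codes(codes):
    """What the service keeps: hashes only, so a database leak does not expose codes."""
    return {_digest(c) for c in codes}


def redeem_recovery_code(stored_hashes, submitted):
    """Accept a code at most once; remove its hash on success so it cannot be replayed."""
    candidate = _digest(submitted)
    matched = None
    for h in stored_hashes:
        if hmac.compare_digest(h, candidate):
            matched = h
    if matched is None:
        return False
    stored_hashes.remove(matched)
    return True


if __name__ == "__main__":
    codes = generate_recovery_codes()
    vault = store_recovery_codes(codes)
    print("give these to the client to store offline:", *codes, sep="\n  ")
    print("first use accepted:", redeem_recovery_code(vault, codes[0]))
    print("second use of the same code accepted:", redeem_recovery_code(vault, codes[0]))
```

The single-use behaviour is the point to explain to the client: once a code has been used to get back in, it is gone, so they should regenerate a fresh set after using one and keep the list somewhere that is not the same device as the authenticator app.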

We should also ask the client whether they use dedicated client applications with that service, for example a mail client like Thunderbird or an XMPP client like Pidgin or Conversations. In such cases, depending on the service, the client might need to generate an app-specific password that can only be used in that application.


Comments

If a client’s mail server is gmx.de, we can link these instructions in German for securing account access without 2FA.