Recommendations on Two-Factor Authentication
Advice on best solutions for two-factor authentication
Problem
A client needs to secure their account against hijacking and hasn’t enabled 2-factor authentication yet.
A high-risk client has set up SMS-based 2-factor authentication and we need to advise them to switch to a more secure method (an authenticator app or a security key).
Solution
What Is 2-Factor Authentication
Abbreviated as 2FA, Two-Factor Authentication (also called 2-Step Verification) is a way to protect accounts beyond a password. When 2FA is enabled, a piece of information (the password or passphrase) and an object (a mobile device or a security key) are needed to log into an account. This means that, even if someone were to get hold of their target’s primary password, they could not access their account unless they also had their mobile phone or another secondary means of authentication.
We should warn the client that, when enabling 2-factor authentication, they should always prefer an alternative method over SMS-based 2FA. SMS codes can be stolen by SIM swapping (an attacker convinces the carrier to move the number to their SIM), by interception of the mobile network, or by a phishing page that asks for the code, so SMS should only be used where nothing better is offered. For more information, we can link this article.
General Resources
Instructions for online services
What follows is a list of links with instructions on how to enable 2-factor authentication for the most popular online services:
- Google
  - If the client is at high risk of account hijacking and does not need to download their email or to encrypt it with Thunderbird+Enigmail or another mail client, we can suggest that they enable the Google Advanced Protection Program and guide them through the steps.
  - Also see Article #90: Two-Factor Authentication for Google Account
- Twitter (only allows SMS-based 2FA)
- Signal: even though this is not 2FA, the Signal PIN adds an extra layer of protection; with Registration Lock turned on, the PIN is required before the client's phone number can be registered on a new device.
- Microsoft
- Yahoo
- Proton (formerly Protonmail)
- autistici.org
OTP Apps
One-Time Passwords (OTPs) are single-use codes generated by an app. Most services use time-based OTPs (TOTP): during setup the service shows a QR code containing a secret, and from then on the app derives a new six-digit code from that secret and the current time, usually every 30 seconds. Google offers Google Authenticator as one such app, but there are free-and-open-source (FOSS) options like FreeOTP and andOTP (only for Android) as well.
Explain to the client that after generating the code in the app, they simply need to type it in the web form before the timer on the code runs out. Only a device holding the secret can generate valid codes, so as long as an attacker does not have the unlocked device at hand, the client should be safe. This option does not require data or a phone connection, only a device clock that is roughly correct. Two caveats to pass on: the setup QR code is as good as the device, so the client should not leave screenshots of it in their photos or email; and a phishing page can still relay a freshly typed code to the real site within the 30-second window, so the client must still check the address of the site they are logging into.
Security Keys
A security key is a small physical device that the client keeps on their person: a key-fob they purchase and plug into the computer's USB port (or tap against the phone) when logging in. Keys based on FIDO U2F or WebAuthn sign a challenge that is tied to the address of the site asking for it, so a phishing page cannot reuse the response on the real site; this makes them the strongest of the options here, and an attacker would have to physically take the key to get past it. A key does not require data or a phone connection. Most models only have a USB-A connector, but many current keys also offer NFC, USB-C or Lightning for use with mobile devices, so we should check both the key and the service for compatibility before the client buys one. Because a lost key locks the client out, they should register a second key or another recovery method (see the warnings below).
Warnings: Recovery Codes and App-Specific Passwords
When helping a client set up 2-factor authentication, we should warn them that if they lose their phone or security key, they might not be able to log into their account.
Some services offer solutions to this problem, like recovery codes. If this option is available on the service where 2-factor authentication is being enabled, we should guide the client through the process of downloading the recovery codes, or help them set up the recovery mechanism that is offered by the relevant platform.
We should also ask the client whether they use desktop or mobile applications with that service, for example a mail client like Thunderbird or an XMPP client like Pidgin or Conversations. In such cases, depending on the service, the client might need to generate an app-specific password that can only be used in that application. Warn them that an app-specific password bypasses 2FA for that application, so it should be pasted into the application once, never reused elsewhere, and revoked from the account settings when the application is no longer used.
Comments
If a client’s mail server is gmx.de, we can link these instructions in German for securing account access without 2FA.