Two (/multi) Factor Authentication

My first experience of 2FA was a bad one. Apple kinda forced me into it, and one dead iPhone 4 and no back-up later, there’s a tonne of iTunes music and apps that I’ve paid for that I cannot access.

Fast forward a couple of years, and with the introduction of apps like Google Authenticator I am using 2FA more and more - especially since I’ve had a couple of old e-mail addresses show up on haveibeenpwned.com.

These days I log into everything from Amazon, my Google account, my webmail and even FintechTalk with a quick trip to Authenticator in order to pick up my one-time code.

Was wondering if others here had adopted this practice… or still rumbling on with ‘Password1’ or ‘qwerty123’ for everything?

2 Likes

Password manager and MFA are two very good practices to pick up.

You don’t necessarily need MFA on every account, but important ones you should definitely consider it.

Of the two above, to be honest, a password manager should be the first port of call for everyone. It doesn’t matter if it’s an online service like 1Password or something like KeePass.

The simple fact is a unique password for every account is extremely secure; obviously it’s not possible for most people to remember unique passwords.

You could also use a notebook for storing passwords: old-fashioned, but effective.

For MFA I have it applied to a few accounts, email being the main one as it’s essentially the gatekeeper to my online accounts.

For MFA, TOTP is probably the best option for a lot of people; it’s simple and easy to use (6-digit code, changes every 30 seconds). I use YubiKeys for some things at work, and they can be used on things like Gmail as well.

The downside is losing your master password :confused: But really that’s just a case of ensuring you follow a little good practice, keep your backup codes and recovery info in a secure place, and keep it up to date. It doesn’t take long, but people are lazy.

That is the main issue for me (in regards to the technology itself): people are just inherently lazy and won’t keep their backup codes safe or back up their data. It will inevitably bite some people in the ass.

1 Like

Yep. Unique, random passwords for every service (stored in KeePass), and 2FA wherever possible (using Authy).

I even make the availability of 2FA a factor in deciding between service providers.

The one thing that annoys me is the UX of 2FA apps: my list of 2FA accounts is really quite long now, and finding the right one in the app now takes a non-trivial amount of time, especially since I often have multiple accounts with the same provider.

I wish 2FA apps offered better categorisation (“folders”) and/or icons.

Also, setting up a new android device is a pain with random passwords. It really annoys me!

2 Likes

For a master password that you need to remember, it’s worth noting it doesn’t have to be random in the sense of a random string of characters. That’s just hard to remember, but a combination of words and characters set in a memorable pattern will give you a memorable password that is secure and hard to crack.

For example 59£Pink£Horse£Potatoes

You have uppercase, lowercase, numbers and special characters; it’s long enough and stupid so you’ll remember it, but difficult enough that it’s not easy to crack.

I do like a good three word password.

ThreeWordPassword is one of my favourites.

1 Like

I’m using 1Password for almost everything. My company secures everything work related using the Microsoft Authenticator app.

I really like 1Password because it means I don’t have to know any passwords except my master password, and I use one-time passwords on every site that supports them. I also let it generate the password, meaning all my logins are different.

J4ck&J1llW3ntUpTh3H1ll was always a favourite of mine (not used any more, hence posting it)

We’re currently rolling out MFA across all our Microsoft customers after a recent advisory from Microsoft to drop regular password resets in favour of MFA.

1 Like

I use 2FA with Google Authenticator on every service that supports it.

2 Likes

Funny you should say that - we’ve just started implementing MFA with our O365 accounts which, in turn, powers our VPN solution.

Regular password resets on corporate systems have been demonstrably dumb for a long time. Especially when IT management insists on ever-decreasing reset periods coupled with more and more complex passwords. It’s no wonder that a lot of the time, if you want to know a colleague’s password, you should just start looking at the post-it notes on their monitor!

It wouldn’t be as bad if those in charge could be arsed to use SSO on corporate systems. Having multiple sets of credentials is begging users to write things down.

2 Likes

The problem of course is that obvious character substitutions like this don’t make your password more resistant to brute-force cracking.

Those are my pet hate. They make everyone’s life more miserable and make passwords less secure.

My master password is not random, that’s true. My master password and my Windows password are the only two passwords of mine that are not random, as I simply need to remember and type them.

1 Like

I’ve always maintained that if you make the password policy too complex or the requirements too onerous, people will simply write them down. The number of people that email the helpdesk and ask us what their password is astounds me. I get that we all have to remember lots of PINs and passwords, but if you cannot remember your work password you don’t get to make money, so figure it out. So I am all for password managers.

One of the things I really like about MFA on O365 is you get the push notification to the phone and the Apple Watch. When I want clients to move to MFA I show them me logging in via the notification on the watch.

I couldn’t agree more but I think it came from starting somewhere… and remember when I say an old job I mean more than 10 years ago :slight_smile:

2 Likes

Just a word of warning to those with Google Authenticator (and other such apps) from past experience …

Has anyone who has been using this service experienced a change of mobile? My understanding is that the code is linked to the specific device, so you may still get into trouble if you lose your phone. The codes do not carry over when you open the app on a different device!

(unless someone knows a trick that I do not)

1 Like

This is why the standards from NIST have recently changed. Technology now easily allows for people to use passwords that they don’t have to change every 90 days according to a password complexity policy.

These old ways of doing things needed to go a long time ago.

Your backup codes are for this kind of situation (losing your phone).

You could use a service that syncs your OTP info, there’s nothing necessarily wrong with that.

If you change your phone you should make sure you set up your OTP info before wiping it from your old phone.

2 Likes

That’s why I use Authy. It backs up to “the cloud”, so you can restore it.

Fully compatible with Google authenticator as well.

1 Like

There are some horror stories out there. Not sure if I’ve shared this one before, but a local authority I used to work at (this is nearly 10 years ago, so I would have hoped they’ve been audited by now) had the domain admin password set to a single two-syllable word - all lower case, no numerals or other characters - and the password for the beautifully insecure VNC that was installed on every desktop was simply ‘master’. Genius.

2 Likes

I guess your alternative would be to print/store the activation QR code, which is slightly smoother than using reset codes.

Ditto, I don’t use 2FA nearly as much as some here but opted to use Authy as well when I do.

Same here - Authy is great. I have it on my laptop too so I don’t always have to reach for my phone.

I use LastPass Authenticator as it syncs to the cloud. So it doesn’t matter if anything happens to my phone. I prefer the less secure text codes as it’s just more convenient.

For passwords I just use Google’s password manager. Not as secure obviously but someone would still need access to my Google account so I’m not too worried. Also it’s very convenient especially with certain apps like Netflix that just log you in straight away. Generates secure passwords as well.

I only use LastPass now to store secure notes.

Interesting, because I’m the exact opposite: I find waiting for those codes and dealing with the text messages far less convenient than Authy :slight_smile: