Previously on my two-factor authentication odyssey I abandoned the Authy TOTP authentication app in exasperation. On paper, Authy ought to be the best way:
- It avoids insecure SMS for the second factor.
- You don’t get your authentication code over the network at all.
- You can back up your tokens to a secure cloud server.
- No need for printed “backup codes”.
- Get the code from an Android, iOS or Windows device.
However, my experience was poor. In the immortal words, I think it was me, not Authy. But it’s put me off. And if it’s put me off it would no doubt put a lot of others off as well. On top of protecting my own accounts I’m keen to share advice that will help and encourage other people (both techie and non-techie) to do the same. So right now, Authy isn’t on my list. Although it should be.
Having decided against doing this the “best” way, I needed to check out what security improvements I could make. So I started by investigating Google Prompt. This is a bit like getting a code via SMS but instead you see a prompt on your nominated device (usually your smartphone). Instead of entering a code in the Google login dialogue, you respond to the prompt on your phone. If you accept the prompt, the login completes and if you reject the prompt (perhaps because it’s some evil person trying to access your account, and not you), the login is rejected.
It was easy to set up and it works. After initial setup I’ve not received any prompts because I trust all of my devices (phone, iPad and PC). If I ever need to log in to another device I’ll get a prompt. (Security enthusiasts will point out that trusting my devices reduces my security level because if someone steals one they’ll be able to log in to my account – in fact, they won’t even need to log in because the account is set to “stay signed in”, as is common for many of us. And it’s hard to argue with that – except that all my devices also require a login or PIN to access them. So, yeah, if you steal my phone and can crack the PIN then you’re in. But the chances are I’ll have wiped my Android phone before you can do that. Oh, but on the other hand, I’m not sure I’ve set up Find My iPad, so that’s something I need to look into…but I digress.)
Unlike text messages, Google prompts travel over an encrypted connection to the app on your device, so they can’t be grabbed by “man-in-the-middle” attacks. And the 2FA is tied to your device, not your phone number. That makes SIM-swap attacks harder to do. However, I’ve read that smartphone geeks can clone an entire phone, thus fooling another bit of hardware into thinking it’s your phone, thereby thwarting your 2FA. But, really, what are the chances? Overall, this form of 2FA increases security and avoids the biggest weakness of SMS.
I still need a backup second factor. I really, really don’t want to use those “printable backup codes”, because, well, who wants to have to carry a secret bit of paper around just in case your phone dies or is lost / stolen? With Google, the default backup method is – you guessed it – SMS. But what I’ve done is to use my spouse’s phone number instead of mine. After all, there’s no point using my number if my phone is dead / lost / stolen.
Even with that backup method in place, Google urges me to set up a third option – either a hardware security key or those wretched printable backup codes. I’m not convinced I need a third method because for me to be locked out of the account I’d have to have lost both my phone and my spouse’s phone. Which, thinking about it, could happen, I guess…but I really, really don’t want to use those “printable backup codes”, because, well, who wants to have to carry a secret bit of paper around? And if I want my mum or non-techie friend to set up 2FA on their account and I start talking about needing to keep backup codes securely somewhere as well as their login credentials, they’re just going to say no.
Thinking aloud here, I guess, in my case, I could keep the backup codes in my password manager. But then, in the mythical scenario where I need to log into my Gmail and I don’t have access to my phone or my spouse’s phone, what if I don’t have access to my password manager? But no – if I’m on a computer with web access I can access the password manager because it’s available online. (And thereby hangs another debate, I know…) So anyway, I could use backup codes. But my mum wouldn’t. And she doesn’t use a mobile that much either so even old-fashioned SMS 2FA would be out of the question for her.
Later…I’ve given in and generated the Google backup codes. They’re now safely stored in my password manager.
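Since the backup codes ended up in a password manager anyway, it helps to know what the service is doing with them on its side. The example below is added here and is not Google's code: it generates single-use codes, stores only a salted scrypt hash of each one (so a database leak doesn't hand out working logins), normalises what the user types, and burns a code the moment it is redeemed. The alphabet, code length and store layout are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed alphabet: drops 0/o, 1/l/i so a code read off paper is hard to mistype.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_backup_codes(count: int = 10, length: int = 8) -> list[str]:
    """Return `count` random codes, shown as xxxx-xxxx so they are easy to read out."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        codes.append(raw[:4] + "-" + raw[4:])
    return codes


def normalize(code: str) -> str:
    """Strip the dash/spaces and case so 'ABCD-EF23' and 'abcdef23' are the same code."""
    return code.replace("-", "").replace(" ", "").lower()


def _hash_code(code: str, salt: bytes) -> bytes:
    # scrypt makes brute-forcing a leaked hash table expensive; the cost parameters are assumed.
    return hashlib.scrypt(normalize(code).encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


class BackupCodeStore:
    """Server-side record for one account: hashes of the codes that have not been used yet."""

    def __init__(self, codes: list[str]) -> None:
        self.salt = secrets.token_bytes(16)        # per-account salt
        self.unused = {_hash_code(c, self.salt) for c in codes}

    def redeem(self, candidate: str) -> bool:
        """Accept the code once: on success it is removed so a replay fails."""
        digest = _hash_code(candidate, self.salt)
        for stored in self.unused:
            if hmac.compare_digest(stored, digest):
                self.unused.remove(stored)
                return True
        return False

    def remaining(self) -> int:
        return len(self.unused)


if __name__ == "__main__":
    codes = generate_backup_codes()
    print("Print or save these, each works once:", *codes, sep="\n  ")
    store = BackupCodeStore(codes)
    print("first use:", store.redeem(codes[0]))   # True
    print("replay:", store.redeem(codes[0]))      # False
    print("codes left:", store.remaining())       # 9
```

The point for the user is the same as the point for the server: each code is a one-shot password, so it is only as safe as wherever it is written down, and it is worth regenerating the set once a few have been used.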
So, for this one account I’m happy it’s now more secure and that I won’t get locked out. Now I’ll move on to seeing what options I have for other accounts.
One thing is clear: This is not easy to do. I just hope service providers will continue innovating to make 2FA a lot simpler. That’s the only way it’s going to be widely adopted.