Do you want bullet-proof account security? I highly suggest enabling what’s called “two-factor” authentication. It’s sometimes referred to, perhaps inconveniently, as “two-step” verification, but it’s not exactly two steps. Two-factor authentication revolves around using a secondary authenticating element (i.e., a password generated by the Google Authenticator app, available on iOS, Android and Blackberry). In the event you don’t have access to the app, Google gives its users offline authentication codes they can write down on paper. Again, not everyone will have access to these while on the go, and so these individuals won’t receive access to their account, which could prove disastrous.

To remedy these issues, I suggest four courses of action. First, try Authy. Second, if you can’t install Authy (or don’t want to), install the Google Authenticator app on a variety of devices. Third, I suggest (in addition to printing them out) storing your most important documents in an encrypted Dropbox volume. Fourth, try enabling two-factor (colloquially referred to as “2FA”) on as many webapps as possible.

Use Authy

Authy’s design takes the pain out of 2FA. It syncs your Google Authenticator accounts across all devices, using your cellular number as the identifying agent. To get started, download and install the application. The setup wizard will walk you through the rest. Here’s a brief installation and configuration walkthrough:

Simply provide the application with your cellular number and create an account. After registration (you provide your email address, as well), request an activation code either through SMS or voice.

Now that you have both an account and the app, prepare to add an account to the phone. Authy does this on a per-webapp basis. Just go to the site you want to enable 2FA on and generate a QR code. Then use Authy’s built-in scanner to zap the QR code, which pairs Authy with the webapp. It’s a little tricky accessing Authy’s account-adding feature. You need to swipe from the left side of the screen to the right while on Authy’s main screen.

The advantage of Authy is that it allows you to install the app on multiple devices. This is a fair amount easier for those seeking to install the authentication app on new devices. On the downside, in the era of the NSA, security may not be much more than an illusion.

It’s also important to note that Authy offers the ability to back up “paper” 2FA backup codes. However, I don’t advocate using it for this purpose.

Store Encrypted Backup Codes in Dropbox

While Authy can also store “paper” 2FA backup codes, whether or not you feel comfortable sharing and storing such passwords is entirely a personal choice. I advocate storing 2FA passwords in the cloud using encryption.

Storing your files in the cloud requires two kinds of software: a cloud syncing application (such as Dropbox, which we’ve written about) and encryption software, such as the well-regarded TrueCrypt. To get started, try the following steps:

First, install both Dropbox and TrueCrypt (alternatively you can use TrueCrypt’s portable app, which doesn’t install itself). Here are the download links:

  • Dropbox: Available on Mac, Windows and Linux
  • TrueCrypt: Available on Mac, Windows and Linux

Second, create an encrypted volume in TrueCrypt. Just select File -> Create New Volume and then follow the guided setup wizard for creating a new encrypted container. This container file will hold your files. You can add content to this folder through TrueCrypt’s internal file management system.

Install Google Authenticator on multiple devices

Authy obsoletes this method, except for users without cellphones. If you lack a cellular number, this may be the only option for getting a 2FA authentication app on multiple devices.

Enable Two-Step Verification

There are actually more than two steps involved in two-step verification. First, you need to enable Two-Step Verification in Google’s configuration screen. Click “get started” and log in to begin.

After that, just click the box to enable two-step verification. With 2FA enabled, you now must install and activate the Google Authenticator app on your smartphones or tablets. After installing, you must activate the application from inside the Google Authenticator app. The app will require that you either scan a QR code or enter a code. You will need to choose the QR code option from within Google’s online interface for 2FA.

Now here comes the tricky part. You will need to simultaneously (or somewhat simultaneously) open the Authenticator app on all your mobile devices. Then you must choose to manually add an account, using the “Scan a barcode” option. Scan the on-screen QR code provided by Google’s 2FA site using all your devices at the same time. If it works, all your devices will generate the same 2FA code.

If it doesn’t, they will each generate a different 2FA code.
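Why the multi-device scan above works, as an added example (not code from this article or from Google): the QR code carries an otpauth:// URI with a shared secret, and each device derives its code from that secret and the current time as specified in RFC 6238. The account name and both URIs are constructed samples; the first secret is the published RFC test key.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import urlparse, parse_qs, unquote


def parse_otpauth(uri):
    """Extract the label and Base32 shared secret from an otpauth:// URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    params = parse_qs(parts.query)
    return unquote(parts.path.lstrip("/")), params["secret"][0]


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, a 30 s step and 6 digits by default."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", int(unix_time) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


# Constructed sample: the secret is the RFC 6238 test key, not a real account.
QR_FIRST = ("otpauth://totp/Example:alice@example.com"
            "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")
# Constructed sample: a QR code regenerated later carries a new secret.
QR_REGENERATED = ("otpauth://totp/Example:alice@example.com"
                  "?secret=JBSWY3DPEHPK3PXP&issuer=Example")


def codes_for_devices(scanned_uris, unix_time):
    """Return the code each device would display at unix_time."""
    return [totp(parse_otpauth(u)[1], unix_time) for u in scanned_uris]


if __name__ == "__main__":
    now = 59  # RFC 6238 test time
    print(codes_for_devices([QR_FIRST, QR_FIRST], now))        # same QR on both
    print(codes_for_devices([QR_FIRST, QR_REGENERATED], now))  # one scanned a new QR
    print(totp(parse_otpauth(QR_FIRST)[1], now + 30))          # next 30 s window
```

The codes only agree while the devices' clocks fall in the same 30-second step. Because the secret in the QR code is all that is needed to generate codes, a screenshot or printout of it deserves the same protection as the paper backup codes.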

Use Authenticator on Other Products

Most users know this already, but for the uninitiated, the Authenticator application works for two-factor authentication on a wide variety of other webapps, such as Evernote, Dropbox and LinkedIn. Its growing acceptance makes installing multiple Authenticator apps and carrying around backup files (through cloud sync) a virtual necessity. I currently have Authenticator on all my Android devices. Lifehacker’s Whitson Gordon compiled an outstanding list of the major companies employing two-factor authentication. We’ve also published an excellent guide to enabling 2FA on various webapps. Also, read our recent update on the services offering 2FA.

Conclusion

Two-factor authentication (referred to ironically as “two-step” verification) offers vastly improved account security at the expense of ease-of-use. To help mitigate potential difficulties caused by enabling two-factor authentication I recommend installing Authy (which is an all-in-one solution), storing your paper backup keys inside of an encrypted folder, installing the Authenticator app on as many devices as possible and enabling two-factor security on all available webapps. It’s currently the securest, although difficult, method of protecting your personal data.

  1. Sammy0506
    February 8, 2016 at 3:21 pm

    Why would ANYONE store ANY private data on the INET in ANY location? By definition, the fact that it's there makes it a single point of failure, and once a hacker gains access, you're screwed.

    I don't trust DROPBOX or any equivalent. I don't trust PSW MGR's either.

    Can someone tell me SOMETHING that will help me overcome this paranoia??

    • Kannon Yamada
      February 8, 2016 at 6:13 pm

      I'm assuming you're talking about Authy. In theory 2FA generators stored in Authy are less secure than not storing 2FA. To my knowledge, Authy isn't open source, either. Although I've read that they have an open source VPN tool.

      Even so, using Authy is more secure than not using 2FA.

  2. Andrew L
    April 19, 2014 at 4:20 am

    I wouldn't say bullet-proof with newer malware being able to infect multiple operating systems. Even if it was 100% bullet-proof you still have to worry about social engineering which can be an extremely dangerous tool. A million factor login with a billion word password can be destroyed by one phone call. But it will keep script kiddies & average hackers out.

    Example I was able to reset my AIM password with less than 15% correct information. I did not need to, but I was curious and bored.

    • Kannon Y
      April 19, 2014 at 6:49 pm

      With Heartbleed, it looks like 2FA isn't nearly as bullet-proof as we've been led to believe. Already it's been reported that 2FA keys were getting stolen and used to compromise accounts. I don't know how anecdotal these early reports are, but it's very scary.

      Your experiences with resetting your AIM password sound fascinating. Would you be receptive to getting interviewed on this subject? The readership would definitely want to know whether or not their AIM accounts are secure.

  3. Gert Thomasen
    April 16, 2014 at 6:43 am

    TrueCrypt (in settings; "preserve timestamp of changed files") has the option to allow the timestamp of modified container files to be updated like any other changed files. With that unchecked, TrueCrypt container files work fine with DropBox, Bittorrent Sync and timestamp sensitive backup routines.

  4. Mike Merritt
    April 10, 2014 at 3:08 pm

    Does a TrueCrypt volume update properly on Dropbox ? ... since the TC volume has a fixed size and creation date - which DropBox might be using to figure out if it's been changed/updated.

    I understand that BoxCrypt is a better choice.

    • Kannon Y
      April 10, 2014 at 9:47 pm

      That's a good question. Unfortunately, I have no idea. The volume that I have stored in my Dropbox folder works fine, but I haven't tried updating it. Perhaps it won't sync across all my devices?

      I'll give BoxCrypt (or some other DropBox optimized encryption system) a try. Thanks for the suggestion!
