Do you want bullet-proof account security? I highly suggest enabling what’s called “two-factor” authentication. It’s sometimes referred to, perhaps inconveniently, as “two-step” verification, but it’s not exactly two steps. Two-factor authentication revolves around using a secondary authenticating element (i.e. a one-time code generated by the Google Authenticator app, available on iOS, Android and Blackberry). In the event you don’t have access to the app, Google gives its users offline backup codes they can write down on paper. Again, not everyone will have access to these while on the go, and so these individuals won’t be able to get into their account – which could prove disastrous.
To remedy these issues, I suggest four courses of action. First, try Authy. Second, if you can’t install Authy (or don’t want to), install the Google Authenticator app on a variety of devices. Third, I suggest (in addition to printing them out) storing your most important documents in an encrypted Dropbox volume. Fourth, try enabling two-factor authentication (colloquially referred to as “2FA”) on as many webapps as possible.
Authy’s design takes the pain out of 2FA. It syncs your Google Authenticator accounts across all devices, using your cellular number as the identifying agent. To get started, download and install the application. The setup wizard will walk you through the rest. Here’s a brief installation and configuration walkthrough:
Simply provide the application with your cellular number (and your email address) to create an account. After registration, request an activation code either through SMS or voice.
Now that you have both an account and the app, prepare to add an account to the phone. Authy does this on a per-webapp basis. Just go to the site you want to enable 2FA on and generate a QR code. Then use Authy’s built-in scanner to zap the QR code, which pairs Authy with the webapp. It’s a little tricky to reach Authy’s account-adding feature: you need to swipe from the left side of the screen to the right while on Authy’s main screen.
The advantage of Authy is that it allows you to install the app on multiple devices. This is a fair amount easier for those seeking to install the authentication app on new devices. On the downside, in the era of the NSA, security may be little more than an illusion.
It’s also important to note that Authy offers the ability to back up “paper” 2FA backup codes. However, I don’t advocate using it for this purpose.
Store Encrypted Backup Codes in Dropbox
While Authy can also store “paper” 2FA backup codes, whether or not you feel comfortable sharing and storing such codes is entirely a personal choice. I advocate storing 2FA backup codes in the cloud using encryption.
Storing your files in the cloud requires two kinds of software: a cloud syncing application (such as Dropbox, which we’ve written about) and encryption software, such as the well-regarded TrueCrypt. To get started, try the following steps:
First, install both Dropbox and TrueCrypt (alternatively you can use TrueCrypt’s portable app, which doesn’t install itself). Here are the download links:
Second, create an encrypted volume in TrueCrypt. Just select File -> Create New Volume and then follow the guided setup wizard for creating a new encrypted container. This container file will hold your files. You can add content to this folder through TrueCrypt’s internal file management system.
Install Google Authenticator on multiple devices
Authy makes this method obsolete, except for users without cellphones. If you lack a cellular number, this may be the only option for getting a 2FA authentication app onto multiple devices.
Enable Two-Step Verification
There’s actually more than two steps involved in two-step verification. First, you need to enable Two-Step Verification in Google’s configuration screen. Click “get started” and log in to begin.
After that, just click the box to enable two-step verification. With 2FA enabled, you now must install and activate the Google Authenticator app on your smartphones or tablets. After installing, you must activate the application from inside the Google Authenticator app. The app will require that you either scan a QR code or enter a code. You will need to choose the QR code option from within Google’s online interface for 2FA.
Now here comes the tricky part. You will need to simultaneously (or somewhat simultaneously) open the Authenticator app on all your mobile devices. Then you must choose to manually add an account, using the “Scan a barcode” option. Scan the on-screen QR code provided by Google’s 2FA site using all your devices at the same time. If it works, all your devices will generate the same 2FA code. If it doesn’t, they will each generate a different 2FA code.
Use Authenticator on Other Products
Most users know this already, but for the uninitiated, the Authenticator application works for two-factor authentication on a wide variety of other webapps, such as Evernote, Dropbox and LinkedIn. Its growing acceptance makes installing multiple Authenticator apps and carrying around backup files (through cloud sync) a virtual necessity. I currently have Authenticator on all my Android devices. Lifehacker’s Whitson Gordon compiled an outstanding list of the major companies employing two-factor authentication. We’ve also published an excellent guide to enabling 2FA on various webapps. Also, read our recent update on the services offering 2FA.
Two-factor authentication (referred to ironically as “two-step” verification) offers vastly improved account security at the expense of ease of use. To help mitigate the potential difficulties caused by enabling two-factor authentication, I recommend installing Authy (which is an all-in-one solution), storing your paper backup keys inside an encrypted folder, installing the Authenticator app on as many devices as possible and enabling two-factor security on all available webapps. It’s currently the most secure, although difficult, method of protecting your personal data.