Two Factor Authentication Setup

Password-based security in this day and age is becoming increasingly problematic for two reasons:

  1. Botnets that continuously attempt to guess your passwords from a cloud of different IP addresses
  2. Keystroke logging malware installed on your own computers and phones by malicious individuals with physical or virtual access to the devices you use

But a fairly easy solution is to use a one-time-use password in addition to your password. This is immune to keystroke logging and/or unauthorised guessing of your existing password. In fact, using these enables one to relax somewhat safe in the knowledge that an easy-to-guess or short, easy-to-type password might be an issue in future.

One Time Password Generators

Invented by Twitter, and ratified by Google, Facebook and even our country's RealMe NZ Government Backed Identity system, OAuth One Time Use passwords normally change every 30 seconds, so even if you knew my login, password, and one of the 6 digit numbers below, you would only have 30 seconds to gain unauthorised access to my account should you wish to. Furthermore, they are time-based hashes of a secret which can't easily be reverse engineered just by knowing the time and the code; you would need to brute force that using a powerful supercomputer.

This is a real screenshot from my OTP Manager app on my Macbook:

OTP Manager

In theory it's perfectly safe for me to show this image without the blurring applied. You would need to know the exact time and date it was produced to make it worth brute forcing.

Getting Started

For starters, you need to put Google Authenticator onto your phone and OTP Manager onto your Macbook. These are two factor auth systems to stay safe online!

Google Authenticator App

Google Authenticator

Available for both iPhone and Android on the various app stores, this app can even be used to log in to Facebook's 2 factor authentication system, which is based on OAuth. It's a must-have install for someone starting out with two factor. It's also a must, each time you see one of those QR codes to scan into your app, to store the image securely on a cloud storage app like Dropbox.

Put the app on all the devices you can get your hands on! It's better to have this loaded and ready before you lose your phone, so if you have a tablet also then it should also go onto that.

OTP Manager for Mac OS X

This free tool (OTP Manager) is the desktop equivalent of Google Authenticator. The trouble with it is that it cannot scan the QR codes; you only get the following form to input the data it requires:

http://tomachi.co/wp-content/uploads/2015/08/enter-otp-secret.png

Enter the OTP Secret Key Here

The issuer and username are likely not used by the hashing system and are more for the users to understand which pass is which. However, the OTP Secret needs to be entered accurately.

Extracting the Secret from a QR Barcode

Web Based Online Tool

To decode the QR Code on this page you could visit an online tool to see something like this result. Look out for a part of the resulting URL like secret=X1S2D3G; this is the code for the secret that you can enter into OTP Manager if needed.

Mac OS X App

If you don't trust online decoders such as this one then you might need to get an app for your computer or phone. I normally use the free Right QR app, which is able to scan your computer's screen for QR Codes currently displayed and load them into the clipboard so you can easily paste them into OTP Manager in the right format.

For me I have to copy the data of the QR Code and then edit it manually somewhat.

Example QR Code

Enabling the System on Various Websites

Warning: before enabling this I strongly suggest reviewing your secondary security contacts and ensuring you have your correct mobile phone number listed and verified in the account in question. This way, if something goes wrong and you lose your phone, you can still reset the account by contacting your phone company and getting a replacement SIM with the same number as you used to have.

For convenience, here are the URLs (subject to change over time I would think) of the major websites' settings pages where you can enable 2 Factor Authentication for your own account:

 

Store the QR Code in your Cloud Storage

For security, the sites above normally only show you the barcode once and then force a re-generation for you to view it again. This can be frustrating and makes it hard to load new devices after you have first enabled 2 Step.

Since you are going to use these same barcodes on many devices, I recommend saving the image of each barcode into Dropbox or a similar cloud storage tool. If you are concerned with the security of those cloud storage tools then you can put it inside a Boxcryptor folder inside Dropbox for peace of mind like I do. This way you can easily get back up and running with a new computer or new phone by visiting your cloud storage site to get the QR Codes again.

Most systems also allow reset via your mobile phone number if you do forget to save your barcodes.

For Your Website (Coming Soon)

If you run a website, say a WordPress site, you might be subjected to a persistent brute force attack made by "Zombie" computers, normally internet users' Windows machines that have a virus and are being remotely controlled by an attacker. See my page Hardening the Security of WordPress [in construction] for more details on mitigating this. And on the subject of keystroke logging, this normally requires root access to your laptop or mobile, not something that is trivial to get but still do-able. See my page Protecting Your Mac From Physical Break-ins [in construction] for more info on mitigations for this attack.

Final Thoughts

Frustrations

The first thing you will notice is how annoying and frustrating it is to sit down at a new machine and just log in to your GMail / Facebook etc.

Bear in mind both Google and Facebook do cookie your machine once you have done a successful login, and they typically persist this cookie for about 30 days, meaning that you won't have to pull out your phone (or OTP Manager app) again for another 30 days or however long the approval lasts for.

Use of incognito / private mode is even more problematic, since that persistent cookie will be wiped when you close the window!

Applications that do not support 2-Step

If you do this to your Google account, and you are a heavy user of Google software, you might suddenly get issues with apps like:

  • Outlook / Thunderbird / Email clients that only have space for login / password
  • Adwords Editor
  • Android OS itself and various Android apps

Luckily Google thought of this and have a backup feature called App Specific Passwords which are kinda neat in that you can label them, see last login times, and also revoke them later.