
Tidy '24: Security Week 2 - Two-Factor Authentication

In the unlikely event that your password is compromised, the second factor will probably not be compromised at the same time, so your account stays safe.

[Image: Graphic with locks on a black background. Text reads, "SECURITY WEEK 2, two-factor authentication."]

Welcome to Tidy Tuesday!

I hope everyone is staying cool enough. I spent this past holiday weekend (in the US) with my brother's family in North Carolina, and it was insanely hot. Friday actually set a record. Thank goodness for air-conditioning and community pools.

We're now in Week 2 of Security Month in Tidy '24. Last week, I discussed the benefits of using a password manager. This week's topic is closely related and equally important.

Security Week 2: Two-Factor Authentication

After my recommendation last week, I hope all of you who still need to start using a password manager have considered making the switch. It takes a bit to get used to it, but it's so much more convenient (and secure!) once you familiarize yourself with the process. This week, we're continuing down the path of general account security with a simple choice that changes a disaster into a mere hiccup: use two-factor authentication.

You'll see this referred to in a variety of ways:

These are not all exactly the same, but they all involve at least one extra step beyond just your password that you must go through to access your accounts. Your password is the first factor, and the extra step is the second factor. Without both, you can't log in. It's like a modern, nerdy version of nuclear launch control panels that require two key switches turned at the same time.

The premise is that even if your password is compromised, it is much less likely that the same attacker also controls your second factor at the same moment, so your account remains safe. Only you have reliable access to both keys.

There are a few common mechanisms that provide this second factor of identification:

  1. Text message (SMS): the service texts a 6-digit or 8-digit code to your phone when you log in. It requires nothing beyond what most people already carry (a text-capable phone). However, a phone number can be hijacked (an attacker talks your carrier into moving it to a new SIM, known as SIM swapping) and messages can be intercepted, so this is the weakest of the three and falls short for the more paranoid among us. It's still far better than a password alone.
  2. Authenticator app: a dedicated app, or a built-in feature in a password manager like 1Password, generates 6-digit or 8-digit codes that change at regular intervals, usually every 30 seconds. The codes aren't random: during 2FA setup the account provider shares a secret "seed" value, usually as a QR code you scan with your phone, and from then on both sides compute the same code from that secret and the current time (the TOTP algorithm), so the code is never sent over the network during login. An attacker who has only your password must guess a 1-in-a-million (or worse) code before it rotates in half a minute, and a well-run service limits how many guesses you get. This is the most common method used today, and I highly recommend it—especially if you use a password manager that includes this feature.
  3. Security key: a physical device, often a small USB key like a YubiKey, which you plug in and/or physically touch to authenticate during login. Because the key signs a challenge tied to the site you're actually on, a fake login page can't capture and replay it the way it can a typed code. Short of stealing the key from your person, an attacker can't use it, and if that does happen you can de-authorize that key everywhere you had registered it, making it useless. The key itself doesn't store anything about your accounts. This is the most secure option of the three listed here, but arguably also the least convenient. Still, it's pretty easy, and possibly worth it for extremely sensitive or powerful accounts like banking, retirement, insurance, or your all-encompassing Google identity. 😬

If this seems unfamiliar or you need help figuring out where to begin, don't worry; just like switching to a password manager, you don't have to do everything all at once. You can gradually enter the world of better security one account at a time as you get comfortable with the process.

I know I keep promoting 1Password here, but it's because I use it daily, and it does exactly what I need. So, pardon one more nudge in that direction. If you don't already have a separate 2FA solution for your accounts, 1Password is an excellent choice as both a password manager and a 2FA tool. It even has a handy feature that highlights accounts which support 2FA but haven't been configured for it yet, giving you an easy way to jump into your account settings at each provider and turn on 2FA. On top of that, the desktop/laptop version of the 1Password app reads QR codes right off the screen, so you don't have to pull your phone out to finish the setup process.

Seriously, give it a try if you're not already using something else.

In the meantime, send over any questions or comments about two-factor authentication, password managers, or security in general during this month.

Stay cool, have a great week, and happy data-taming!

If you're not already subscribed, make sure to join the weekly newsletter email list with the simple form below. You can also bookmark the Tidy '24 Calendar page for a master list of every currently published Tidy '24 topic.