Two-factor authentication or 2FA is a way of making your logins more secure, by not only requiring a username and password when signing in, but also a special extra code that can either be received as an SMS or else generated by an app or device.
Most of you will already have used 2FA, perhaps without knowing it, when you log in to your internet banking. Most banks give out a 2FA device or card which stores some codes you are required to enter when logging in. This ensures that if someone guesses or cracks your password, they still won't be able to log in unless they also manage to steal your physical 2FA device.
I would use 2FA wherever it is possible, but I especially recommend using it on websites that hold sensitive information a hacker could use to damage you or steal your assets.
Here are a few popular sites to use 2FA on:
- Social media (Instagram, Facebook, Twitter etc)
- Crypto exchanges (Binance etc)
- Amazon and other e-commerce sites that you use frequently.
- Dropbox and similar platforms storing your files.
- Email accounts (Gmail etc)
For a bigger list, check out this site.
How to do 2FA
SMS is one of the most popular but least secure ways of doing 2FA, as SIM swap attacks have become common in recent years. It is highly encouraged to use an app or hardware device for 2FA when possible.
I like the Google Authenticator app and have used it for 2FA purposes. Another popular app is Authy, and it’s probably a better app than Google Authenticator in many ways, including the ability to use it on a desktop as well as being able to set it up on multiple devices.
There are also hardware devices that can be used for 2FA. Probably the most popular one is the Yubikey, while other competitors are Google Titan and Nitrokey.
If you are using the 1Password software, an even easier way to do 2FA is to replace Google Authenticator/Authy/Yubikey with 1Password itself. It has the ability to generate one-time passwords for 2FA purposes. If you wish, you can use both apps at the same time and see which one you like best: because they derive the code from the same shared secret, they will generate the same number and are interchangeable.
Now it must be mentioned that using 1Password is less secure than using a hardware device or even an app like Authy or Google Authenticator. The reason is that if someone gets possession of one of your devices and manages to open your 1Password vault with your master password (by guessing it or through social engineering), they will have access not only to your usernames and passwords but also to the 2FA codes. Then again, if you're using a device for 2FA but you're storing the backup words in 1Password, as many undoubtedly do, you are still exposed to the same attack vector.
Here’s a website that serves as a guide to setting up 2FA on the most popular platforms and websites.
Thanks for providing info…
Pro Tip: You can add your 2FA codes to 1Password!
Yep, indeed that should be part of the workflow.
No it shouldn’t, that defeats the purpose of MFA. Anyone who gains access to your 1Password vault now has access to any account within it. You’re back down to one factor.
Emerson, we are referring to the app and not the hosted version of 1P here.
Jean, what's the difference? If you keep passwords and TOTP secrets in the app, anyone with access to your app has access to your accounts, ergo the app becomes the single factor. Compare that with somebody getting access to Google Authenticator or Duo on your phone: the OTP values aren't sufficient without your passwords, so another factor remains necessary.
Or from 1Password themselves, https://blog.agilebits.com/2015/01/26/totp-for-1password-users/, search for “Second factor”
Since both 1Password and Authenticator sit on your phone, I don't see why it's more secure to use Authenticator. One might argue that most people have 1P on their laptops as well, which increases the attack surface, but beyond that they are pretty equal as I see it, unless I'm missing something.