Did you know that there’s a quick, easy, FREE way to add additional security to your accounts on many popular websites such as Google (and all of their services like Youtube, Drive, Gmail, etc), Amazon, PayPal, Facebook, and more? Well there is, and it’s called two-factor authentication, with time-based One-Time Passwords (TOTP). It’s quick, easy, and FREE to setup, and today I’m going to walk you through it.
It’s called “two-factor authentication” because it relies on two factors to verify your identity: Something you have (your phone or other device with an authenticator app on it) and something you know (your userid and password). There’s a weaker version of this that many services offer, where they’ll send a text message with a one-time password to your phone. This works, but is less-secure as that text message could possibly be intercepted (see this article )
Twofactorauth.org maintains a list of popular sites that support two-factor authentication (you’re looking for a green checkmark in the “software token” column).
Here’s how it works. There are several free apps for your mobile phone that generate time-based “one-time” passwords. These passwords change every 30 seconds, and are generated using a random “seed” that is known only by your authenticator app and the site you’re logging in to. When you log in to a site that supports two-factor authentication, you enter your userid and password as you normally would. Then, before you’re allowed into the site, the site prompts you for the one-time password. You simply open the app on your phone, look at the 6 digit code it’s currently generated for the site you’re on, enter that code on the website, and you’re in.
The technical details behind how all of this works are quite complicated (and I don’t even completely understand the black magic behind it all), but the bottom line is that it works.
So you might ask “why is this more secure?” Well, think about it this way. Let’s say a hacker gets ahold of your PayPal userid and password. Without two-factor authentication, that hacker now has full access to your paypal account (and all of the bank accounts, credit cards, etc associated with your paypal account). BUT, throw a one-time password into the mix, and even though the hacker has your userid and password, that evil-doer doesn’t have your phone with your one-time password generator on it. So, Mr. Bad Guy can’t spoof it (Because it’s randomly generated and renews every 30 seconds), so he can’t log in to your PayPal account. Even if a hacker was able to grab one of the one-time passwords while you’re entering it, it’s invalid after 30 seconds and won’t work again.
The best part of all of this is that it’s easy and FREE to set up. Here’s what you do:
Download an authenticator app on your phone. There are several available, but I strongly recommend using one from a known source. Google and Microsoft both offer authenticator apps for Android and iOS, with Microsoft’s also available for Windows 10 Mobile. If you want to generate codes on multiple devices (say on your phone and on your desktop PC), Authy offers a cross-platform solution.
Once you’ve downloaded and installed the app, log in to the service you’d like to set up for two-factor authentication (Facebook, Amazon etc) on your desktop/laptop. Go to your account settings, and to your login settings. From there, choose to enable two-factor authentication using an authenticator app (not SMS text messaging or hardware key). You’ll be presented with a QR code similar to the one below.
Open the authenticator app on your phone, select to add a code/site (in Google Authenticator it’s the ‘+’ sign in the bottom right-hand corner), choose to scan a code, and scan the QR code provided on the screen. Finish up whatever final steps are required on the website you’re configuring (some have you enter the current generated code to verify it’s working), and you’re all set. I recommend staying logged in, then opening a different browser and testing your login there. That way, if something’s not working, you’re still logged in in the first browser to fix the issue or to fall back.
IMPORTANT: Be sure to configure a backup/recovery method of logging in to each site. For example, setup SMS text message one-time passwords as an alternative. That way, if you lose your phone, it dies, or you have to reset it, you can still log in to your sites. In addition, when configuring the one-time password on the site, many will allow you to download “offline” or “emergency” codes. It’s a good idea to download those and keep them somewhere safe. As a third form of backup, most sites have a “can’t scan the code” option when setting up your app. Go ahead and scan the QR code, but before you proceed, hit that “can’t scan the code” option. This will provide you with a long string of text that you can save somewhere and enter into an authentication app manually if you need to later (beware: Anyone that has this code can enter it into an authenticator app and generate the exact same one-time passwords, so keep them safe).
Here are links to a few “how-to” articles for configuring two-factor authentication on specific sites:
Finally, if you’re running a WordPress site (for a personal blog, etc), there’s are plugins available to enable two-factor authentication for your WordPress site as well. There are quite a few, but here are a couple I’ve tested:
Two-Factor Authentication – A dedicated two-factor authentication plugin that supports both time-based (what we’ve discussed here) and hardware-based one-time passwords.
WordFence – A full-featured firewall and security suite for WordPress. Features include login failure lockouts, automatic IP address banning, malware scanning, and more. Two-factor authentication support is included.