One of the things I feel like I contribute to the world as a blogger is to test out tools and techniques that are still pretty new, but that I feel like everyone will be using in time. I suggest that two-factor authentication is one of those things.
Quickly, the idea here is that in order to have a secure online life, there need to be two separate keys: a thing you know – a password or passphrase – and a thing you have – a hardware token or, more recently, your phone.
I decided to go all in and turn on two-factor auth everywhere that offered it.
- My bank and Paypal. These two send SMS messages to my phone with a code. Works pretty seamlessly except the other day I really needed access to Paypal and the message took over 30 minutes to arrive.
- Gmail. I have a personal account and a business account. Jeff Atwood has instructions on how to set this up here: http://www.codinghorror.com/blog/2012/04/make-your-email-hacker-proof.html. Google uses SMS codes for this too, but the catch is that it also means that every touch point to your account that doesn’t support two-factor directly needs to have a custom password generated via the google.com/accounts pages. Once you wrap your head around the idea, it is pretty easy, but if you have multiple computers it will take a little while to get them all hooked up.
- Lastpass. I’ve been a proponent of Lastpass for a long time, and they even offer multiple methods of achieving two-factor auth. I opted for Google Authenticator, which is an iPhone app that spits out a 6-digit code every minute or so. This is similar to the RSA keys that you might have seen in the enterprise world. Of all the tools I use, I’ve found this to be the easiest to use.
- Duo Security. I’m trying this out on my Windows laptop. It installs at a pretty low level and requires a code at login. They too offer multiple methods, including a system that calls your phone and you have to hit #. I use the iPhone app method called Duo Mobile. So far, this one has caused me the most headaches. My wife has an account on this same computer and she was unable to log in at all, even with the app installed and configured. It also seems to require an internet connection, so in theory bypassing the check would be as simple as flicking off the hardware wifi switch. But all that aside, this is the future, and these guys seem like they are in the lead to make this happen. These troubles are just the price I pay for being an early adopter.
My advice would be to set up Lastpass (right now!), choose a good passphrase and enable two-factor auth using Google Authenticator. Once you’ve done that, you can change your passwords across the web using the Lastpass auto-generator tool, and that is going to get you 95% of the security anyone would need.