Select Page

Two-factor authentication and password managers

Over the past few weeks, I’ve been seeing many posts on Facebook about people thinking that their accounts have been hacked, when in truth it’s a hoax that’s been going around (more here). This got me thinking and I wanted to write a post explaining some things that you can do to protect yourself online. More to come in the next few weeks on additional security best practices. If you have any specific questions that you’d like answered or topics that you’d like covered, let me know! Today I’m going to explain two core security tools that you can easily implement: two-factor authentication and password managers. To non-technical people, these can seem like daunting tools at first, but they’re quite easy to use and extremely beneficial.

What is two-factor authentication and why is it important?

Two-factor authentication (also called 2-factor, or 2-step authentication) is an additional layer of security that you can enable for many of your online accounts. It combines something you know (a password) with something you have (a hardware key or phone that receives codes that you enter). One of the reasons that two-factor authentication helps to protect you online is that even if your password is compromised, the attacker would need access to “something you have” to be able to get the second component that they need to log in as you.

Two-Factor comes in a variety of flavors, but the most basic flow works like this:

  1. Log in with your username and password
  2. A text message is sent to your phone
  3. Enter the code in the text message on the login screen
  4. You’re logged in

Other methods include:

  • A two-factor app on your phone that manages codes for all of your services (like Google Authenticator, Authy, or Duo)
  • A two-factor app that sends requests to your phone with a simple approve/deny option for logins after you enter your username and password
  • A hardware key that you plug into a USB port (I use the Yubikey, $20 on Amazon and works with Google, Facebook, Twitter, Dropbox, and more.)

TwoFactorAuth.org has done an excellent job of compiling a list of online services that offer two-factor authentication, with links to the instructions for each service. I highly encourage you to enable this valuable tool for your online services to protect yourself. It doesn’t take long, and it can save you some heartache and stress.

One point to remember: when enabling two-factor authentication, you are often provided with “backup codes” in case you can’t get to your phone, or your phone isn’t working – if you’re prompted to save these, actually save them somewhere safe. Print them and lock them away, or keep them in a safe place on your computer.

Password managers: friend or foe?

One big cause of online accounts being taken over is password re-use. If John uses his favorite password on all of his online accounts and one of them gets hacked, that password can now be used to log in to any of his other accounts with little to no effort.

It’s hard to remember a unique password for every web service that you use! This is where password managers come in. Password managers can generate unique, secure passwords for you and store them so that you don’t need to remember them. Your password manager integrates with your browser and your phone to auto-fill these unique, secure passwords, meaning that you often only need to remember the password to unlock your password manager. Another benefit of using a password manager in your browser is that autofill can help prevent you from falling victim to phishing campaigns by filling in your password at facebook.com, but not at fac3book.com. Most passwords managers are relatively inexpensive, ranging from free to a few dollars a month.

Now, you’re probably asking me “Ethan, how safe are these password managers? Lastpass made the news with a security incident a few years ago, why should I trust a password manager?”

To this point, I refer you to Security Researcher Troy Hunt, who has an excellent discussion piece on password managers. Troy runs the famous Have I Been Pwned website, which is used to compile data found in web breaches so that consumers can be notified if information relating to their email address has been found in a data breach. I encourage you to sign up for HIBP (it’s free, funded by donations and sponsors).

One of my favorite things about HIBP is that it actually can be integrated into password managers to warn you of breaches right there where you keep your passwords.  

Thanks for reading!

Two-factor authentication is an easy way to add a layer of security to your online accounts, and by using a password manager in addition to two-factor authentication, you greatly reduce the risk of account takeover.