Bitcoin Security Made Easy: using 2-factor authentication
This is the second article in the series Bitcoin Security Made Easy: Simple Tips for Non-Experts. If you aren’t using a password manager yet, please start with the first article in the series.
By now you’ve probably heard of 2FA, or two-factor authentication, and know you should probably be using it. When I first heard of 2FA, I didn’t really understand how it worked or why I would intentionally want to add more time and steps to logging in. It sounded like a time-consuming chore. I was worried that if I didn’t have cell service, I’d be locked out of my accounts (not true). Or that I’d lose access to everything if I lost my phone (also not true). Today I use 2-factor on all of my important accounts and you can too!
Security Tip #2: Start using 2-factor today
Think of two-factor authentication as an extra lock for your most valuable accounts. The idea is to make it harder for a bad actor to gain access to your accounts, while still allowing you to have relatively easy access. In this article, you’ll learn how you can use Authy, Trezor, and Ledger as second factors. At the end of the article is a checklist to help you to implement 2-factor, but first let’s look at how it works and why you want it.
What risks does 2FA protect against? Your password manager is already creating strong, unique passwords for each site you visit. Now, if someone gets your password for one site, they can only use it on that one site. But they’ll be able to use it on that one site immediately. Which might be ok for some accounts. But what if that one account is something really important — like your password manager, email, or bitcoin wallet? That’s where a second factor comes in. By setting up your account to require a second login credential, your password alone is no longer enough to gain access your account.
How does it work? In its most basic form, two-factor is simply setting up your most valuable accounts to check two pieces of identity, instead of one, before you can access your account. In security terms this is called “authentication,” which is simply demonstrating you are who you say you are. That’s why it’s called 2FA, or two-factor authentication.
How do I “authenticate”? What is a factor?
There are three ways to authenticate yourself: (1) with something you know, like a password or PIN (personal identification number); (2) with something you have or own, like a USB key or debit card;(3) with something you are, like a fingerprint, retinal scan, or signature. Each one of these categories is called a factor, and sometimes they’re referred to as knowledge, possession, and inherence respectively.
Single-Factor, Two-Factor, Multi-factor. When you use only a password or a fingerprint to access your accounts, you’re using single-factor authentication — which means you’re using one thing to prove you are who you say you are. When you use a password plus something you have or are, you’re using two factors. Some companies, like Google, call this two-step verification or 2SV. While some security experts quibble over the terms verification and authentication, for our purposes the differences are irrelevant. The real question is, are we actually using two factors or just one disguised as two. As you might imagine, this is where things get a little tricky.
Not all factors are equal
Something you know. This is the easiest factor to understand: PINs and passwords are knowledge-based factors and you’re already using them everyday. In bitcoin, we use cryptographic key pairs, which are also a knowledge-based proof. Your password manager is now creating strong, unique passwords for each site, so you’ve got the knowledge factor under control. Now you need to add you need one of the other factors.
The other two factors — ownership and inherency — are a bit trickier. We’ll look at those factors next. You might be surprised to learn that you don’t own your phone number, you might own your phone, and biometrics aren’t as safe as you think. Let’s explore each of these in a bit more detail.
Your phone number is not something you own. Most people believe their phone number is “theirs.” But it’s not. Phone numbers belong to service providers. They are fully controlled by the network providers. Sure, you can choose a new network provider, but control of the account always remains with a phone company within their service-provider network. Therefore, your phone number cannot be a “something you own” factor.
Don’t believe me? Take a look at this article and corresponding video, where an expert in social engineering gets full access to a stranger’s cell-phone account within 30 minutes. The trick? She calls customer service, impersonates the customer’s wife (while playing a soundtrack of a crying baby in the background), and successfully gets them to give her the email address used on the account and eventually to provide her with full access to the account.
SMS uses your phone number, so it’s not a good second factor. Because an SMS authentication code is pushed to your phone number through your cell-phone network, it’s using a factor that is not something you own. Thus, a phone number isn’t good for 2FA. Your phone — meaning the device itself — might be something you own. I say “might” because if you’ve got a corporate phone, they own the device, you don’t. If you do own your phone, you can use it as a second factor easily. I’ll explain how later in the article.
Biometric factors aren’t as secure as you might think. In 2013, I had an iPhone with a fingerprint scanner. When I learned about 2FA I immediately thought, I’ll just use my fingerprint (or something I am) to access everything. This is going to be so easy! But biometric factors aren’t as secure as they seem. In 2014, the BBC reported a politician’s fingerprint was cloned using images from a press conference. More recently, we’ve been told to stop flashing the peace sign in photos because thieves can get our fingerprints from them. If you really want to nerd out about fingerprints and security, read Using Fingerprint Authentication to Reduce Security. That’s not a typo, the title says “reduce.” While it’s true we don’t go around posting photos of our fingerprints, if you’ve got any sort of online presence chances are your fingerprints are already available online. This makes them far less desirable, even as a second factor.
Biometric factors are unchangeable. Importantly, unlike passwords, biometric factors are unchangeable. Once a thief has your biometric data, it can be used anywhere. You cannot change your fingerprint or facial structure without significant pain and cost. And when it’s compromised, it’s compromised forever. If we lived in a world where credentials were never stolen or lost, maybe biometrics would be a good choice. But right now we don’t. So they’re not. But don’t worry, there are good, easy-to-use second factors available.
What factors should I be using as 2FA?
Use your phone or a bitcoin hardware wallet as your second factor. Today, most people start with 2-factor by using a time-based one-time password generator (TOTP) app downloaded to their phone. Authy is a top choice here because you can use their backup service, encrypted with a password you set, so that you can recover your codes if something happens to your device. The Authy app is available for free for iOS and Android devices through authy.com or at your app store. An even better choice for high-value accounts (like your password manager or bitcoin account) is to use a U2F (universal second factor) device like Trezor ($99) and Ledger (nano s or blue, $60-$299). While the Trezor and Ledger options work differently than Authy, for our purposes they serve the same role, as a second-factor device for some of your accounts.
As a side note, some people, myself included, use Yubikey as a second factor for some accounts. However, because they’re almost impossible for the average user to backup and because this guide is aimed at bitcoin security, a bitcoin hardware wallet is a better choice.
What happens if I lose my phone? During setup, Authy will ask you to set up a backup password (if it doesn’t, go to settings and enable backups). This password will let you restore your 2FA keys from an encrypted backup if your phone is lost, stolen or damaged. You can use your password manager to generate and store your backup password, but you’ll also need to write down your backup password — on paper — and store it somewhere safe. Why? If you’re using Authy as a second factor for your password manager you could end up getting locked out. If you need to access your password manager to get your backup password, but you can’t access your password manager without the backup password, you’re in trouble.
Be sure your backup password is written down and stored securely. Stored securely means somewhere you’ll be able to find it when you need it, but no one else will, and where it won’t get damaged by fire or water. If you do not backup your Authy account and your phone is lost, damaged, or stolen, you’ll have a very difficult time accessing your 2FA-enabled accounts. Don’t skip the backup step!
What happens if I lose my Trezor or Ledger? During setup, these devices will display 24 English words that you’ll write down as your backup. The words can be used to rebuild all of your data onto a new device, including your bitcoin wallet and U2F credentials. With the words, you’ll be able to access your bitcoin, ether, and any other cryptocurrencies stored there and your codes for 2FA. One backup for everything! Without the words, if something happens to your device, you’ll lose everything. You can find out more about using and restoring Trezor for U2F in their User Manual. We’ll get into the specifics of bitcoin hardware wallets and backups later in this series.
How Do I Start Using 2-factor?
Downloading, Installing, and Using Authy. Download Authy from your smartphone’s app store (Google Play or Apple Store). Don’t forget to backup your password. During setup you’ll select a PIN (personal identification number) to access the app. Remember not to choose 8675309 (a popular song from the 1980’s) or 1234 as your PIN, read this article by Will Oremus to learn more about setting strong passwords (and to learn why 8068 is also a bad choice). After you’ve got the app installed, backed up, and you’ve set your PIN, you’re ready to link it to one of your accounts.
There are many great how-to guides, like Authy Authentication Made Easy, and step-by-step tutorials from Authy to help you through the process. Here, we’ll just walk through one site, Facebook, so you’ll understand the basics.
First, log into Facebook on your laptop or tablet, select Settings from the drop down menu, and Security just below the General option. Choose Login Approvals, then Code Generator (which is what Authy will do). Select the link for “third party app” and you’ll see a window pop up with a QR code. Now open the Authy app, enter your PIN, and select “Add account” from the menu options. Then scan the QR code to pair Authy and Facebook. Save settings in Facebook and close. You can find screen shots and more details about pairing Facebook and Authy here.
How Will I Log In After I’ve Enabled 2-factor? When you visit a site with 2FA enabled, most often you’ll enter your username and password first. Then the site will prompt you to “authenticate” with another factor. If you’re using Authy or Authenticator, it will ask for a six- or seven-digit code, which you’ll get from the app on your phone. You’ll have about 30 seconds to enter the code before it refreshes. If you’re using a Trezor or Ledger, you’ll simply plug in the device, tap a button, and you’re done!
Ordering and Using Trezor or Ledger. Even though these devices are available on Amazon and through other retailers, I like to order them through the company directly (see Trezor or Ledger) or from a company partner. Shipping takes about a week to the US or Europe; elsewhere could take longer. Setting up the device will take about 15 minutes, but remember, it will work as both a cryptocurrency wallet and a 2FA device. These devices use U2F, a newer, more secure spec for 2FA. Because it’s a new spec, not all online services are compatible, yet. Today you can use these to access Google (including Gmail and G-suite), Dropbox, Github, Dashlane, Firefox, Wordpress and many others.
Take a look at Trezor’s Implementation Guide or Ledger’s website for more information. Both of these devices can be used with cryptocurrencies other than bitcoin, like ether. I’ll be discussing how to do this in an upcoming article. Even if you’re not ready to use a hardware wallet for U2F, if you’ve been thinking at all about buying one for storage or multisig, do it now so that you’ll be ready to start using it when the time comes.
Which Accounts Should I Link? If you’re not sure where to start, begin by adding 2-factor to your most important accounts — think communication, backup, work, and money. Be sure to enable 2-factor on your main and any minor email accounts. Then add other major sites you use for communication. Next and equally important, think about backups for your laptop, desktop, and phone. If you use Dropbox or iCloud, add 2-factor immediately. Turn It On is an extremely helpful resource. Besides having an awesome name, this comprehensive guide has a list of accounts that support 2-factor with links on how to implement it on each site.
If multi-factor is so much better, why not use it everywhere? Good account security, meaning reasonably effective security that you will actually use, is always a balance between user (and thus hacker) inconvenience, the value of what’s being secured, and the relative security of the system. Sure, assuming all of your accounts support 2FA, in theory you could add multi-factor login for every account, but for most people that means you’ll be spending a LOT of your time logging in. The danger is that it will become too cumbersome and you’ll disable it. Start small, with only your most important accounts; you can always add more!
How long will it take me to start using 2FA? Once you have the app installed or have your device in hand, it should take about five minutes to set up each account. Of course, the more accounts you link, the more efficient you’ll get at linking them.
How long will it take me to start loving 2FA? Honestly, it took me a while. At first, it seemed like another step for nothing. I hated having to get up and get my phone, yubikey, or hardware wallet when I left it in the other room. But then, thanks to the advice from a good friend, I started thinking of it differently. Now, every time I have to get up and go get a second factor I smile. I smile because I know that for me, the walk is a minor inconvenience, but for an attacker it’s a major obstacle. I smile because I’m more secure.
Checklist for Action
It’s not enough to read and understand this article. Take action right now to make 2-factor part of your security practices. Use the checklists below to help:
Checklist for Getting Started with Authy:
- Download Authy application to your device (you’ll need a phone number)
- Open the app and follow the set-up instructions
- Set access PIN
- Enable backups and set a strong backup password (use your password manager to generate it). Note — only leave backups disabled if you’re an expert user and fully understand the risks of not having backups of your TOTP tokens
- Store your backup password in your password manager (but also on paper somewhere safe in case you need it)
- Your smartphone can now act as a 2FA TOTP/HOTP token!
Checklist for Getting Started with Trezor or Ledger:
- Purchase Trezor or Ledger hardware wallet (no phone number required)
- Plug the wallet into your device and follow the manufacturer’s set-up instructions
- Set your access PIN
- Create your paper backup
- Store your backup securely (fireproof, waterproof, access controlled)
- Your hardware wallet can now act as a U2F token, as well as store currencies!
Putting 2FA into action:
- Add 2-factor to your primary email account: log in and out 3+ times to ensure access
- Add 2-factor to your password manager: log in and out 3+ times to ensure access
- Add 2-factor to any bitcoin software wallets you already use: log in and out 3+ times to ensure access
- Add 2-factor to your Dropbox and iCloud accounts: log in and out 3+ times to ensure access
- Make a list of the other accounts where you want to add 2-factor (backups, social, work)
- Set a calendar reminder for two weeks from today and add 2-factor to those accounts
- Smile Because You’re More Secure
Now that you’re using a password manager and 2FA, we can get into bitcoin security specifics. In the next article, we’ll start looking at the basics of bitcoin wallets.
I’m always looking for feedback, so please leave your comments below or reach out to me on twitter @pamelawjd. Thanks for reading!
Edit: my book Cryptoasset Inheritance Planning: a simple guide for owners is now available at Amazon.com (and at amazon sites throughout the world).