Securing Your Accounts With Two-Factor Authentication (2FA)

Why a password is not enough, why you shouldn’t use Google Authenticator, and what to use instead

  • WTF is 2FA and how does it come to the rescue;
  • Which 2FA method to use (and which one better not);
  • TOP 3 best practices for your security.

What’s Wrong With Passwords?

Nothing. They are still good as a first authentication factor if used correctly (a unique, complex password for each account). But on their own, passwords are not enough for reliable access protection.

  • Even if your password hygiene is perfect, you can’t be sure you’re safe. Cracking a strong password no longer takes a million years: given a leaked password hash, attackers with enough time and hardware can recover passwords of almost any length and complexity.
  • The main concern is not even password cracking or brute-forcing, but password harvesting. An attacker can infect your computer with keystroke-logging malware, steal your credentials with a phishing website, or use many other methods against which a password alone cannot prevent account takeover.

What You Need is Two-Factor Authentication (2FA)

The idea of 2FA is to add security through a second authentication step. There are three main ways to verify yourself: something you know (a password or PIN), something you have (a smartphone or another device), or something you are (your fingerprint, voice, or retina). 2FA means that, on top of a password, a website requires a second method from the list above to sign in.

2FA Methods. Which One to Choose?

SMS 2FA — The Most Troublesome and Insecure

How it works. To sign in to your account, you need a one-time code in addition to your password. The service sends it as a text message (SMS) to the registered mobile phone number. There are at least two unpleasant scenarios.

  • SIM Splitting, aka SIM Swap Fraud.
    Very often the mobile carrier can’t prevent attackers from duplicating SIM cards. A fraudster requests a replacement SIM card from the carrier, claiming the old one was lost, and uses a fake ID to pick it up at a carrier office. As a result, they get a foothold in your secret data and steal money from your accounts, as happened to a woman from Middlesbrough.
  • SS7 Vulnerabilities.
    SS7 is the protocol that allows telecom networks to communicate with one another. In this case study by Positive Technologies, security researchers managed to intercept the one-time SMS and hack a test wallet on the Coinbase exchange. To perform the attack, they needed only the victim’s first name, last name, and phone number.
  • Fake Cell Phone Towers.
    Your smartphone may be connected to one right now, and you would never know. By default the phone connects to the base station with the strongest signal, so it can silently attach to a fake cell tower and the attacker can intercept your SMS messages and calls.
  • Android SMS Interception Malware.
    The last attack vector works against Android smartphone owners. One example is malware that pretended to be AliPay, the well-known Chinese online payment app. Another is the so-called SpyDealer, Android malware that stole data from over 40 popular services such as Facebook, WhatsApp, and Skype.
    UPDATE 22.05.2019: Here is another example of theft from users of top crypto apps such as Coinbase, BitPay, and Bitcoin Wallet.

U2F (Universal 2nd Factor) — Relatively Safe, But Not Flexible Enough

How it works. This authentication method requires an additional USB device. It can be a FIDO U2F security key or a Trezor/Ledger hardware cryptocurrency wallet.

  • USB authenticators do not work on mobile phones, tablets, and other devices without a USB port.
  • Most web services don’t support U2F authentication. It is available only on giants such as Google, Facebook, Dropbox, and so on. All the websites that support this protocol are listed here. On the cryptocurrencies tab, you can see that only the Bitfinex exchange supports Universal 2nd Factor.

TOTP (Google Authenticator) — The Most Popular, Simple and Efficient Method

How it works. First, you install an app that generates the codes (Google Authenticator or one of its analogues) and scan the QR code shown on the website where you are activating 2FA; this transfers the TOTP secret key to your smartphone. Every 30 or 60 seconds the app generates a new one-time 6-digit code derived from your secret key and the current time. To sign in to your account, you enter this code in addition to your usual password.

Top 3 Best Practices for 2FA TOTP Usage:

Backup the Recovery Key Correctly.

When activating 2FA, many web services ask you to back up your secret/recovery key. Don’t skip this step, or you will lose access to your account if your device is broken, lost, or replaced with a new one.

Invalid TOTP Code? Check Your Clock!

A common problem: the user installs the TOTP application, scans the QR code, the application generates codes, but the website rejects them as invalid. Because each code is derived from the current time, a phone clock that is off by more than the service tolerates makes every code fail; setting the phone to automatic network time fixes it.

Don’t Use Google Authenticator.

Sounds exotic! After all, Google Authenticator is the most popular app in its category. And it’s from Google! The 2FA TOTP method is very often associated exclusively with Google Authenticator, but it is an open protocol supported by many other apps.

Google Authenticator’s drawbacks:

  • No encrypted recovery backups;
  • No passcode or fingerprint protection.

Authy, by contrast:

  • It allows you to lock the application with a passcode or a fingerprint, so a person who gets hold of your phone won’t get access to your 2FA codes.
  • Most importantly, Authy backs up an encrypted copy of all your secret/recovery keys in the cloud, so they are available from different devices and are easy to transfer from one gadget to another.
    The Google Authenticator app does not offer this, and that is its main drawback. There is no way to move a GA app holding codes for dozens of websites from one phone to another. If the mobile device with the application is broken or lost and the recovery key was not backed up, you will lose access to your accounts.
