Securing Your Accounts With Two-Factor Authentication (2FA)
Why a password is not enough, why you shouldn’t use Google Authenticator, and what to use instead
If you believe that security paranoia is a trifle, just read the story of the guy, who lost all his crypto in 15 minutes because of disparaging data security. Don’t make the same mistake, OK?
Let’s figure it out how to secure your crypto and other accounts once for all!
Scroll down for the article from Max Sapelov, Co-founder & CTO at CoinLoan, security and cryptography expert. He’ll tell you:
- What’s wrong with passwords;
- WTF is 2FA & how does it go to the rescue;
- Which 2FA method to use (and which one better not);
- TOP 3 best practices for your security.
What’s Wrong With Passwords?
Nothing. They are still good as a first authentication factor, if used correctly (unique complex password for each account). But alone, passwords are not enough for reliable access protection.
- An average user has dozens of accounts in various services. Each one requires a password. The way to make life a bit easier, we simplify passwords, reuse them across multiple services, and use an old password for ages. Mistake!
- Even if your password hygiene is perfect, you can’t be sure you’re safe. Cracking a strong password doesn’t require a million years anymore. For hackers with enough time and resources, it is possible to crack a password (hash) of almost any length and complexity.
- The main safety concern is not even password cracking/brute-forcing, but password harvesting. An attacker can infect your computer with keystroke loggers malware, steal your credentials using a phishing website, and many other methods, where a password can’t prevent account takeover.
What You Need is Two-Factor Authentication (2FA)
The idea of 2FA is to provide you with extra security due to the second step of authentication. There are three main ways to verify yourself: to confirm something you know (password, PIN), something you have (smartphone or another device), оr something you are (your fingerprint, voice, or retinal print). 2FA means that, on top of a password, a website requires a second method from the above for signing in.
It works as a security door. When a thief breaks the first lock, he gets to another one. Without 2FA everyone, who knows the password can pretend to be you and access your accounts. With 2FA it’ll require some extra work for a hacker to get access to your device or biometrics.
Sounds like a plan, but not all 2FA methods are equally safe and user-friendly.
2FA Methods. Which One to Choose?
SMS 2FA — The Most Troublesome and Insecure
How it works. For signing in the account, you will need a one-time code, not only a password. The service will send it as a text message (SMS) to the registered mobile phone number. There are at least two unpleasant scenarios.
1. Technical problems. SMS may be delayed due to some carrier issues. Here’s an example. Sometimes messages just stop coming for an unknown reason. So the account becomes no longer available. If you are abroad, in roaming or using another SIM, you will also get some troubles with account access.
2. Security problems. Here are only some of them:
- Phone Number Port-Out Fraud.
Sometimes only a quick call to the mobile carrier and some personal information is enough for tying the phone number to a SIM card and device. Since then, a secret SMS for authentication is sent to the attacker, not to the original phone owner. As an example — the story of the guy, who has lost all his savings and a loan was borrowed on his name through unauthorized porting.
- SIM Splitting aka SIM Swap Fraud.
Very often the mobile carrier can’t prevent duplicating SIM cards by attackers. A fraudster can request a new SIM card from the mobile carrier, claiming that the old SIM card was lost, using a fake ID to pick-up the card from carrier office. As a result, they get a leg in your secret data and steal money from your accounts. The way it happened with a woman from Middlesbrough.
- SS7 Vulnerabilities.
SS7 is a protocol, which allows telecom networks to communicate with one another. In this case by Positive Technologies, security researchers managed to intercept the one-time SMS and hack a test wallet on Coinbase exchange. To perform this attack, required to know the victim’s name, last name, and phone number.
- Fake Cell Phone Towers.
Your smartphone can be connected into one of them right now, and you’ll never know. The phone connects to the base tower with a broader signal by default, so you can unnoticeably connect to the fake cell tower and the attacker will intercept your SMS and calls.
- Android SMS Interception Malware.
Last but not least attack vector works against Android smartphone owners. As an example — malware that pretended to be AliPay, famous Chinese online payment app. Or so-called SpyDealer, Android malware that stole data from over 40 popular services such as Facebook, WhatsApp, and Skype.
UPDATE 22.05.2019: Here is another example of steal from users of top crypto apps such as Coinbase, BitPay, and Bitcoin Wallet.
SMS messages haven’t been invented as a secure communication channel, and they shouldn’t be used as a protection factor. That’s why the National Institute of Standards and Technology (NIST) recommended avoiding the use of SMS 2FA.
UPDATE 22.05.2019: Here is an example of сrypto сustodian BitGo that shows what can happen if you still on SMS 2FA.
U2F (Universal 2nd Factor) — Relatively Safe, But Not Flexible Enough
How it works. This authentication method requires an additional USB device. It can be a FIDO U2F Security Key or Trezor/Ledger hardware cryptocurrency wallet.
The private key for two-factor authentication is securely stored in this device. To sign-in to the account, you need to connect it to the computer and press a button on the device. Therefore, even if the computer is infected with malware, it will not be able to intercept access to the account.
Despite its reliability, this method has some disadvantages:
- You need to buy an additional device and carry it around all the time.
- USB-authenticators do not work on mobile phones, tablets and other devices without a USB port.
- Most web services don’t support U2F authentication. It is available only on such giants as Google, Facebook, Dropbox and so on. All the websites that support this protocol are listed here. On the cryptocurrencies tab, you can see that only Bitfinex exchange supports Universal 2nd Factor.
TOTP (Google Authenticator) — The Most Popular, Simple and Efficient Method
How it works. Firstly, you need to install an app that generates the codes (Google Authenticator or it's analog), scan the QR code shown on the website where you are activating 2FA, this will transfer the TOTP secret key to your smartphone. Every 30 or 60 seconds the app will generate a new one-time 6-digit code based on your secret key and the current time. To sign in to your account, you will need to enter this code besides the common password.
The good news is that it’s enough to have any device suitable for installing the application. Internet access is not required — everything works offline. The code is generated directly on the device, so it can’t be intercepted as in the case of SMS.
Currently, TOTP 2FA is the best choice to protect your accounts.
Top 3 Best Practices for 2FA TOTP Usage:
Backup the Recovery Key Correctly.
When activating 2FA, many web services ask to backup your secret/recovery key. Don’t skip this step, or you will lose access to your account if your device is broken, lost or replaced by a new one.
Don’t store the secret key on your computer, it will make 2FA less secure. If the computer is infected with malware, the attacker will get not only your password but also the second authentication factor (recovery key). That’s why the best way is to keep your secret key stored offline (e.g., write it down on the paper).
Invalid TOTP Code? Check Your Clock!
The common problem is that the user installs the TOTP application, scans the QR code, the application generates codes, but the website considers them as invalid.
The reason is straightforward. TOTP code generation is based on the current time, all of them will be invalid if the system clock on your phone gains or loses for more than a minute. This problem usually happens when the time on your device is set up manually. To check if the time on your device is correctly synced, please visit the following page: https://coinloan.io/checktime. The best way to fix the problem with synchronization is to switch the time settings on your phone from “Manual” to “Automatic”.
Don’t Use Google Authenticator.
Sounds exotic! After all, Google Authenticator is the most popular app in its category. And it’s from Google! Very often the 2FA TOTP method is associated exclusively with Google Authenticator. But it is an open protocol supported by many other apps.
Google Authenticator is one of the most useless and insecure 2FA apps. Why?
- No multi-device support;
- No encrypted recovery backups;
- No passcode or fingerprint protection.
We suggest choosing another app, free as well. Here is a list of alternatives:
- Authy (iOS, Android) — Recommended
- LastPass Authenticator (iOS, Android)
- Authenticator Plus (iOS, Android)
Here you can see a detailed analysis of these applications.
The CoinLoan team advises to pay attention to the Authy app. Here is the full list of benefits. We will name a few that became crucial to us.
- Authy enables synchronization of 2FA with all your devices.
- It allows you to lock the application with a passcode or a fingerprint. The person who gets your phone won’t get access to your 2FA codes.
- The most important is that Authy backups an encrypted copy of all your secret/recovery keys in the cloud. So they are available from different devices, and it’s easy to transfer them from one gadget to another.
Google Authenticator app does not provide such an opportunity, and this is its main drawback. There is no way to transfer a GA app with codes to dozens of websites from one phone to another. If the mobile device with the application is broken or lost, and the recovery key was not backed-up, you will lose access to your accounts.