INTERNET SAFETY UPDATE: Armor up: 2FA/MFA — why you need it | Community

Back in the mid-1980s, when I began my journey with computer electronics, people didn’t have multiple online accounts like they have today. If you had any sort of computer-related “account” at all, you were probably associated with a government agency, a research facility, or some type of academia, using ARPANET, CSNET OR NSFNET, the predecessors to the modern Internet.

Alternately, if you were like me, and limited to more modest computer aspirations, you used a “home” computer (mine was a Commodore 64) and you connected to “Bulletin Board Systems,” which were akin to modern websites, using a dial-up modem over telephone networks. You could also subscribe to consumer-oriented network services like FidoNet or Compuserve, who charged by the minute.

To access all these wonderful technologies, you used, much like today, an “account,” which consisted of a user name (either assigned or invented by you) and a password. Those two things unlocked all the online doors there were. Password requirements were simple; security was not a huge consideration, and online crime was relatively rare.

Fast forward to today, and things have changed dramatically. Even though online crime has exploded to colossal pandemic proportions, we are still using usernames and passwords. Even though password requirements have become more stringent, and security has come front and center, we need more in the fight to stay safe on the Internet; usernames and passwords are no longer enough. Enter 2FA and MFA.

Two-factor authentication (2FA) and multi-factor authentication (MFA) are terms essentially describing the same thing: a way of presenting additional evidence (called “factors”) in order to prove you are who you say you are when you try to sign in to an online service. The whole process is called “authentication,” i.e., you are bona fide, or “authentic,” the real “you.”

The old username/password model only uses one “factor,” that being the password. One reason for having another “factor” is that so many password databases have been hacked and exposed to anyone who wants to look. Some people are also guilty of using weak, easily-guessed passwords which they never change. Yet another reason for needing another “factor” is too many people using the same password for all of their accounts. Having more factors makes it more difficult for the wrong person to access an account.

Factors include something you have (like a bank card), something you know (like a password or PIN), something you are (biometrics, like a fingerprint or other physical characteristic unique to you), and somewhere you are (such as connected to a specific network, or location information like GPS).

The most common use of multifactor authentication is being sent a code in a text message on your phone when you try to login to an online account. For example, you sign in to Amazon by providing your password (the first factor). Amazon texts you a code that you must enter (the second factor), and then you are allowed to use your Amazon account.

Unfortunately, even though still widely used, text messaging as a way to get MFA/2FA codes is no longer advised. The Internet bad guys have figured out too many various ways to hack the text method. Microsoft actually issued an alert last November saying that, because of security concerns, people need to move away from text message-based 2FA and start using authenticator apps like Authy, Microsoft Authenticator, or “secure tokens” like YubiKey. 

Out of all the “authenticators” out there, my favorite is Authy.

Invented by business communications company Twilio, Authy combines ease of use with enhanced security. The Authy website (www.authy.com) has very helpful guides on how to use it with pretty much any online service you can think of. I’ll use Amazon as an example.

First, you install Authy. I do my logging in to sites like Amazon on regular computers, PCs and iMacs, never on a phone. I will, however, use the phone as the authentication generator device, and Authy on the phone show me the code I need to log into Amazon. Visit the Apple Store or the Android Store. Authy works great on both Apple and Android phones.

After it’s installed, Authy will want your phone number, and will send you a code. Then, you’re ready for the next part.

Sign in to Amazon on your computer. Go to Account settings, and Two-Step Verification settings (Amazon calls it 2SV). First, clear any old 2SV settings; I had to remove my old text message-based settings. Click Disable, then check the box next to “Also clear my Two-Step Verification settings.” It sounds a little scary, but that’s how the process works. Then, re-enable two-step verification, but this time, select Authenticator App as your preferred method, instead of phone text.

Next, Amazon will display a QR code (those weird squares with the tiny oddball blocks in them). Open the Authy app on your phone. Select “Add a new account,” and scan the QR code with your phones camera; grant access, if asked.

Invent a Secure Backup password when Authy asks you to. This is your Authy password; it needs to be long and strong. Write it down and keep it in a secure location. Don’t ever, ever lose it.

Tell Authy your phone number when prompted. Pay attention to the notices on both the phone and the computer. Eventually Amazon will give the go-ahead to start using Authy as your 2FA method. The process is actually easier than it sounds.

Now, when you sign in to Amazon on your laptop, or any computer, for that matter, the Authy app on your phone will be told by Amazon to generate a code which the phone will display. You enter the code on the Amazon login, and you are signed it. Voila. Welcome to modern Internet security.

Dave Moore, CISSP, has been fixing computers in Oklahoma since 1984. Founder of the non-profit Internet Safety Group Ltd, he also teaches Internet safety community training workshops. He can be reached at 405-919-9901 or internetsafetygroup.org