As safe as a bank locker. One key with the bank and another with you.
Yes. Two-Step-Authentication gives you exactly this feature with a change that both the keys are with you. So even if one gets access to your first password, he still cannot log in or hack into your system. It has become a de facto with any web based service who cares little about data security. Goes without saying that if a service does not support this, they are not serious about data security and your should seriously think about continuing to use them.
So what is this Two-Step-Authentication anyway?
When you signup to a service for example, Gmail or Facebook or Dropbox, you are required to set an account password. This is the first level security. If you have not given a complex password then it is very likely that with few guesses or using a brute force algorithm, someone can successfully guess your password and gain access to your account. This is one of the ways to hack your password. There exists many other ways to hack some’s account. Another most popular one is free-wifi. You might feel very lucky that you got access to a free wifi at public cafe. But you never know if the supplier of free-wifi access point is tracking and storing all the incoming / outgoing traffic or not.
With Two-Step-Authentication, we set a second password which in most cases keeps changing every 30 seconds. This way your account gets two level of security. First with a static password which you set at the time of signup and second which keeps changing every 30 seconds. So even if someone could successfully guess your first password, he will be blocked when the second level password is asked and will not get access to your account.
How to setup Two-Step-Authentication?
Lets see how to setup two-step-authentication for your Gmail account. Other accounts like Facebook, Twitter, Dropbox should have similar setup.
To setup, once you are logged into your gmail account, go to security section under myaccount.google.com. Scroll down to “Password & sign-in method” and choose “2-Step Verification” option. You might be asked to re-enter your password which is ok. Gmail supports below types of two-step-authentication:
- Backup codes
You will be presented a set of 10 pre-generated codes which can be used for 2-Step Verification. You can copy or save or note it down in your notebook. Each codes works only once. So once you have used one of them, do remember to strike them off. Also remember to generate the new set of codes before the 10th code is been used. This is a very manual way and still can be the best way as you only knows where you have saved those backup codes.
- Voice or text message
In this option, you set up a mobile number. When needed, google will send you a SMS or if you are not able to receive SMS for some reason, you can also request a call back. In the SMS will contain the 2-Step Authentication or in the call back, the code will be played. Enter the code and you are done. This is also a secure way with the danger that if you have lost your phone or number then only way to fall back for your 2-Step Authentication is using the Backup codes which you generated in the first step.
This option is handy where you don’t have to remember the backup codes or manually manage them. Side effect is, so far SMS reception is free. You never know when google or your operator will start charging for this service. Also, when you are international roaming, SMS messages arrive late and a callback will be very costly.
- Authenticator app
If you have a smartphone (Android or iPhone), then you can install GoogleAuthenticator or Authy app. Once you have installed the app and choose this option, you will be presented with a bar code. Launch the app and scan the code. Once the scan is successful, you will be presented the 2-Step Authentication code which changes every 30 seconds.
Highly recommended. Always works. No need to worry about receiving sms or call while roaming or managing the backup codes manually. What happens if you have lost your phone? You fall back to Backup codes :). A point worth mentioning is that Authy also has desktop apps. So if I have forgot my phone, I start the Authy in my desktop and generate the codes.
- Google prompt
If you have a smartphone and have configured a gmail account then you can use this option. Follow the setup instruction and once setup, every time you try to login, google will prompt you on your configured phone to allow or disallow the login attempt.
Very easy and highly secure. If you have lost your phone, you already know by now :). Fall back to Backup codes.
- Security Key
So far what we have seen is software based 2-Step Authentication. This option gives you hardware based authentication. You can buy a usb smart card with cryptography functionality in it. I use Hyperfido Mini (U2 °F Security Key). Currently this device works only with Google Chrome browser. So if you are using some other browser, you need to find a compatible device. It is like a usb dongle but not to store data but to randomly generate 2-Step Authentication tokens. Follow the on screen options to setup this device and from next time onwards, all you have to do is, push a button when you try to login.
It is not water proof and you may easily forget it unless you tie it to your home key-chain :).
That was all you had to do setup 2-Step Authentication. Obviously you don’t need to setup all. One of them is good enough but I use all possible combination so that Google can offer me multiple ways to authenticate my 2-Step login attempt. If I have forgot my Security Key, it falls back to Google prompt. If I have forgot the phone in which I have setup Google prompt then to the Authenticator App. And so on. So more options your account has to perform 2-step authentication, the more secure your account is.
That was a long write-up. I hope it will help some of you. If you have enjoyed the reading then feel free to share it to your friends via facebook or twitter. I also welcome and feedback or suggestions to improve the article for easy understanding.