Two-Factor Authentication with One Time Passwords/Tokens (take 2)
[7-10 minute read]
Yesterday I wrote a post where I attempted to explain Multi-factor Authentication and by extension Two-factor Authentication (2FA) from (what I thought was) a very high level.
Multi-Factor Authentication involving TOTP
However, since then I got feedback from a couple of people who read it and they told me it was still too complex. No names, but one of my friends simply stated,
Hey buddy I didn't understood nothing
To be clear, this is not a failing on their part but rather a failing on my side, if my intention was to teach people stuff. And I guess it was. I said it was a "brain dump" but then I did share it with others, so obviously I expected it to be understandable to more people than just myself.
So here is my second attempt, where I will try and reduce this down further. Wish me luck, as I will probably fail… again. 😆
What is 2FA?
2FA means that in addition to the normal, self-selected password (that almost all websites use), you have some other way for the website to double-check who you are. This is often done with a "TOTP app" or "Token-Based Authenticator", which is normally installed on your smartphone. That app on your phone is the "second factor" (with your normal password being the first).
TOTP is a term that gets used often when speaking about 2FA and it stands for "time-based one time passwords". They are called "one time passwords" (OTPs) because every 30s (or so) they change. You can use them once and then you need a new one. The app on your phone tells you what the current one is.
☞ Many sites will call "one time passwords", "tokens" instead. This is probably to avoid confusion with (regular-style) passwords.
Since you are getting this token from an app on your phone, if you do not have that phone (and app), you cannot log in to a site that is set up to use 2FA.
How is 2FA set up with a TOTP app?
The process of setting up that second "factor" typically works like this:
- You log in to the website as normal and request to set up 2FA, which is sometimes alternatively called Two-Step Verification (2SV).
- The website generates a bit of text that they tell you (and only you). Often called a "key" (or sometimes "code", "seed" or "secret"). Normally they will provide this key embedded within a QR code [a form of 3D barcode].
- You install the special TOTP app (Token-Based Authenticator) on your phone and scan this barcode.
- The website will also likely offer you some "backup codes" (see § 'What if I lose or upgrade my phone?' for details of what these are and what to do with them).
How the 2FA login process works with a TOTP app
When you want to log in to the website next time, it asks for the normal password, which you enter from memory (or if you use a password manager, you get it from there). Next it will ask for the "One Time Password" (or Token). You can then look at the app on your phone and copy over the current one that the software has generated. Because the website also has a copy of the same key (they gave it to you in the first place, after all), they can use their own software (with that same key) to generate a matching token. If they both match… you are in!
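For readers who want to see the "matching" step above in working code, here is an added example (written for this page, not taken from the original post) of the TOTP algorithm from RFC 6238 that both the phone app and the website run: the same key plus the same 30-second time step gives the same 6-digit token. The base32 string is a constructed demo secret, not a real account key.

```python
# Added example: how the website and the phone app arrive at the same token
# from one shared key, following RFC 6238 (TOTP) built on RFC 4226 (HOTP).
import base64
import hashlib
import hmac
import struct
import time


def decode_base32_key(secret: str) -> bytes:
    """The key inside a setup QR code is usually base32 text; turn it into raw bytes."""
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore any padding the site stripped
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """One-time password for a counter value (RFC 4226 dynamic truncation)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """The token the app shows: the counter is simply 'how many 30s steps since 1970'."""
    return hotp(key, at // step, digits)


def verify_totp(key: bytes, token: str, at: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Website side: accept the current step plus `window` steps either side to
    tolerate clock drift, comparing in constant time so timing leaks nothing."""
    for drift in range(-window, window + 1):
        expected = totp(key, at + drift * step, step, digits)
        if hmac.compare_digest(expected, token):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo secret (a well-known base32 example string, not a real key).
    key = decode_base32_key("JBSWY3DPEHPK3PXP")
    now = int(time.time())
    print("app shows   :", totp(key, now))
    print("site accepts:", verify_totp(key, totp(key, now), now))
```

The `window` argument is why a token still works if your phone's clock is a few seconds off, and also why a token from several minutes ago is rejected.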
What if I lose or upgrade my phone?
Since your copy of the key was stored in an app on your phone, if you lose the phone you cannot log in. To prevent this, the site likely also gave you some "backup codes". Typically they will give you between one and ten of these. They are short little pieces of text that you can use to log in instead of the generated tokens, for emergency situations. Normally sites will tell you to "store these securely"… but without telling you how. 😆
They often do not want to say how because there are several pitfalls, and nobody likes to get stuck in messy details! But let's discuss a few anyway:
- If you save the backup codes on your phone and your phone is stolen, they will not help… since… you know… you don't have the phone anymore. 😆
- If you save them on your desktop/laptop in a regular (i.e. non-encrypted) file, that is generally not considered secure.
- If you email or SMS them to yourself, then you risk exposing them because these are not normally secure transfer methods.
You could encrypt a file containing them, print them out¹ or just write them down and store them somewhere safe in your house (like… 'a safe'). Depending on how paranoid you are, you may also want to make a copy and store them at the home of a trusted friend or family member. Then you can still access everything even if your house burnt down. I am just saying. 🤷🏼
You need to decide what is a safe way to store them, that works for you, taking into account the various risks. It is annoying but spend some time thinking about it now and you will save yourself a lot of hassle in the future. Don't be tempted to just think, "I do not need them". Depending on which TOTP app you use, you may even need them when upgrading your phone, which is something everyone does eventually. This is because many TOTP apps do not provide a way to securely transfer your keys to the new phone.
☞ For a lost, stolen or compromised phone, reset the 2FA settings for all sites that had TOTP keys configured on that device.
Back up your keys
It is also very worthwhile "securely storing" the original QR codes that you scanned with your phone during the setup stages, or at the very least, carefully noting down the raw keys (along with the name of the respective accounts they are associated with). This will make things a lot easier for you in the future. You can then just quickly scan (or type in) your saved keys in the TOTP app on your new phone.
For comparison, if you wanted to use backup codes, you would need to do the following for each and every site you had previously configured: log in and find the account security settings; temporarily disable 2FA; perform the entire 2FA setup process again.
There is an argument to be made that if you have the original keys, you do not need backup codes, but I would suggest you keep both to give yourself more options. For example, the backup codes can be used directly whilst you await a new phone, while the key must be added to a TOTP app first, before it is usable.
When selecting a TOTP app, consider the options
While many TOTP apps will not provide any way to backup, export or sync the keys, to get them onto new (or multiple) devices, that is not universally true. Syncing your TOTP keys to a second device (so long as the method is secure) is very handy. If your phone is lost or stolen but you have another app already configured on your desktop with a recent sync of these keys, you won't need to use those backup codes to gain access when resetting your 2FA-enabled accounts (though please keep backup codes safe anyway, just in case). On the other hand, syncing them to a multitude of devices increases the likelihood that someone who should not have access gets access, if any one of these devices is compromised.
Again, decide what is best for you. Something to keep in mind, which is worse… having accounts compromised or being permanently locked out of the accounts because you cannot access your phone or your backup codes?
If you just want a couple of quick recommendations:
- Aegis Authenticator [Android]
- Raivo OTP [iPhone]
And that, my friends, is it… for now… … well at least until someone tells me this was still too confusing! 😉
¹ If you do not have a printer and do not know how to encrypt files, another option would be a small, external USB disk. You could save backup codes, raw keys or screenshots of the setup QR codes to this. Keep the disk somewhere safe and secure in your home. Only connect it to your computer when you want to update the files or need to display them (e.g. if you want to re-scan QR codes into a new TOTP app on your phone).