Protect yourself: How to choose the right two-factor authenticator app


Adding multi-factor authentication (often called two-factor authentication, or 2FA) to important online accounts is probably the single most important security precaution you can take. It takes just a few minutes to set up, and the result is a layer of protection that will prevent intruders from intercepting your email, stealing funds from your bank account, or hijacking your social media.

In this post, I describe the most basic form of 2FA, which uses an authenticator app installed on a mobile phone to provide a secondary form of proof of identity when necessary. In that case, the two factors are the classic “something you know” (your sign-in credentials) and “something you have” (the mobile device that you’ve configured with a shared secret). The combination of those two factors sets the proof-of-identity bar high enough that your average thief won’t be able to get over it.

When you use your credentials to sign in on an untrusted device, the service demands that you enter a Time-based One-Time Password (TOTP) code generated by that app or respond to a notification on the device. After passing that challenge, you can typically designate a personal device as trusted and skip the codes for future sign-ins.

Most people choose a single 2FA app and use it for every service. My configuration is a little different, because I have two phones that I use interchangeably, and a greater-than-average number of online accounts on which 2FA is enabled. I’ve settled on a security setup that uses three separate authenticator apps, each one with its own specific security role to play.

That setup might sound confusing in theory, but it solves several problems elegantly, and it isn’t the least bit annoying in practice. The same regimen might work for you.

Here’s the tl;dr: If you’re protecting Google accounts, use the Google Authenticator app. For Microsoft accounts, use the Microsoft Authenticator app. For all other accounts, use either of those apps or choose a third-party alternative like Authy, which allows you to back up and restore your security configurations so you can remain secure when you switch phones.

Allow me to introduce these three apps, with details about the unique strengths of each. All three are completely free and are available for iOS and Android platforms.

Google Authenticator

Apple Store listing | Google Play Store listing

If you go to just about any online service that supports the six-digit TOTP codes that are at the heart of 2FA, this is the app you’re instructed to download. The dirty little secret is that there’s nothing special about the way the Google-branded Authenticator app generates those codes. For third-party apps and services, you can use any of the three 2FA authenticators I describe here.

Where the Google app shines is, naturally, when protecting sign-ins to your Google accounts. That includes both personal accounts (Gmail, YouTube, and other consumer services) and G Suite apps managed by an organization.

To set up 2FA on a personal Google account, go to https://myaccount.google.com/security and click 2-Step Verification, as shown here.

[Screenshot: google-2fa-setup.jpg, the 2-Step Verification option on the Google account security page]

The default option, a Google Prompt that you respond to on your mobile device, doesn’t require the Authenticator app at all. If you’re signed in with the corresponding account on an Android device or in the Gmail app on an iPhone, you can respond to the prompt, as shown on the left below, and sign in.

To set up the Authenticator app for the first time, use its option under the Set Up Alternative Second Step heading. Open the app, click the + button to add your account, and scan the QR barcode. Enter the six-digit time-based code to confirm that you’re set up correctly, and you’re done.

If you can’t receive the prompt, for some reason, or if you prefer another authentication method, click the Try Another Way To Sign In link, which allows you to choose one of the options you set up previously, as shown on the right below.

[Screenshot: google-2fa-sign-in.jpg, the Google Prompt on the left and the Try Another Way To Sign In options on the right]

The interface for setting up and responding to authentication options is the same for G Suite accounts, although an administrator has to enable the feature from the G Suite admin console, where they can also limit the types of authentication allowed and tighten security by turning off the ability to trust a device or to receive codes via SMS or a phone call.

To set up third-party 2FA accounts in the Google app, click the + button and scan the bar code or manually enter the setup information. You can use codes generated here for any TOTP-based 2FA proof.

Although you can install the Google Authenticator app on multiple phones, you can only use one device at a time, and you can’t share accounts between devices. You can move your existing accounts to a new phone, but there’s no supported way to back up and restore configurations.

Microsoft Authenticator

Apple Store listing | Google Play Store listing
