An Overview Of Multi Factor Authentication

Multi-factor authentication goes by several acronyms (MFA, 2FA, TFA), and there are many different ways to implement it, though which ones you can use depends entirely on what the service supports. The idea is that when you log into a site or service, you also have to approve that login after you put in your password. That approval is the other factor in the login process.

One note of caution: if you use a password manager, which you should, it is generally advised to keep your MFA outside of it. This is because if your password manager becomes compromised, the attacker has your MFA codes as well as your passwords.

So now the biggest question is what the best way to go about it is. You can set yourself up on an account-managed service such as Authy, or you can sign in to the Google or Microsoft authenticator apps if you use those services and already have accounts. Your codes are then synced to the respective account.

Bear in mind, though, that this is a second passphrase to remember, because you probably don’t want to store that account in your password manager (for the same reason mentioned above). Note that you can also use the Google/Microsoft apps without logging in. How much you trust that is up to you.

You can also go the independent route. If you are on Android you can install Aegis Authenticator. This is completely local and does not rely on any service to log in. Make sure you export your config and back it up somewhere; you can then import it when you get a new phone. Keep exporting new copies as you add accounts.

Here looks to be a similar iOS app. Though I haven’t used it personally, I have inquired with my iOS friends and they seem to be in agreement that it works as intended.

I’ve also found an online tool that allows you to put in basic TOTP information. Note that the secret key is part of the otpauth link that it gives for the example account.

Most sites will allow you to enable the app manually rather than only via their automatic flow. Here is an example with Microsoft 365:

They then give you the information to put in here, and the resulting link should work in any TOTP app, including all the ones mentioned above. The tool also generates a QR code that can be scanned by most TOTP apps, again including those mentioned above.

This is super useful for documenting the important information and then sharing it with others (say you have an admin account that your five techs need to access). They can each have their own TOTP app and don’t have to rely on someone being available when they need access to the account. They just pull up the site mentioned above, enter the info, and scan the generated code into their respective apps. Alternatively you can take a screenshot of the QR code and save that; since the QR code encodes the same otpauth link, secret key included, store it as carefully as the password itself.
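To show what the otpauth link actually carries and why it works in any TOTP app, here is an added example (not code from the original post or from any of the apps mentioned) that parses such a link, extracts the base32 secret, and computes the same RFC 6238 codes a phone app would. The sample link below is constructed for the example; its secret is the RFC 4226/6238 test key, so the expected codes are the ones published in those RFCs.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample link of the kind a site's "manual setup" page gives you.
# The secret is the RFC 4226 / RFC 6238 test key "12345678901234567890" in base32.
EXAMPLE_URI = (
    "otpauth://totp/Example:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"
    "&algorithm=SHA1&digits=6&period=30"
)


def parse_otpauth(uri):
    """Return the TOTP parameters encoded in an otpauth://totp/... link."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp link")
    query = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in query:
        raise ValueError("link carries no secret")
    raw = query["secret"].upper().replace(" ", "")
    # Apps commonly omit base32 padding; restore it so b32decode accepts it.
    raw += "=" * (-len(raw) % 8)
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "issuer": query.get("issuer"),
        "secret": base64.b32decode(raw),
        "algorithm": query.get("algorithm", "SHA1").lower(),
        "digits": int(query.get("digits", 6)),
        "period": int(query.get("period", 30)),
    }


def hotp(secret, counter, digits=6, algorithm="sha1"):
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_at(params, unix_time):
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(params["secret"], int(unix_time) // params["period"],
                params["digits"], params["algorithm"])


def verify_code(params, code, unix_time, window=1):
    """Accept a code from the current step or `window` steps either side (clock skew).

    Uses a constant-time comparison so timing does not leak which digits matched.
    """
    step = int(unix_time) // params["period"]
    for counter in range(step - window, step + window + 1):
        expected = hotp(params["secret"], counter, params["digits"], params["algorithm"])
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    p = parse_otpauth(EXAMPLE_URI)
    print(f"{p['issuer']} / {p['label']}: current code {totp_at(p, time.time())}")
```

Every TOTP app is doing exactly this arithmetic, which is why a code generated here matches the one on a colleague's phone: the only input that matters is the secret in the link, so whoever holds the link (or the screenshot of its QR code) can generate valid codes.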

Unfortunately, just like email filtering, not all sites and services are going to support this standard TOTP protocol. Some sites still force you into either texting a code or emailing a code, and some have no form of 2FA at all.

I do recommend you set it up for as many sites as you can, though, especially important sites (like banks) or frequently attacked sites (like Facebook). If you combine my advice from my password post and my plus addressing post, you should have a pretty diversified portfolio in terms of login and security, which drastically lowers the chances of any random attack being more than a minor nuisance and a password reset. Of course there is no guarantee, but using these methods in conjunction should considerably lower the probability.
