Some background for the uninvited
Two Factor Authentication (2FA) and its more serious cousin Multi-Factor
Authentication (MFA) are ways of protecting your access in more than one way.
In the traditional world, it means that only you have access to your credit card
and its four digit PIN, only you know which bicycle or home is yours and carry
the key to the lock, and that only you carry your ID or passport and look
sufficiently like the person in the photo. These days, things are a
little bit more complicated.
These days, your data is what makes your phone or computer yours. All the
email, all your work, all those documents, the instant messages, the social
media … this combination of stuff is what makes your gadgets uniquely yours.
Which is why they’re worth protecting, and protecting better than by just
hiding them in your drawer or using a password. This we do by requiring more
than one way of proving it’s you, or in technospeak, more than one
authentication factor.
There are several popular ways of MFA, some of which suck. Many web services
will send you an email to click to prove you’re you. What this proves is that
you have an email address, you were able to spell it out correctly, and that
you’re able to respond to email. This is really popular with password resets.
Several services require you to authenticate using your phone number (Twitter,
WhatsApp). Some will send you an SMS with an authentication string when you want
to log in somewhere, or send you your new password. This is really unfortunate
if somebody’s just nicked your phone or your SIM card. I’d like to say that SMS
authentication is better than nothing, but it’s not much better.
You can have an authenticator app on your phone or a “hardware token”, which
basically is just a thing that looks like a USB memory key but won’t store your
docs or pictures. Those are the best, but they do come with a few drawbacks,
caveats and gotchas.
The problem with 2FA and how to cope with it
A 2FA token is meant to uniquely prove that you are you. That’s all nice and
dandy until you lose hold of your 2FA token. If you’re a Messy Person like me,
you are bound to lose your keys one day (you’ll probably find them again, but in
between you’ll be pretty miserable), you’ll break your phone or it just runs out
of battery when it shouldn’t. Or you’re travelling (once the Plague is over) or
at the countryside house doing remote work, the 2FA fob is at the bottom of the
lake and your backup token is 340 km away. Well, oopsie-doo. You have a problem.
It’s not so much a problem with 2FA itself; it’s how you deal with things once
you no longer have access to that second factor. It’s really just a feature of
2FA: 2FA doesn’t discern whether it’s you or somebody else who doesn’t
have your second authentication factor.
Here’s a tip that lets me sleep tighter. Think what would happen if you lost
your 2FA method. Then think of how you’d solve it. Then test your
thesis. Learn and refine. Security folks call this Threat Modelling, and it’s
really quite a fun exercise if you take it that way.
Have several 2FA methods. I have more than one hardware “token”; one that I
carry with me and one which is at home. I’m pretty sure I know where my backup
token is… I also use authenticator software on a mobile device (tip: it’s not
my daily driver phone). Sadly it seems you can’t have more than one
authenticator software configured per service, so if I lose the phone which
carries my authenticator app, I have work ahead.
Finally, all services with 2FA provide backup codes. Copy these into your
password manager – but realise that since your password manager also is using
2FA (or will be, right after you’ve read this), you might be locked out in a
really twisted, multi-layered fashion. For this, consider having the backup
codes for your password manager on actual paper, saved somewhere at home,
without the header “Password Manager 2FA Backup Codes” … just in case.