Two Factor Authentication


Background


Two-factor authentication (2FA) is a security feature that can be added to almost all accounts to prevent attackers from getting in even if they learn the password. When enabled, after entering a username and password on a new device, a user will be asked to confirm their identity using some other “factor,” which can be something they know (e.g. a PIN), something they have (a security key), or something unique to their body (a fingerprint). Most people choose to enter a code from their phone.

Why is two-factor authentication important?

Because it is very effective. Recently, IBM obtained video of Iranian government hackers attacking American accounts. IBM found that the attackers skipped any victim that had 2FA set up because of the increased difficulty of penetrating those accounts.

Which accounts need 2FA?

Unfortunately, hackers do not care about the distinction between personal and work life, so it is important to enable 2FA on all regularly used accounts.

Types of two-factor authentication:

1) Security Keys: Most Secure
A physical device that plugs into your computer. These cost about $20 but are free for federal campaigns through DDC.

[Image: a U2F USB security key]

2) Authenticator Apps: Next Best Option
An app on your phone that produces push notifications or short-lived codes, which you then use to unlock accounts.

3) SMS / Text Messages: Least Secure
Text messages that contain codes which can then be used to unlock accounts.

[Image: chart of Google's account-takeover study results]

Google recently studied account-takeover attempts in which the attacker already knows the user's password, measuring how well a variety of 2FA methods hold up as defenses (shown in the chart above). They found that text messages stopped 76% of targeted attacks, authenticator apps stopped 90%, and a security key stopped all attacks.

Note: Any form of 2FA increases security compared to just using a password. Without any 2FA, all of the attacks studied would have been successful. Even though SMS is one of the least secure second factors, it still makes accounts significantly safer than having no form of 2FA at all.


Installing an Authenticator application


There are many free and secure authenticator apps, including ones made by Google and Microsoft. Authy is a secure authenticator that comes with many new features, including backups of codes, simple search functionality, and automatic logos for each imported account.

Authy can be downloaded for iPhone, Android, or your computer.

Some websites will only give instructions for a specific authenticator app, whether that is Authy, Google Authenticator, or Microsoft Authenticator. These instructions can be safely ignored; any of these authenticator apps will work for any website.


Instructions on how to enable 2FA


The rest of this guide is instructions on turning on 2FA on some of the most common accounts. Instructions for almost every account are available on the website twofactorauth.org or authy.com/guides/.

Below, this guide covers Gmail, Apple ID, Facebook, Twitter, and LinkedIn. These instructions are up-to-date as of October, 2020. The exact steps may change in the future; if so, please use either of the links above to find current guides.

Gmail

  1. Click this link to begin enrolling.
  2. Sign in if not already logged in.
  3. Click “Get Started”.
  4. Enter password again and click “next.”
  5. Gmail displays 3 options for 2FA. First turn on text message 2FA. Then you can add a more secure option after.
  6. Enter phone number, choose whether to receive the codes through a text message or a phone call, and click “next.”
  7. You will receive a text message containing a number. Enter that number into Gmail where it says “enter the code.”
    Select “Turn on.”
  8. Congratulations! 2FA is enabled. Your phone is now a second authentication method for logging in to Gmail. Continue with some of the additional options to download backup codes and further secure your account.
    Scroll down to see these additional options:
  • Backup codes
  • Google prompts
  • Authenticator app
  • Backup phone
  • Security Key

Click any of the options above and Google will walk you through the process. Here are instructions for the authenticator app “Authy”.

  1. Under Authentication App click “set up”.
  2. Select iPhone or Android. Click “next.”
  3. In the App select “Set up account.”
  4. Choose “Scan barcode.”
  5. Launch authenticator app (e.g. Authy).
  6. Click “Add Account,” hold the phone up so that the camera is over the QR code.
  7. On the computer click “next.”
  8. On the phone you should see 6 numbers pop up. Enter those 6 numbers on the computer.
    Note: If the numbers don’t work, try again. The codes have a time limit.
  9. Congratulations! You're all set. From now on, you'll use the authenticator app to sign in to your Google Account.

Apple ID

Note: If you have a Mac and an iPhone you only need to turn on two-factor authentication for Apple ID on one of these devices. Turning it on in one location turns it on in all locations.

iPhone

  1. Go to “Settings.” Click on your name at the top.
  2. Click “Password & Security.”
  3. Click “Turn on Two Factor Authentication,” click “Continue”.
  4. Enter phone number. Click “Next.”
  5. Apple will send a verification code, enter that number where prompted.
  6. Enter your passcode (the number you use to unlock your phone).

Mac

  1. Click the Apple in the upper left-hand corner and go to “System Preferences.”
  2. Click either “Apple ID”
  3. Click “Password & Security.”
  4. Click “Turn on Two Factor Authentication...”, click “Set Up Now.”
  5. The computer will guide you through the rest of the process through a series of prompts.

Facebook

These instructions are for the computer, but 2FA can also be set up through the phone.

  1. Go to Facebook and log in to your account.
  2. Click the down-pointing arrow in the upper right-hand corner, click “Settings.”
  3. Click “Security and Login.”
  4. Click “Use two-factor authentication”, click “Get Started.”
  5. Either the phone or an authenticator app can be used as a verification method. We recommend using an authenticator app.
    Select “Authentication App”, click “Continue.”
  6. Open Authy, click “Add Account.”
  7. Scan the QR code, click “Done” or “Save.”
  8. You’re all set!

Twitter

  1. Go to Twitter on the computer, click “More” on the left-hand side, click “Settings and privacy.”
  2. Under “Account” click “Security.”
  3. Click “Two-factor authentication,” click the checkbox next to “Authentication app.”
  4. Click “Start” then enter Twitter password, click “Verify.”
  5. A barcode should pop up, open Authy on the phone, click “Add Account.”
  6. Scan the QR code, click “Done” or “Save.”
  7. Go back to Twitter, click “Next,” enter the authentication code where prompted.
  8. Click “Verify.”
  9. You’re all set!

LinkedIn

  1. Go to LinkedIn on the computer.
  2. Click “Me” in the upper right-hand corner under your icon and click “Settings & Privacy.”
  3. Click “Account,” then click “Two-step verification.”
  4. Click “Turn on,” choose “Authenticator App,” click “Continue,” and enter your password if prompted.
  5. In Authy scan the QR code, click “Done” or “Save.”
  6. Go back to LinkedIn, enter the authentication code generated by the app.
  7. Click “Continue.”
  8. You’re all set!