2-Factor Authentication (2FA) for Securing your Computer or Phone or Tablet Logins

2FA = 2-Factor Authentication, a hardware device ("token") for login together with a conventional login.

If thieves steal your phone your entire digital and financial life could also be stolen.

While thieves might also steal a 2FA device, such a device is easily hidden, and thus less likely to be stolen along with the phone/tablet/computer.

Reader Don H writes:

Do you have a recommendation for a 2-factor device?

MPG: excellent question. Standards have changed* and there are now general-purpose 2FA devices.

Incredibly, very few financial sites support hardware 2FA devices and nearly all of them require a proprietary hardware token, making it a hassle to deal with more than one company.

For that matter, the vast majority of sites today have no support for 2FA hardware tokens.

The good news, however, is that if you secure a password manager with a hardware token (e.g. 1Password on an iPhone), then theft of your phone is much less of an issue. The same applies to 2FA hardware tokens used with a password manager on computers.

General-purpose 2FA hardware tokens are easy to use, but there are questions to answer first:

  • With which service(s) does the device work?
  • With which device(s) does the device work?
  • Compatibility: USB-A or USB-C and/or NFC connectivity.
  • How many 2FA devices? Consider two of them, in case one is lost.

It might come down to a specific device for a specific company in all too many cases. And some companies don’t even offer it; for example, I could not find any such option on Charles Schwab.

It all looks pretty sucky given that Schwab, Chase, etc all use proprietary tokens. Unless you have a specific use case, the Yubikey doesn't look useful, not in any general way.

Reader Don H writes:

I look into this every few years just to see if there’s been some usability breakthrough that makes it worth pursuing further, but after about three paragraphs of any review my eyes glaze over and I decide I can (continue to) live without it.

I’ll keep on using that crumpled-up Post-It note with all my passwords on it and type them in manually like a mediaeval scribe laboring over a manuscript. (Actually, I use 1Password 6 but I do manually copy and paste the passwords in because I refuse to install any browser extensions to save that step. Keep everything separate…)

MPG: I’m totally OK with a password manager on a desktop computer and a laptop with care, and copy/paste is fine but comes with a danger of leaving the password on the clipboard.

Until and unless there is widespread adoption of things like Yubikey, I don’t see a use case for 2FA hardware tokens except in very specific circumstances such as a brokerage account (e.g. Charles Schwab) or github, or similar.

* Some years ago PayPal sent me one, one of the old-fashioned battery-powered kind that continually displays the current PIN code. I ended up never using it because I was traveling a lot, and I was worried about losing it and thus losing access to services I needed. But a further issue was that it was good only for PP.

Copyright © 2020 diglloyd Inc, all rights reserved.