Securing your Internet Accounts — part 2
In the previous story we discussed the background. Now let's discuss 2FA (two-factor authentication).
2FA works by verifying directly with the account owner whether it is actually "them" trying to log in.
The verification method varies, depending on the features the website offers or on what you choose (if there are multiple options):
- SMS. A code is sent to your phone. You have to enter the same code on the site within a limited time period, otherwise it expires.
- Email code. A code is sent to your mail account. For this reason, please do not ever set the same password for all of your accounts.
- Generated code; we will call this Authenticator. You install an Authenticator (or similar) application on your smartphone or PC. To log in, you check the code the application is producing at that moment. The time window is short, between 30s and 1 minute. After that the code changes.
What would be the better option?
If you ask me, I would propose to use Authenticator.
- SMS is dangerous if you lose your phone, or if your SIM card gets cracked/duplicated.
- E-mail is dangerous if you lose access to your email.
- Authenticator: you can add an additional password layer so that if somebody gets hold of your smartphone, they still cannot open the Authenticator app. Another benefit is that you can even open it on your PC/laptop.
But again, the choice is yours.
For now, I will discuss the third option: Google Authenticator, which you can download for free from the Play Store or the App Store (iOS).
By default, GA (Google Authenticator) has no password to open it, but you can add a password layer. I think certain smartphones, like Xiaomi, already support this by default. If it is not available, you can download an additional app like “AppLock”.
AppLock is very useful: you can lock any application with an additional password. For example, you may want to lock Netflix from being opened by kids, or lock your gallery from being opened by friends. And of course it can be used to lock GA.
So, how do you enable 2FA in Facebook?
Go to Settings -> Security and Login; there you will find the 2FA settings. Or you can open the address: https://www.facebook.com/security/2fac/settings
To enable 2FA for Google Mail, go to https://myaccount.google.com/security
If you choose 2-Step Verification with the Authenticator app on your smartphone, Facebook or Google will show a barcode. Open Authenticator on your smartphone, tap new (Add, or the + button), and choose scan barcode.
After scanning, your 2FA data is stored and the app shows a newly generated code. Enter that code back into Facebook/Google. The reason is that the website wants to verify that your 2FA is in sync (both the website and your phone agree and produce the same set of numbers). If the 6-digit code you entered matches the one FB/Google expects, 2FA will be enabled.
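The "in sync" check above, as an added example (not code from Facebook, Google or the author of this story): Google Authenticator implements time-based one-time passwords (TOTP, RFC 6238), so the scanned barcode carries a shared secret from which the phone and the site each derive the same code. The enrollment URI, the account name and the one-step clock-drift tolerance are assumptions; the secret is the public RFC 6238 test key, not a real one.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs

# Constructed sample of what the barcode encodes. The secret is the RFC 6238
# test key "12345678901234567890" in base32; the account name is made up.
SAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")

def secret_from_uri(uri):
    """Extract the shared secret bytes from an otpauth:// enrollment URI."""
    b32 = parse_qs(urlparse(uri).query)["secret"][0].upper()
    b32 += "=" * (-len(b32) % 8)           # restore stripped base32 padding
    return base64.b32decode(b32)

def totp(secret, unix_time, period=30, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the number of elapsed time steps."""
    counter = struct.pack(">Q", int(unix_time) // period)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                 # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def server_verify(secret, submitted, unix_time, period=30, drift_steps=1):
    """Site side: accept the current step and +/- drift_steps for clock skew."""
    for step in range(-drift_steps, drift_steps + 1):
        expected = totp(secret, unix_time + step * period, period)
        if hmac.compare_digest(expected, submitted):   # constant-time compare
            return True
    return False

def enrollment_demo(now=1_700_000_000):     # constructed timestamp
    secret = secret_from_uri(SAMPLE_URI)    # phone and site hold the same secret
    phone_code = totp(secret, now)          # what the app displays right now
    return {
        "enrolled": server_verify(secret, phone_code, now),
        "slight_skew": server_verify(secret, phone_code, now + 30),
        "expired": server_verify(secret, phone_code, now + 120),
    }

if __name__ == "__main__":
    print(enrollment_demo())
```

No code ever travels from the site to the phone: both sides compute it locally from the secret and the clock, which is why a wrong clock on the phone makes valid-looking codes fail.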
FB/Google will then provide you with backup codes. You need to store these backup codes somewhere SAFE, offline. If you ever lose the password to your 2FA app and cannot log in, you will need the backup codes.
haRies, where do you store backup codes?
I don’t. I didn’t save them 😆
The reason is that I have multiple Authenticator backups, so I am not afraid of losing any one of them. I will elaborate on this in another story.
How about the process of setting up 2FA for other sites or social media?
If other sites provide 2FA, the process will be very similar: go to the security settings (or a similarly named page) and you should find it there.
What if other sites do not have 2FA?
It means the security of that site is not that guaranteed. You can still use it though, just don’t put anything serious there and be prepared to lose it someday.
Any other tips?
Sure:
- Always use a strong password with a combination of upper case, lower case, letters, and special characters, and ensure it has at least 8 characters. If you are thinking of the words “gold fish”, you can transform them into the password “G0ld f!sh”. The longer the password, the safer, but also the more difficult to remember. Just pick between 8–12 characters.
- Do not pick an easy-to-guess password, like your name, your child's name/birth date, your girlfriend's name, your ex-girlfriend's name (oops), etc. Pick something that is totally unrelated to you.
- Be careful when you are asked to log in again. If you are using a web browser, always check the address bar: is it the correct site address, and do you see the GREEN lock sign (well, sometimes it is not green; just ensure the lock is not struck through)? If you are using an app, always be cautious: an app like Facebook WON'T EVER ASK FOR YOUR PASSWORD AGAIN only to see ̶s̶e̶x̶y̶ content. Unless you want to change some serious security settings, then it will ask.
- Do not open websites containing sensitive information in public. If you really, really, really have to, ensure there is no CCTV or person behind your back.
- Never use public wifi to open sensitive sites (although the possibility of being cracked this way is small).
- Lastly, almost all applications require your email. Therefore your email becomes your main identity, and you must not lose it at any cost. Ensure you have 2FA for your email, and ensure nobody can see the mailbox but you.