2FA with Hardware Keys or Authenticator Apps

Two-Factor Authentication Is Good, but What Level of 2FA Do You Need?

There are different levels of two-factor authentication. At the most basic level, you sign in and the website pushes out a time-limited code. It arrives either as an email or as a message to your phone. It could even go to another device that is logged in to the same account.

It does offer some extra security on top of just having a username and password. The only thing is, if somebody steals your phone, that also gives them access to that second factor of authentication. It’s not going to be enough; it’s a little bit too easy to defeat with a man-in-the-middle attack, or for a thief.

The next level of two-factor authentication protection is to use a separate authentication app. You can protect that app with a password or PIN code which is different from your device login password, to keep people out of it.
Or you could have it open only with face recognition or another biometric locking mechanism, like your fingerprint.
So if someone steals your phone, they would also need to know the password to your authenticator app, which is different from the login PIN code for the phone. If someone was shoulder surfing and saw you enter the password to the phone, your important accounts still have another level of protection.

Have a look at the other video I made about using Screen Time to add protection to your iCloud / Apple ID. It is another password to remember, because it is different from the login code for the phone.

But you know your iCloud account holds the keys to the kingdom, so you have to keep it secure.

There are a number of these authentication applications, like Google Authenticator, but I prefer to use the one called Authy.
You can also use the password manager 1Password to give you the TOTP codes, so long as you have it properly protected with a password different from the one you use to log in to your iPhone or whatever device.
If this is set up properly then this is going to be a good solution for most people.

The next level of two-factor authentication is to use a hardware key, like a Yubico key. Trust Keys and Thetis are other options.

There is the Yubico Authenticator, which will give you the time-based codes only if you also plug in the key or use NFC to unlock the application. I would highly recommend using one of these keys for your keys-to-the-kingdom accounts.
These are accounts such as your email accounts, bank accounts and something as important as your Apple ID. This will make it more difficult for people to lock you out of your accounts.
This is why you protect email accounts:
Often you will get an email asking if it was you who wanted to change the password on your email account. If someone has broken into your email account, they might be able to say “Yes, it’s me” to one of those emails and do more damage, locking you out of important accounts like banks.
What I like about using Authy or 1Password for the two-factor authentication codes is that they are synchronised across devices. Also, there is no limit to the number of two-factor authentication codes you can set up in the application.
This is in contrast to the Yubico Authenticator, which only allows you to have up to 32 accounts on one key.
Also, you have to set these up per Yubico key, so it’s going to take more work to set up the two-factor authentication.
I’ve also found that some accounts only allow one authentication key. It’s necessary, and not just highly desirable, to have duplicates of your Yubico keys, just in case you lose one.
If the site only allows one hardware key, make sure you have another method of getting in as a backup. This could be a list of one-time codes you have printed and kept safe somewhere. You get these when you set up the 2FA.
I have three Yubico keys now. One key is kept in a safe place and is the backup key. Two of my keys work on USB-A / NFC, and the newest one I have bought works on USB-C and Lightning.
I have covered all the bases, although I’m tempted to get another which is USB-C / NFC.

When you set up a new account with your Yubico keys, you have to do all the keys at the same time. So go and get the backup key from the safe place and do that one too.
Apple will not let you set up hardware 2FA keys unless you have 2 keys. So bear that in mind when you are buying your first key. You have to buy two.
So decide what your level of risk is. Use the protection you think is necessary.

Some people who like going to bars, where others can easily look over your shoulder as you put the PIN code into the phone, could even consider using a burner phone which is only used for these nights out,
purely for phone calls and without any connections to online accounts.