🔒 Setup an Authenticator for Multi Factor Authentication

Preparation 🧑 ⭐⭐⭐⭐ ⭐⭐ 🧑🧑 🆓 2021-06-28


"Multi-Factor Authentication" simply means that you use at least two (multiple) ways (factors) of letting systems know that you are who you say you are (authentication). Services like Microsoft 365, Google Workspaces, Bitwarden, Gmail, Facebook, Twitter, Slack, WhatsApp can all be setup to require a second factor log in. Typically, a password is the first factor, and the second factor would to be something else, like clicking a link in an email, or typing in a code from you received in a text message.

Pasted image 20210628144036.png

While these factors offer some additional security, they are not as strong as using an authenticator app. An authenticator generates Timed-One Time Passwords (T-OTP) and typically refresh every 30 seconds. The service which is asking you to provide your T-OTP will know which T-OTP is valid, so once you provide a password as the first factor, and the T-OTP as the second factor you would be logged in.

This adds a significant level of improvement as an adversary no longer just needs your password, they also would need to get access to your second factor in order to log in. For example, if you are recorded by a CCTV or other camera typing in your password, it would have been compromised. But since T-OTP are only valid once and only for 30 seconds, even if they recorded your T-OTP, it would be useless after you used it yourself.

This also protects against risks where your password is leaked through a hack. For a service protected by multi-factor authentication, a password alone still would not provide access. So the best way to think this system is having not one but multiple locked doors guarding your home, so even if one of the keys is lost, anyone who finds the key still would not be able to get into your house.

Lastly, try and make the second factor about "something you have", as this adds the most security. Since a password is "something you know" and is stored digitally, it can be intercepted and used remotely. But if your second factor was, for example, linked to your phone, an attacker would need to physically get access to your phone to login to your account. This greatly reduces the possibility that an attack will successfully take over your system or accounts. There are also hardware keys like the Yubikeys which offer USB keys with internal T-OTPs - but they are quite expensive (~USD40 per USB key).


What you should know

What you should prepare

Pasted image 20210628150216.png

What you should do

1. Install the Authenticator

There are a sufficient number of free authenticator apps out there, so you don't need to pay for one. However, if you have 🔒 Setup a Bitwarden Account and got a paid account, T-OTP will be included. This allows you to avoid using an separate app, as you could simply use Bitwarden as your authenticator instead, as shown below:

Pasted image 20210628145603.png

However, if you have a free Bitwarden account - or are not using it - you will need a separate authenticator app. We recommend Authy. Authy is available across all popular platforms, so you can setup it up on your computer or phone. But we'll show an example of setting it up on a smartphone:

  1. Download and install Authy from the Play Store or App Store.
  2. Open "Authy" once it's installed
  3. Enter the phone number of your device:
  4. Pasted image 20210629145751.png
  5. Next they will ask which account you want to associate your Autenticator app with - select your work account if you are exclusively using this for your work account, or your personal account if this will contain codes for both personal and work accounts.
  6. Pasted image 20210629145850.png
  7. Select your verification method - SMS message may be the easiest if you have the SIM card for the number you registered with in your phone.
  8. Pasted image 20210629150026.png
  9. Once you've entered your code and verified your account - that's it! you've setup your authenticator and are ready to add a second factor to your first service.

For detailed instructions for all platforms, there's Authy's official Getting Started Guide.

2. Important : Staying Secure with a Second Device

Requiring a second factor to login means that you will be required to have access to the second factor in order to login - of course! that's what adds the security! - but this means that you would always need your phone with you to login to your accounts.

This could conflict with other security advice, like not leaving the house/office with your sensitive phone on you. So, if you do not want to put your sensitive phone at risk, we recommend that you also install Authy on the device where you will be using it. But only if that device itself stays in the same location, and is at least as secure as your phone.

For example, if you need to login to your email on your work laptop in the office, but want to leave your phone at home, then you can also setup Authy on your laptop, and access the codes that way.

Let's also install it on a computer:

  1. Download and install Authy for Desktop - just select "Windows 64-bit" if you are on windows, "macOS" for Macs, and "Linux" for any linux distro.
  2. Launch "Authy"
  3. Pasted image 20210629155031.png
  4. Provide the phone number you signed up with.
  5. Select "Existing Device" if you have your phone with Authy available
  6. Pasted image 20210629155119.png
  7. Your desktop app will show that it is waiting for approval
  8. Pasted image 20210629155354.png
  9. Switch to your phone, and open the "Authy" app
  10. Pasted image 20210629155524.png
  11. You should have the New Device prompt, tap "Accept" if it shows your computer's name.
  12. Because this is a BIG step - sharing all your security tokens with another device - it will ask you to confirm that this is what you wanted to do. Type "OK" and click "OK".
  13. Pasted image 20210629155620.png
  14. Congrats! You now have Authy setup on a second device.

3. Secure the App

By default, your tokens are not protected behind a PIN/password prompt, so let's secure the authenticator app itself:

  1. Launch "Authy" on your phone
  2. Tap the triple dot menu, and tap "Settings"
    Pasted image 20210629160544.png
  3. Tap "App Protection"
  4. Pasted image 20210629160621.png
  5. You will be prompted to set a PIN - follow the advice from 🔒 Generate Stong PINs, and add it to Bitwarden as a new Login profile.
  6. Pasted image 20210629160819.png
  7. Depending on what trade-off between security and convenience you are comfortable with, you can either decide to use a PIN code, or to use your fingerprint to unlock Authy
    • Important: We are assuming that you have followed the advice from 📱 Configure your Lock Screen, and have a PIN code setup for your phone. So if someone does get into your phone, it means that they already have physical access to your device and have either spent a long time to guess your PIN code (long enough for your passwords to be changed and the device to be remotely wiped, or access revoked), or they are coercing you to provide access. In either case using fingerprints to unlock the app does not weaken your security in ways it does when you use it to unlock your phone.
  8. (Optional) Add your fingerprint to unlock Authy
  9. Pasted image 20210629161353.png
  10. (Optional) Next time you access the app, you will see this prompt - you can unlock Authy with either your fingerp
    Pasted image 20210629161514.png

4. Backup your Tokens

Just like any data, you will want to back-up your tokens in case you lose your devices / phone number / PIN code to unlock them. Of course we hope that none of those things will happen, but we have to prepare for this possibility as the consequences of being locked out of your accounts (e.g. social media, email, banking) is really serious, so it makes sense to back them up and protect them with a strong password.

This feature also enables syncing your tokens between the devices, so it's quite essential to use it to avoid being locked out when you don't have a particular device available.

  1. Launch "Authy" on your phone
  2. Tap the "Accounts" tab
  3. Pasted image 20210629162159.png
  4. Toggle the "Backups" to "on"
  5. You will now be prompted to provide a password to secure your tokens.
  6. Pasted image 20210629162315.png
  7. Important Since you may be adding Multi-Factor Authentication to your password manager (i.e. Bitwarden), it's possible that you first need to unlock Authy before you get into your BitWarden password manager! So instead of securing Authy with a password, we recommend that you 🔒 Generate a Strong Passphrase to use for your Authy backups, so it's easier to write down and type
    • Note: As you will only use this password when installing Authy on a new device, we recommend that you write this password down and securely store it offline.
    • Note: DO NOT use the same passphrase you've generated for BitWarden for Authy, as that would defeat the purpose of having a second factor on BitWarden!
  8. Your tokens should now be backed up!
  9. Pasted image 20210629165048.png

Excellent! Now it shouldn't matter which device you add your MFA token to, the syncing feature of Authy will ensure that this token is available to you where ever you have access to Authy.

Note, on your other devices you will be prompted to provide the new password, so go ahead and confirm it on all your devices with Authy installed

Pasted image 20210629165349.png

Restoring access to your passwords

So if you had lost all your devices, and you needed to start from scratch, how would you get back into Authy and Bitwarden to unlock your other accounts?

  1. You would first install Authy on a device,
  2. Restore a back-up with your Authy passphrase (stored offline),
  3. Install Bitwarden on the device or use the web vault
  4. Unlock Bitwarden's first factor with your master password (stored offline or from memory)
  5. Use your Authy token to unlock Bitwarden's second factor
  6. You now have regained access to all your passwords.

5. Add second factors to all your sensitive accounts

Now that you have an Authenticator app, you'll want to use it.

In our example we will add T-OTP to a Facebook account, but the steps for most services will be similar. Please 🔒 Setup 2FA for Facebook, for an example of how to secure your online accounts with 2FA.

For all your other accounts, follow the advice in 🔒 Use Multi-Factor Authentication.

Sources : ArsTechnica, GuidingTech