🔒 Setup an Authenticator for Multi Factor Authentication

TYPE AUDIENCE PRIORITY COMPLEXITY EFFORT COST UPDATED
Preparation 🧑 ⭐⭐⭐⭐ ⭐⭐ 🧑🧑 🆓 2021-06-28

Rationale

"Multi-Factor Authentication" simply means that you use at least two (multiple) ways (factors) of letting systems know that you are who you say you are (authentication). Services like Microsoft 365, Google Workspaces, Bitwarden, Gmail, Facebook, Twitter, Slack, WhatsApp can all be setup to require a second factor log in. Typically, a password is the first factor, and the second factor would to be something else, like clicking a link in an email, or typing in a code from you received in a text message.

Pasted image 20210628144036.png

While these factors offer some additional security, they are not as strong as an authenticator app: emails and text messages can be read or redirected by someone other than you (for example by an attacker who takes over your phone number). An authenticator generates Time-based One-Time Passwords (T-OTP), a fresh code every 30 seconds. When you enrol, the service and your app share a secret key, and both compute the current code from that key and the current time, so the service knows exactly which T-OTP is valid right now. Once you provide your password as the first factor and the current T-OTP as the second, you are logged in.

This is a significant improvement, as an adversary no longer needs just your password; they also need access to your second factor to log in. For example, if a CCTV or other camera records you typing your password, that password is compromised. But since a T-OTP is only valid once and only for about 30 seconds, even if the camera also recorded your T-OTP it would be useless after you used it yourself.

This also protects against your password being leaked through a hack (a data breach). For a service protected by multi-factor authentication, the password alone still does not grant access. The best way to think of this system is having not one but multiple locked doors guarding your home: even if one key is lost, whoever finds it still cannot get into your house.

Lastly, try to make the second factor "something you have", as this adds the most security. A password is "something you know" and is stored digitally, so it can be intercepted and used remotely. But if your second factor is tied to your phone, an attacker would normally need physical access to your phone to log in to your account. This greatly reduces the chance that an attack successfully takes over your accounts. One caveat: a T-OTP is still a code you type, so a convincing phishing page can ask you for it and relay it to the real service within the 30-second window; always check the address of the site asking for your code. There are also hardware keys like the YubiKey, USB keys that keep the secret inside the key and can also do phishing-resistant FIDO/U2F logins where a service supports them, but they are relatively expensive (around USD 40 per key at the time of writing).

Instructions

What you should know

What you should prepare

Pasted image 20210628150216.png

What you should do

1. Install the Authenticator

There are plenty of free authenticator apps out there, so you don't need to pay for one. However, if you have 🔒 Setup a Bitwarden Account and got a paid (Premium) account, a T-OTP generator is included. This lets you avoid a separate app and simply use Bitwarden as your authenticator, as shown below. Bear in mind that the vault then holds both factors for those accounts, so Bitwarden's own second factor must live outside Bitwarden (see the notes in step 4).

Pasted image 20210628145603.png

However, if you have a free Bitwarden account, or are not using it, you will need a separate authenticator app. We recommend Authy. Authy is available on all popular platforms, so you can set it up on your computer or phone. We'll show an example of setting it up on a smartphone:

  1. Download and install Authy from the Play Store or App Store.
  2. Open "Authy" once it's installed.
  3. Enter the phone number of your device:
    Pasted image 20210629145751.png
  4. Next it will ask which email account you want to associate with your Authenticator app - use your work account if you will only keep work codes in it, or your personal account if it will hold codes for both personal and work accounts.
    Pasted image 20210629145850.png
  5. Select your verification method - an SMS message is easiest if the SIM card for the number you registered is in your phone.
    Pasted image 20210629150026.png
  6. Once you've entered the code and verified your account, that's it! You've set up your authenticator and are ready to add a second factor to your first service.

For detailed instructions for all platforms, see Authy's official Getting Started Guide.

2. Important: Staying Secure with a Second Device

Requiring a second factor to log in means that you must have access to that second factor in order to log in - of course, that's what adds the security! - but it also means that you always need your phone with you to log in to your accounts.

This can conflict with other security advice, like not leaving the house/office with your sensitive phone on you. So, if you do not want to put your sensitive phone at risk, we recommend that you also install Authy on the device where you will be logging in, but only if that device stays in one location and is at least as secure as your phone. Every extra device holding your tokens is one more place they can be stolen from, so keep that list short.

For example, if you need to log in to your email on your work laptop in the office but want to leave your phone at home, you can also set up Authy on the laptop and get the codes that way.

Let's also install it on a computer (note: Twilio has since discontinued the Authy desktop apps, in 2024; if the download is no longer offered, use another device you control, such as a tablet, as your second device):

  1. Download and install Authy for Desktop - select "Windows 64-bit" on Windows, "macOS" on a Mac, or "Linux" for any Linux distribution.
  2. Launch "Authy".
    Pasted image 20210629155031.png
  3. Provide the phone number you signed up with.
  4. Select "Existing Device" if you have your phone with Authy at hand.
    Pasted image 20210629155119.png
  5. Your desktop app will show that it is waiting for approval.
    Pasted image 20210629155354.png
  6. Switch to your phone and open the "Authy" app.
    Pasted image 20210629155524.png
  7. You should see the "New Device" prompt; tap "Accept" only if it shows your computer's name.
  8. Because this is a BIG step - sharing all your security tokens with another device - it will ask you to confirm that this is what you want. Type "OK" and click "OK".
    Pasted image 20210629155620.png
  9. Congrats! You now have Authy set up on a second device.
  10. Once every device you want is enrolled, turn off "Allow Multi-device" in Authy's Settings on your phone (under Devices). Authy accounts are tied to your phone number, and this switch stops anyone who gains control of that number from adding a device of their own; turn it back on only while enrolling a new device.

3. Secure the App

By default, your tokens are not protected behind a PIN or password prompt inside the app, so let's secure the authenticator app itself:

  1. Launch "Authy" on your phone.
  2. Tap the triple-dot menu, then tap "Settings".
    Pasted image 20210629160544.png
  3. Tap "App Protection".
    Pasted image 20210629160621.png
  4. You will be prompted to set a PIN - follow the advice from 🔒 Generate Strong PINs, and add it to Bitwarden as a new Login profile. Memorise it or keep an offline copy as well, since you may need this PIN to open Authy before you can unlock Bitwarden.
    Pasted image 20210629160819.png
  5. Depending on what trade-off between security and convenience you are comfortable with, you can either use a PIN code or your fingerprint to unlock Authy.
    • Important: We are assuming that you have followed the advice from 📱 Configure your Lock Screen and have a PIN code set up for your phone. So if someone does get into your phone, they already have physical access to your device and have either spent a long time guessing your PIN code (long enough for your passwords to be changed and the device to be remotely wiped, or access revoked), or they are coercing you to provide access. In either case, using your fingerprint to unlock the app does not weaken your security in the way it does when you use it to unlock your phone.
  6. (Optional) Add your fingerprint to unlock Authy.
    Pasted image 20210629161353.png
  7. (Optional) Next time you access the app, you will see this prompt - you can unlock Authy with either your fingerp
    Pasted image 20210629161514.png

4. Backup your Tokens

Just like any data, you will want to back up your tokens in case you lose your devices, your phone number or the PIN code that unlocks them. We hope none of those things happens, but the consequences of being locked out of your accounts (e.g. social media, email, banking) are serious, so it makes sense to back them up and protect the backup with a strong password. Authy encrypts the backup with this password on your device before uploading it, so the strength of this password is what protects every token you hold.

This feature also enables syncing your tokens between your devices, so it's essential for avoiding a lock-out when a particular device is not available.

  1. Launch "Authy" on your phone.
  2. Tap the "Accounts" tab.
    Pasted image 20210629162159.png
  3. Toggle "Backups" on.
  4. You will now be prompted to provide a password to secure your tokens.
    Pasted image 20210629162315.png
  5. Important: since you may be adding multi-factor authentication to your password manager (i.e. Bitwarden), you may need to unlock Authy before you can get into Bitwarden! So instead of securing Authy with a random password kept only in Bitwarden, we recommend that you 🔒 Generate a Strong Passphrase for your Authy backups, which is easier to write down and type.
    • Note: As you will only use this passphrase when installing Authy on a new device, write it down and store it securely offline.
    • Note: DO NOT reuse the passphrase you generated for Bitwarden, as that would defeat the purpose of having a second factor on Bitwarden!
  6. Your tokens should now be backed up!
    Pasted image 20210629165048.png

Excellent! Now it shouldn't matter which device you add an MFA token on: Authy's syncing ensures that the token is available wherever you have Authy.

Note: on your other devices you will be prompted for the new backup password, so go ahead and confirm it on every device with Authy installed.

Pasted image 20210629165349.png

Restoring access to your passwords

So if you lost all your devices and had to start from scratch, how would you get back into Authy and Bitwarden to unlock your other accounts?

  1. Install Authy on a new device.
  2. Restore the backup with your Authy passphrase (stored offline).
  3. Install Bitwarden on the device, or use the web vault.
  4. Unlock Bitwarden's first factor with your master password (stored offline or from memory).
  5. Use your Authy token for Bitwarden's second factor.
  6. You have now regained access to all your passwords.

Bitwarden also shows a two-step login recovery code when you enable its second factor; keep that with your offline notes as a fallback in case the Authy backup itself is lost.

5. Add second factors to all your sensitive accounts

Now that you have an Authenticator app, you'll want to use it.

In our example we will add T-OTP to a Facebook account; the steps for most services are similar. See 🔒 Setup 2FA for Facebook for an example of how to secure your online accounts with 2FA.

For all your other accounts, follow the advice in 🔒 Use Multi-Factor Authentication.

Sources: ArsTechnica, GuidingTech