How to make two-factor authentication less of a pain

You probably know by now that you should never use the same password in more than one place, and that each of your passwords should be strong enough to resist an automated attack. Perhaps you use iCloud Keychain, or a third-party password manager such as 1Password or LastPass, to generate random passwords, store them, and fill them in automatically. But all that may not be enough if a site suffers a security breach that reveals its users' passwords to an attacker--sadly, a frequent occurrence.

At the moment, the best defense against such attacks is two-factor (or two-step) authentication, in which you need more than just a username and password to log in on an untrusted device. You also need a second element, which often takes the form of a numeric string sent by SMS and so foils any attacker who has your password but not your phone. Most major Internet companies offer two-factor authentication as an option--you can read how to set this up for your Apple ID (which now applies to the iCloud website as well), Dropbox, Evernote, Facebook, Google, and Twitter, for example.

The problem with two-factor authentication is that it's a bother, requiring an extra, manual step. Usually you have to do this only once per device or app, after which point ordinary logins work, but even so, it's a pain. Here are a couple of ways to reduce that inconvenience.

Use an authenticator app

Many services that use two-factor authentication let you use an iOS app--in lieu of SMS--to obtain that secondary authorization code. (This option is handy because SMS isn't always reliable or prompt, it's useless in locations where you have no cellular signal, and it won't help you if you're using an iPad rather than an iPhone.) In some cases, two-factor authentication uses the service's own app. For example, in the Facebook iOS app, you tap More > Code Generator to see the current code. Similarly, Apple can now use the Find My iPhone app to deliver codes (such as when you're logging in) via a push notification, as an alternative to SMS. And Twitter has a unique approach: you can set it up to use its iOS app for two-factor authentication without requiring a code at all.

But most services use a free, third-party iOS app such as Google Authenticator to generate the codes. You start by logging in to a service's website and finding its two-factor authentication settings page. There you'll typically find either a QR code or an alphanumeric key. Open your authenticator app, add a new account, and either scan the QR code with your camera or type in the key. From then on, the app generates the secondary codes, for each of your accounts, every 30 seconds.

An alternative to Google Authenticator is a free app called Authy. It works with all the same sites as Google Authenticator, but it has a cool extra capability: it can sync accounts across all of your iOS devices automatically, and (with a free companion Mac app, which works on newer Macs with Bluetooth 4.0 support) can even send codes to your Mac and enter them for you automatically--although this doesn't work as often as I'd like.

Use one-time verification codes

When you set up two-factor authentication, there's always the worry that you could lose the iOS device you use for that second factor, thus making it impossible for you to access your own account. So most companies supply you with an extra code of some sort (Apple calls it a recovery key; Dropbox and Twitter refer to it as a backup code) during the setup process. You should either print this out and keep it in a safe place, or put it in a secure digital location (such as your password manager). If you ever need to get into your account without your secondary device, this code can save the day.

But some companies take this concept a step further. Evernote, Facebook, and Google, for example, supply you with a list of codes that you can use whenever you like, in place of SMS or a code from an authenticator app. Each code can be used only once, however; if you run out of codes, you have to go back to the appropriate page in the Settings portion of each site and generate another list. Again, keep this list in a safe place--and take it with you when traveling, just in case.
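Here is an added example (not code from the article or from any of the services it names) of how a service can issue and honour a list of single-use backup codes like the ones described above. The codes are shown to the user once; the service keeps only a hash of each, so a database leak does not hand an attacker working codes, and a code is deleted from the store the moment it is accepted, which is what makes it single-use. The alphabet, code length and count are this example's own choices.

```python
import hashlib
import secrets
from typing import List, Set, Tuple

# Alphabet without look-alike characters (0/o, 1/l/i) so a printed code is easy to type back.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def normalize(code: str) -> str:
    """Accept the code however the user typed it: any case, with or without the hyphen."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def code_hash(code: str) -> str:
    """A 10-symbol code from a 31-symbol alphabet carries roughly 50 bits of entropy,
    so a plain SHA-256 suffices; the point is that the store never holds the codes themselves."""
    return hashlib.sha256(normalize(code).encode()).hexdigest()


def generate_backup_codes(count: int = 10, length: int = 10) -> Tuple[List[str], Set[str]]:
    """Return (codes to show the user once, hashes for the service to store)."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(CODE_ALPHABET) for _ in range(length))
        codes.append(raw[: length // 2] + "-" + raw[length // 2 :])
    return codes, {code_hash(c) for c in codes}


def redeem(stored: Set[str], candidate: str) -> bool:
    """Single use: a matching hash is removed from the store as it is accepted."""
    h = code_hash(candidate)
    if h in stored:
        stored.remove(h)
        return True
    return False


def remaining(stored: Set[str]) -> int:
    """How many unused codes are left; when this reaches zero the user generates a new list."""
    return len(stored)


if __name__ == "__main__":
    codes, store = generate_backup_codes()
    print("Print these and keep them somewhere safe:")
    for c in codes:
        print("  ", c)
    print("first code accepted:", redeem(store, codes[0]))
    print("same code again:", redeem(store, codes[0]))
    print("codes left:", remaining(store))
```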


Stories by Joe Kissell
