The 12 Days of 2FA: How to Enable Two-Factor Authentication For Your Online Accounts

The 12 Days of 2FA: How to Enable Two-Factor Authentication For Your Online Accounts

-- Tom

 

How To Enable Two-Factor Authentication on Gmail and Google

-- Tom

 

How To Enable Two-Factor Authentication on Yahoo Mail

-- Tom

 

How To Enable Two-Factor Authentication on Outlook.com and Microsoft

-- Tom

 

How to Enable Two-Factor Authentication on Facebook

-- Tom

 

How to Enable Two-Factor Authentication on Twitter

-- Tom

 

How to Enable Two-Factor Authentication on Dropbox

-- Tom

 

How to Enable Two-Factor Authentication on Amazon

-- Tom

 

How to Enable Two-Factor Authentication on Bank of America

-- Tom

 

How to Enable Two-Factor Authentication on LinkedIn

-- Tom

 

How to Enable Two-Factor Authentication on Slack

-- Tom

 

How to Enable Two-Factor Authentication on PayPal

-- Tom

 

It's really disappointing that PayPal are still with VIP or smartphone 2FA, since they were one of the members of the U2F (but were sadly going down the biometric route). I really don't get the argument that you can't support a $10 small passive device that has a smaller attack surface vs a $$$$$ smartphone with high level of attack surface and poor battery.

Of course, it's really because they want you by the smartphone and mobile number.

 

I am considering using one of my Bitcoin Trezor's for this purpose. Its fully U2F but I have been procrastinating because few of my accounts support it yet. It would also be a great smokescreen for why I am carrying a Trezor anyway. I use my smartphone for several real name places where a simple "text" is my whopping 2FA. Better than nothing. LOL!

For those living in the USA I would say don't get your short term hopes up. Hell, we haven't even activated full credit card chip technology yet and its deadline was a longggggggg time ago. Maybe 20% of merchants offer chip protection for their customers where I live. That being the case, why would I expect U2F to be any different?

 

I'm thinking about activating 2FA on all of my accounts, but what if you don't have access to your smartphone? I would also love to have a hardware authenticator, that could be used for most important sites, like banking, email and social media.

https://www.vasco.com/products/two-factor-authenticators/index.html

 

If you lose your smartphone, you can use backup codes to login into your account (it depends, not all are providing backup codes)
For example In the case of Protonmail, after enabling Two-factor authentication the user can see a list of backup codes which the user should keep in a safe place:

 

Yeah, I am disappointed with the use of (or lack of) U2F. Years ago I thought this would be a standard for many sites but not much has happened since then.
Well, I don't mind anymore what PayPal uses. I closed my account a while ago - this time for good. In the past they declined several perfectly legitimate transactions for no good reason. I canceled my credit card as well. I don't mind my credit score, haha.

I also don't like linking my mobile number to accounts. I do 2FA in an isolated Qubes VM and it works like it should. (https://www.qubes-os.org/doc/multifactor-authentication/) I don't use smartphones for excessive surfing or shopping so it is a nice alternative.

@Palancar
Thanks for your report on Trezor. I read your experiences and I am interested in buying one. I just did a little research and it looks like a very good solution. Would you recommend it compared to other devices? It's a little expensive but it would be usable for a long time, I suppose.

 

Balthazar,

The TREZOR was a no brainer for me. I am a crypto trader and a hardware wallet is virtually a must if you want any level of convenience without sacrificing security. With coins, one private key leak means they are gone. As soon as the new TREZOR2 gets released the original Trezors will sell for cheap, cheap. Beta and code for the next generation Trezor is proceeding, but still no official release date yet. You might score an original Trezor on the cheap if the timing goes right for you. The U2F is solid on the original trezor. I don't use that feature yet as posted earlier in this thread, but that is due to not many establishments accommodating the features it offers. I do have all the firmware updated and the device is ready but I don't have anywhere to use it (maybe one or two sites but I need about a dozen).

 

@Palancar
Thanks for the reply. I will wait and see when the Trezor2 gets released. If it's not taking too long I will then decide which to buy. I bought a few "gadgets" in the past and most of them are put to good use. I still use my old Yubikeys for static passwords.

 

OK, I see. BTW, I was wondering if it's possible to develop a hardware authenticator (like from Vasco) that works for all major sites. I'm not sure if it's technically possible.

 

https://www.forbes.com/sites/kalevl...-the-government-backed-attackers-come-for-you

 

Nice read. I prefer a special usb key to the other approaches. Even SMS is a major step in the right direction, but its not U2F.

 

How to Secure Your Accounts With Better Two-Factor Authentication
July 22, 2018
https://www.wired.com/story/two-factor-authentication-apps-authy-google-authenticator/

 

I prefer my Yubi's in actual U2F mode over all other modes they offer. By the way if the site you are using only supports TOTP and not U2F, try and set it up so the code is displayed on a separate device from the one you are logging in with. e.g. Logging in on my laptop but viewing the TOTP on my cellphone screen to acquire the needed 6-8 digit code. It is far safer to keep the authenticator AWAY/OFF the same device being logged in. Lastly to save you from disaster make sure to save the base 32 code or the QR code so you can re-install if the authenticator device gets damaged, lost, etc.....

 

Good Primer on Two-Factor Authentication Security
August 22, 2018
https://www.schneier.com/blog/archives/2018/08/good_primer_on_.html