Turning on strong authentication can quickly become a nightmare because of the multiple second factors that must be managed. Here are some tips to avoid getting lost in this cryptographic thicket.
As we know, a password alone is no longer enough to protect an online account. Faced with the inventiveness and professionalism of attackers, it is strongly recommended to use a second authentication factor, especially for the most important accounts such as e-mail, social networks or cloud services.
The problem is that managing these second factors is not so straightforward. There are several kinds of second factors, and not all online services offer the same ones. In addition, for each service where strong authentication is activated, you must remember to set up a second “backup” factor, so as not to end up in trouble the day one of the factors is unavailable. In short, it is very easy to drown in all these procedures. That is why you need to proceed methodically.
Choose your second factor
There are several types of second factors. The best possible choice is the security key. It has the advantage of being independent of your devices, and it is very difficult to compromise. It is the perfect choice for people at risk (journalists, activists, politicians, senior executives and so on) and for the paranoid. But it is not cheap, and it is one more object to look after.
A good alternative is a one-time code generator (TOTP, Time-based One-Time Password) on a smartphone or computer, for example Google Authenticator, Microsoft Authenticator or Authy; there are many others. The principle is always the same: you scan a QR code (or manually enter a sequence of characters) and the app then generates a different secret code every 30 seconds, which you must enter to log in.
Some services also offer their own in-house second factors. This is the case for the Yahoo mobile app, used to log in to the eponymous messaging service, but also for most banking apps. At Google, any smartphone on which one of the company's apps is installed and signed in can also serve as a second factor.
Finally, let’s not forget e-mail and SMS. These are now considered obsolete and unreliable because of phone-line hijacking (“SIM swaps”), but they are still widely used.
Create a backup
The problem with the second factor, as you will have understood, is its loss or unavailability. If you lose your smartphone, you also lose the one-time code generator or the in-house app. This is why it is advisable to create, where possible, another second factor that can be used if the first one no longer works. The good news is that many services allow you to activate several second factors. Google is very open in this respect: it lets you add several security keys, several smartphones, as well as a one-time code generator.
Unfortunately, not all services offer such a choice. Some do not support security keys, or even code generators. You will have to make do with what is available. The main condition to respect is that the backup must be accessible from a different physical medium than the usual second factor. Otherwise it serves no purpose.
It may be wise, for example, to install a TOTP generator on the smartphone and another on the laptop for the same service. This is entirely possible, as one can use the same QR code to activate both. You can also save or print this QR code and store it in a secure place. The day your generator is no longer available, it will allow you to restore the lost second factor.
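As an added illustration (not from the original article) of how the TOTP scheme described above works, and why two generators provisioned from the same QR code stay in sync, here is a minimal RFC 6238 implementation. The seed is the RFC 6238 test secret, constructed here for the example and not tied to any real account; the service name and device names are likewise assumptions.

```python
import base64
import hashlib
import hmac
import struct

# Constructed seed: the base32 string a provisioning QR code carries.
# It is the RFC 6238 test secret "12345678901234567890", not a real account's.
EXAMPLE_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30  # the 30-second window the article mentions


def totp(seed_b32: str, unix_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: HOTP computed over the time-step counter."""
    padded = seed_b32.upper() + "=" * (-len(seed_b32) % 8)  # base32 needs 8-char padding
    key = base64.b32decode(padded)
    counter = unix_time // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(seed_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the code of the current step or +/- `window` steps of clock skew."""
    candidates = (totp(seed_b32, unix_time + k * STEP_SECONDS) for k in range(-window, window + 1))
    return any(hmac.compare_digest(c, submitted) for c in candidates)


def provision_backup(seed_b32: str, unix_time: int) -> dict:
    """Two generators enrolled from the same QR code (phone and laptop, hypothetical device names)
    hold the same seed and therefore emit the same code for the same time step."""
    return {"phone": totp(seed_b32, unix_time), "laptop": totp(seed_b32, unix_time)}


if __name__ == "__main__":
    now = 1111111109  # one of the RFC 6238 reference timestamps
    codes = provision_backup(EXAMPLE_SEED_B32, now)
    print("phone:", codes["phone"], "laptop:", codes["laptop"])
    # A laptop whose clock runs 20 s fast is still accepted within one step of skew.
    print("accepted with skew:", verify(EXAMPLE_SEED_B32, codes["laptop"], now + 20))
```

Because the laptop's code equals the phone's, losing the phone costs nothing as long as the laptop (or the printed QR code, which is the same seed) survives; the seed itself is therefore as sensitive as the password it complements.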
Finally, some services also offer backup codes. These can serve as a backup provided they are stored in a place that is both secure and accessible.
Check the relevance of your backups
By the time you have activated your tenth second factor, you will be drowning and will no longer know which type of strong authentication you have for which service. That is why it is recommended to write it down somewhere, for example as a table listing, for each online service, the second factors activated. This not only makes it possible to detect inconsistencies (two second factors on the same physical medium) but also to spot gaps in coverage.
Then, for each service, imagine that you lose one or more of your devices and ask yourself whether you would still be able to log in. If not, it may be necessary to… create yet another second factor.