Multi-factor Authentication | Setup 2-Factor Authentication
In the previous story we discovered Passwords alone were not “Strong” enough.
We then explored the different Factors (Types) of Authentication that could help reinforce security.
Today, we learn how to use Two Factor Authentication, if available on apps/websites.
Introduction
The term “Two Factor Authentication” refers to Type 1 and Type 2 of Authentication Factors, we learnt earlier.
While Type 1 would still be your Password, the Type 2 refers to a Time-based Token that refreshes per minute.
Industrial standards generally require a Hardware based E-Token device that is provided to their personnel.
There are also Software based tokens that can be installed on your smartphone that enable you to use the exact same level of security on social media and other websites.
Software-based E-Token Services:
Some such software are Google Authenticator, Microsoft Authenticator.
The first condition that needs to be fulfilled is, the website you are on has enabled Two-Factor Authentication.
The next step would be for us to enable 2FA on our account and connect our Authenticator Service to the account.
Then whenever we login, we would be asked both our Password and Token one after the other.
Setup 2FA on Account:
We are going to consider the example of Instagram for this demonstration, our Authenticator service is Google Authenticator.
You can use any service for any website. The steps are fairly simple and same everywhere.
Step 1: On Instagram. Go to your Account, Open the Menu bar. Tap on Settings.
Step 2: Tap on Security.
Step 3: Tap on Two-Factor authentication.
Step 4: Tap on Authentication App (Recommended) and toggle the Slider to ON (To the Right).
Step 5: A window with a long Secret Key will appear. Copy this key. This will be inserted in the Authenticator App to connect it to our Account.
Step 6: Now would be a good time to Install your “Authentication app” if you haven’t yet.
Tap on Set up Manually to learn the process.
Step 7: Tap on Enter a Setup Key.
Step 8: Enter the key we copied in Step 5 here. An 8-digit PIN will appear.
This very PIN is the Token we are looking for. This Token expires in 1 minute and a new token is generated. No Token will be repeated. Copy this PIN or memorize it.
Step 9: Back to the Instagram app. Enter the Token digits in the space provided.
When this step is completed, the 2 Factor Authentication is enabled for your account.
Step 10: The next window will give you some recovery codes.
It is very important that you note them down, or preferably screenshot them, print them and then delete them from your phone.
These codes will be used if your ever happen to lose then phone that has the authenticator app.
Step 11: Log out of Instagram and try to login again.
Did the app ask you for your authenticator PIN? It is possible that it did Not.
Why? Because your Phone is considered as a Trusted Device by Instagram and thus it will never ask you for 2FA.
Remember, Type 2 authentication is Something you Have.
In this case, the authenticator PIN was to prove that you are in possession of the device with the Authenticator App.
On the other hand, logging in to Instagram via a Trusted Device has already proven that you have, or are in possession of a device that Instagram trusts for your Account.
The Trusted Device mechanism is an in-built Type 2 authentication mechanism by Instagram. This always ensured that users are passed through a 2-Factor Authentication by default.
Then why do we need another Type 2 Authenticator?
Because the Trusted Device Mechanism is easily overridden. This override allows users to connect from different devices.
In other words, the Trusted Device Mechanism would allow you to easily login to your account from a Trusted device but won’t pose that much off a deterrent to another device.
That much needed deterrent is provided by Authenticator App based authentication.
To test 2FA on your account, you can try to login to Instagram from another Device, like a second mobile or a laptop.
Then you would be asked for a PIN after you enter the Password correctly.
Go to the Authenticator App and copy the PIN to login.
Now that the 2FA is in place, you might ask, what benefit has it brought us?
The Authenticator App is generating what we call a Time-based One Time Password (TOTP). This token expires in 1 minute (some cases, 30 seconds).
When we login, it is important that our password is accompanied by this TOTP.
Now any hacker who has cracked our password by any means is now faced by a second challenge,
that is to guess the new TOTP, and this must be done in the time-frame of 1 minute, which becomes extremely difficult.
Though this may not look as a complete solution, this goes a long way in hardening our security posture, while being extremely easy to setup.
