Two-factor authentication and account recovery

Last time we talked about strong passwords, but what if there was a better way to secure your account? We look at options for two-factor authentication, including text messages, apps, and security keys. Plus, security news from Apple, one of Liz's accounts got breached, and Geoffrey wants to celebrate a special birthday.

Two-factor authentication and account recovery episode art

Timeline

  • 0:54 - If you can't change your password, try resetting it
  • 1:12 - Security news: Ticketfly breach
  • 1:37 - Security news: EFF's recommendations for turning PGP encryption back on after EFAIL
  • 1:58 - Security news: Intelligent Tracking Prevention 2.0 in Safari
  • 3:43 - Security news: iOS 12's USB Restricted Mode
  • 4:19 - Security news: Safari's password manager now warns about using the same password on multiple sites
  • 4:57 - Introduction to two-factor authentication
  • 7:49 - Types of two-factor authentication methods
  • 18:24 - Backup access when you lose access to two-factor and two-factor recovery codes
  • 25:03 - Account recovery questions

Show notes & further reading

Two-factor support

There are many ways to implement two-factor authentication (2FA). The most popular ones, in loose order of weakest to strongest, are

  1. phone-based methods, either SMS or a call (weakest)
  2. email
  3. an app that does push notifications
  4. an authenticator app that generates codes (usually offline), which is sometimes referred to as a "software token"
  5. U2F/WebAuthn security key, which is sometimes referred to as a "hardware token" (strongest)

Also, many sites will give you a backup code for if you lose your two-factor device, and some may let you disable two-factor authentication by contacting customer service or with an emailed password reset.

It's good to know what all options are available so you can use the strongest ones possible - and also so you can disable the weaker ones, like the phone-based methods or the option to disable customer service. Of course, you need to have your own backup option at that point, so you also need the site to support multiple strong second factors. We discuss several good backup strategies in the episode.

We've included a roundup of how some popular websites / services support two-factor authentication below. A larger, crowdsourced list of which types of two-factor various websites support at twofactorauth.org, although it doesn't go into as much detail as our roundup does for these popular websites.

Amazon supports 2FA via SMS and an authenticator app to generate codes. SMS or a phone call is required to enable 2FA, and even if you use an authenticator app, Amazon will backup to using a phone-based method.

Amazon claims it will require security codes when contacting customer service, but that has not always been our experience, at least when setting up a phone call with support via the website.

Amazon does not provide 2FA backup codes. If you lose access to all of your 2FA methods, you can contact customer service.

One additional neat thing Amazon does is request feedback from you if you turn off all your 2FA methods. We're extremely curious if that dissuades Amazon customers from turning it off.

Apple IDs support both "two-factor authentication" and "two-step verification," which are both very similar - two-step verification is a little older, and they recommend new users use "two-factor authentication". Both mechanisms require using Apple devices as your physical factors, and also require a backup phone number. You can enable two-factor authentication in your iCloud settings in either iOS or macOS. Two-factor authentication does not give you a long-term backup code; you can get a 6-digit code from one of your trusted devices even if it's offline.

Facebook supports two-factor authentication via SMS, authenticator apps to generate codes, and U2F/WebAuthn security keys. If you use SMS-based two-factor authentication, note that you can only have 1 account per phone number. Also, there are reports that Facebook abuses the phone number to send you notifications, so that's yet another reason to avoid SMS-based 2FA.

You have to initially enroll with either SMS or an authenticator app; you can then add additional authenticator apps (using the same secret QR code), SMS if you didn't use it, additional security keys, or recovery codes. By default there are no recovery codes, and generating a new batch of 10 recovery codes invalidates the previous ones.

You also get a notification on other devices like you're already signed in, which you can use if you don't have access to your second factor. There appears to be no way to disable this feature, but because it's only on devices where you're already signed into the account, it doesn't seem like a risk.

If you lose access to all of your two-factor authentication methods, you can send a photo of your government-issued ID or a photo of yourself holding a sign with a hand-written code to customer support.

By default, there's a one-week grace period where 2FA isn't really enforced (you can just choose to disable it at log in), which might be nice for peace of mind if this is your first time using 2FA. You can disable this in settings.

Google accounts (including Gmail and Android) require you to set up 2FA with text messages to a phone number. Once enabled, you can add security keys, an authenticator app, or push notifications via the Google Prompt app on Android or iOS, and then you can disable the phone number method. Backup codes aren't enabled by default; generating new backup codes gives you a set of ten that invalidates all previous backup codes. See Google's page on 2FA for more details.

Tech Solidarity has a step-by-step guide for setting up two-factor authentication with a security key and an authenticator app only, which they recommend to political candidates they work with.

Instagram supports 2FA only via SMS. You can only have 1 account per phone number, and adding 2FA to a second account with the same phone number will automatically turn 2FA off for your first account. Update: As of late 2018, Instagram now supports two-factor authenticator apps. Since Instagram is only fully-featured on your phone or tablet, Instagram will cleverly try to detect and set up an authenticator app on the same device automatically, and if you choose to let it set up your authenticator app for you, it could be hard to set up your backup phone's authenticator app, too. If you want to also set up the authenticator app on your backup phone, you should choose to "set up manually." You'll be given a key to enter into your authenticator apps, and you can enter it into the app on your phone and your backup phone at the same time. Ideally, you don't want to send a plaintext message or email to yourself to get it on your other phone - it's a little more annoying to type in the code manually on your backup phone, but that's the most secure option.

Instagram provides you with 5 backup codes when you set up 2FA, and you can see your existing backup codes or generate new ones that invalidate the old ones in the Two-factor authentication section of settings.

PayPal uses the phrase "security key" to mean "we'll send an SMS to your phone." They do not support actual security keys, nor any other strong two-factor authentication option, and PayPal will also let a phone call to a number on your account substitute for your configured 2FA mechanism. Enabling 2FA automatically disables their One-Touch Pay feature.

Reddit only supports authenticator apps, and gives you ten backup codes. Generating new backup codes invalidates the old ones. You can disable two-factor authentication when logged in without access to the second factor, and you can also ask support to disable it, which "may take us several days and does not guarantee your account can be recovered." Their documentation is pretty clear, and the login page prompts you with "You have two-factor authentication enabled on this account because you're awesome."

Twitter supports 2FA via SMS and an authenticator app to generate codes. Update: A couple weeks after we released this episode, Twitter started supporting U2F/WebAuthn security keys. SMS is only available on select providers, and you must associate your phone number with your account to use SMS-based 2FA. You can use ten accounts per phone number, but only one phone number per account.

Twitter provides you with a single backup code when you enable 2FA. You can see the most recent backup code you generated at any time at Account > Login Verification in settings, and you can also generate new codes on that page. The last five backup codes you generate are all valid even though they are generated one at a time, and when you use a backup code, any code generated before that code is automatically invalidated. We strongly recommend you generate 5 new codes whenever you need to regenerate backup codes to make sure that all past ones are invalidated.

If you lose access to all of your 2FA methods, you are able to contact support.

When evaluating the two-factor authentication methods that are available for other websites and services, make sure to answer the following questions:

  • Which two-factor methods are available? Phone-based? Email-based? Push notifications? Authenticator apps? U2F/WebAuthn security keys?
  • If I have multiple accounts with this website or service, will I be able to use my phone number for all of them?
  • Can I use multiple strong 2FA mechanisms?
  • How do you get backup codes? How do you re-generate backup codes, and invalidate old ones?
  • What if you lose access to your account? Can customer service reset your account? (You might want the answer to be no!)

Authenticator apps

For an authenticator app that scans a QR code and generates a changing 6-digit value ("TOTP", for "time-based one-time password"), we both use Duo Mobile (iOS, Android, Windows Mobile). Both of us originally installed it because we've been at schools and workplaces that use Duo's push-based authentication.

Geoffrey has used Google Authenticator (iOS, Android) in the past. We've also heard recommendations for Authy (iOS, Android, Chromebook) and Authenticator Plus (Android), both of which support encrypted backups. LastPass users may like LastPass Authenticator (iOS, Android, Chromebook), which integrates with the LastPass browser extension to automatically copy two-factor codes into a few popular websites. The current leading open-source options seem to be Red Hat's FreeOTP Authenticator (iOS, Android), whose source code is on GitHub, and Matt Rubin's Authenticator (iOS), also on GitHub.

You can download all these apps from your device's app store. (As always, we can't speak to the ones we haven't used, and we haven't audited their security claims.)

If you have a Yubikey with NFC wireless support, Yubico Authenticator (Android) lets you store the secret information on the Yubikey itself. If you don't have a cell phone, there's also a Yubico Authenticator app for desktop (Windows, Mac, and Linux) which does the same thing. This should be more secure than an app that stores the secret directly on your computer.

Security Keys

A drawing of a YubiKey on a keychain.

The current security key standard is "FIDO U2F" ("FIDO" is the industry group behind the specification, and "U2F" stands for "Universal Second Factor"). The upcoming one is branded as "FIDO2," which includes the W3C Web Authentication API ("WebAuthn") and the Client-to-Authenticator Protocol (CTAP). You will probably see security keys advertised as FIDO U2F, and newer ones as FIDO2 or WebAuthn.

The original and best-known manufacturer of security keys is Yubico, whose current products include the $20 Security Key (USB-A only), the full-featured YubiKey 4 (USB-A or USB-C, including "nano" options designed to stay in your USB port), and the YubiKey NEO (USB-A and NFC wireless). The Security Key model doesn't support additional YubiKey features like storing PGP private keys, which most people are unlikely to use. (Geoffrey bought a YubiKey 4 but only uses the Security Key functionality.)

Google's Advanced Protection guide suggests you get one Yubico Security Key as your backup, and a Feitian MultiPass FIDO Security Key as your primary option. The MultiPass costs $25 and supports both NFC and USB, although it needs a USB cable.

There are a number of other options on Amazon, some as cheap as $10. Search for "U2F" and check the reviews.

Remember that these currently only work in Chrome or recent versions of Firefox, and require either the right type of USB port (or an adapter) or NFC wireless communication. The NFC options currently only work on Android (iOS doesn't have the right software support for apps to use NFC for U2F), so if you use a non-Android mobile device, you almost certainly want one of your second factors to be something other than a security key, such as an authenticator app. For Google accounts only, the Google Smart Lock app works with the Feitian MultiPass over Bluetooth, but this isn't a general U2F mechanism and won't work for other sites.

Account recovery questions

When you sign up for a new online account, often they'll ask you some additional security questions that they might use for account recovery or for additional account security. Since these are usually personal questions and their answers are often easy to find out on social media or limited to a small set of possible responses, it's best to generate something random for them. If you ever need to give them to a customer service agent, you probably want to use a random string of words instead of characters, numbers, and symbols because customer service doesn't always pay too close attention when checking non-human-friendly responses.

Since they're not intended to be a true second factor, it's okay to store your answers in your password manager.

In the news

Apple announced a Intelligent Tracking Prevention 2.0 in WebKit, the open-source project behind Safari. ITP 2.0 prevents you from being tracked by websites that have their code embedded on multiple other websites, including advertisers, media hosts, comment forms, and many other servers that would otherwise be able to form a profile of you across the web. The feature is not yet in Safari but should be in the next version. They also announced are a couple of other privacy features, including resistance to browser fingerprinting and an improved password manager.

The current iOS beta releases include a feature called USB Restricted Mode, which disables the ability to connect to your device over USB after it's been locked for one hour. Elcomsoft, a Russian digital forensics company, wrote an initial analysis of this feature when it appeared in the iOS 11.4 beta and had a one-week timeout. It's now been pushed back to the iOS 12 beta, and Motherboard has a longer discussion about how it could prevent police from breaking into seized iPhones.

The Electronic Frontier Foundation now says that PGP email plugins are safe to use again, "with sufficient precautions," including the "View as Plain Text option." This updates their previous advice to disable PGP email plugins (a position that others, including the ACLU, criticized as a "bad response").

Transcript

Liz Denys (LD): Last time on Loose Leaf Security, we talked about online account passwords. Now that we're all moving towards having unique passwords for every site that we store in some sort of password manager, what else can we do to secure those accounts, Geoffrey?

Geoffrey Thomas (GT): Great question, Liz. We should all be setting up two-factor authentication wherever we can.

LD: We should also make sure that our account recovery information is secure.

Intro music plays.

LD: Hello and welcome to Loose Leaf Security! I'm Liz Denys,

GT: and I'm Geoffrey Thomas, and we're your hosts.

LD: Loose Leaf Security is a show about making good computer security practice for everyone. We believe you don't need to be a software engineer or security professional to understand how to keep your devices and data safe.

GT: In every episode, we tackle a typical security concern or walk you through a recent incident.

Intro music fades out.

LD: Before we get into the news, I want to clarify something quickly about password management that we didn't mention last episode. Sometimes websites don't give you an explicit option to change your password, but often those same websites will allow you to change your password through a password reset.

GT: Yeah, don't give up on changing your password until you've tried to reset it!

LD: Yeah. Alright, let's talk about recent security news. There's been a lot security news in the last couple weeks. Since our last episode, I actually got an email from haveibeenpwned.com! My personal information was among the 27 million people "pwned" in the Ticketfly breach. As haveibeenpwned.com's email mentioned, this breach contained email addresses, names, phone numbers, and physical addresses, but no passwords, so there's not really much to do. It's good to know, though!

GT: For those of you who do use PGP encryption with your email, the Electronic Frontier Foundation released some guidelines on how to turn that back on as safely as possible after EFAIL. We'll include a link in our show notes. Oh, did you know PGP's 27th anniversary was a week ago?

LD: I didn't, but neat! Maybe before another 27 years pass, we'll get easy to use, reliable secure email!

GT: Maybe. At Apple's Worldwide Developer Conference last Monday, they announced a new feature in Safari they're calling Intelligent Tracking Prevention 2.0. So you know those little Like or Share buttons you see on websites, like at the end of news articles or whatever? It turns out many of them are actually pieces of code that are loaded from whatever social media service that is. So when you just visit the website, every social media service that has one of those buttons already knows that you've been there and what page you're reading, and they can track you and form a profile of what sites you tend to visit.

LD: We've been really careful on our own website not to use any Like buttons or other embedded pieces of code from social media websites. All of our social media icons are just normal links that happen to go to the start a new post or share a new link thing on Twitter or Facebook or whatever, and they don't secretly include any information that you were on our website. And it doesn't do anything if you don't click the link. We value our listeners' privacy a lot!

GT: The new Intelligent Tracking Prevention detects when any website has its code embedded in multiple other websites, and prompts you if it tries to use cookies. Also, if those cookies go unused for a month, they get deleted. So it isn't based on listing out specific social media sites, which is great - it can prevent unwanted tracking from any website, including comment forms or advertisers.

LD: Oh, yeah, sometimes on my iPhone I've seen a popup at the bottom of a website saying I need to click to approve ads, because they use a cookie for tracking.

GT: I hate that so much! It's just a way to get around the old version of their tracking prevention. It's a popup is coming from the ad company's website, and when you click on that popup, it tricks Safari into thinking that you want to interact with the ad company and you want to share cookies with them.

LD: The new tracking prevention is much more aggressive. It's not as complete as a full-on ad blocker, but we're very excited that Apple is doing this for everyone using their browser, and we hope that other browsers will follow their lead!

GT: Apple didn't talk about this at WWDC, but they're introducing a new privacy feature in iOS 12 called USB Restricted Mode. There's been some news recently about devices that can plug into your iPhone and somehow just unlock it - they're usually sold to law enforcement, but who knows who actually has access to them.

LD: Yeah, we don't have all the details on that, but it seems likely they act like a keyboard and try a bunch of different passcodes. The new restricted mode disables USB devices after your device is locked for an hour, which prevents these unlocking gadgets from working at all. So if you don't commonly plug a USB device into your phone while it's locked, you probably want to enable this.

GT: Speaking of things from Apple, one more thing! The password manager in Safari now complains if you use the same password on different sites. If you listened to our last episode, you know why you shouldn't do that, but if you're anything like us you've got tons of old passwords you still need to change.

LD: I actually spent a bunch of time tracking down some really old accounts and changing those passwords last week. How tedious. If we learned anything last episode, it's that passwords are … difficult.

GT: A necessary evil, but surely there's something better than just passwords.

LD: You must be talking about two-factor authentication!

Interlude music plays.

LD: When you use two-factor authentication, instead of just requiring a password to log in, you have to go through some extra layer of security to gain access to your account.

GT: You may actually already be using some form of two-factor authentication. Often your bank or utility bill companies will send a code to your phone you need to enter after you put in your password, and that's a form of two-factor authentication.

LD: Let's break down what we mean by factors. When we talk about "factors", we're talking about ways of demonstrating that you are who you say you are. Having my badge or credit card is one way I could show who I am. The fact that I know a PIN or a password is another.

GT: Those factors aren't perfect, though. Someone can just steal your badge or credit card, or they might guess a PIN or a password.

LD: Or those passwords might get leaked in some breach like we talked about last episode. Having unique, strong passwords only gets you so much security. Very few factors, including passwords, are perfectly safe on their own, and that's why we want to have multiple factors. In high-security environments, they usually require something you have, something you know, and something you are.

GT: Okay, so a badge is something you could have, a password is something you could know, and… what's something you are? I guess just showing up in person?

LD: Yeah, if there's a receptionist or guard who recognizes you, that's something you are, but more commonly, "something you are" refers to a fingerprint, a retina scan, or some other biometric information.

GT: There are tradeoffs in all of these types of factors. Last episode, we were just talking about passwords - something you know - and how they're a pain to remember, and they can get leaked.

LD: And if someone gets a hold of something you know - figures out your password or gets it in a breach - you might not know that they actually figured it out. Something you have can get stolen, but you'll probably notice it's missing, and ideally it's hard to duplicate or guess.

GT: Something you are is usually extremely hard to duplicate, but it gets technically leaked all the time - you leave your fingerprints everywhere, for instance - and it's completely impossible to change, so it's usually a bad choice when you're not next to something in person that you're authenticating to.

LD: So for those of us who aren't crossing international borders or walking into top-secret military bases each morning, we're probably not going to have all three types of these factors, but we can use two-factor authentication: something we know, which is our password, and something we have - usually, our cell phone or a special security key.

GT: Although! If you've got a fingerprint reader on your cell phone, or if you're using Face ID, that's actually authenticating you based on something you are. We'll talk about those in future episodes that focus on securing your physical devices.

LD: Let's start by talking about cell phones, which are convenient as a second factor since most people have a cell phone that they carry with them everywhere. Probably you already keep pretty close track of your cell phone given what else is on there - email, work email, social media, all your photos.

GT: And if you're not keeping really close track of your cell phone already, you probably want to start doing so!

LD: Modern cell phones are pretty good at securing the information they store, which is why, as we discussed last episode, they're great for password managers.

Interlude music plays.

LD: So two-factor is something that the website has to support, and what specific types of second factors are supported depends on the website. You should generally try to use the strongest type of second factor that you can. We'll have a list on our website of exactly what types of two-factor authentication are supported for some popular websites, and guidelines on what to look for in other sites.

GT: If you're doing something that needs very good security and you've got a choice of websites or services, you might want to consider picking the one that supports the strongest type of second factor.

LD: There's also a much larger, crowdsourced list of which types of two-factor various websites support at twofactorauth.org, although it doesn't go into as much detail as our show notes do for those popular websites. We'll link to that site in the show notes, too.

GT: I do appreciate that when a site doesn't support two-factor at all, twofactorauth.org instead has a little link to tweet at the site and say, "Hey, can you add two-factor? It's important to me."

LD: Yeah, we should all be pushing for better security options! So there are a couple different ways you can use your cell phone as a second factor. The easiest and most common one is that the website texts you or calls you. This is super popular with banks, because they generally already have your phone number. Usually they'll send you a six-digit code, and you'll type it in on the website. That way, if someone else is trying to log in as you, they won't get the code.

GT: My bank used to text me a code, and then ask me to text that code right back, which is pretty insecure. It doesn't guarantee that the person who got the text message and the person who's logging in are the same person at all. So if someone's trying to break in, and I'm not paying attention and I see this text and I just reply to it, I'll accidentally let them in.

LD: There's also a couple of scams where someone tries to get that code from you. In one of them, someone texts you and says, "Hey, I used to have this phone number, I need to get into this old account, can you send me the two-factor code?" In another one, they'll call and say they're from your bank's fraud department, and they'll need you to read them a verification code.

GT: Usually the text messages don't have any context, they're just "Your verification code is 456789" - which is normally great for security, but it opens up the risk of these types of scams. Bottom line: you should recognize what these texts look like, and the only time you should ever use the six-digit code is when you're actually trying to log in. Otherwise, just ignore the text.

LD: And if you're repeatedly been getting texts from a certain website, it might mean that your password's been breached. Still, you should ignore those unrequested two-factor code texts, but consider updating your password.

GT: Another two-factor method is that you get a push notification from some app you have installed. Google does this on Android and Apple does this on iOS, if someone logs into your Google or Apple account from a new place. It also seems to be popular with two-factor logins for companies. If your workplace or your school is using two-factor for accounts, or if it's as an option, they probably have an app you can download to do this.

LD: It's super easy to use: your phone buzzes, and you get this little notification that you can either approve or deny.

GT: Usually it'll say where the login is coming from, like what city and IP address, so it's a little more secure than just replying to a text. But still, you need to be careful not to hit approve if you weren't in the middle of trying to log in.

LD: The last phone-based method involves getting an authenticator app that will generate these 6-digit codes on its own. To set this up, the website gives you a QR code with some secret value. You scan the QR code in the app, and then it will use that secret value and the current time to generate a 6-digit code.

GT: There's a bunch of these types of apps - there's Duo and Google Authenticator which are two popular ones. There's some open source ones. There's some that are built into password managers. Some let you do encrypted backups of all of those secret values, which is super convenient if you need to switch phones, but a little bit less secure. We'll have some links on our website.

LD: Those codes change every 30 seconds and they expire quickly, so they're much more secure than the SMS code, which is often valid for a few minutes. Also, another great thing is that they work entirely offline. They just need the secret value, which is stored in the app, and the current time. So if you're traveling a lot, or you work somewhere with bad cell reception, it's a great option.

GT: Also, it turns out to be way easier than you'd expect to take over someone's cell phone number. There's plenty of stories of hackers just walking into a cell phone store and saying, "My name is so-and-so and I lost my SIM card, can you help me?" and they'll just give you a new SIM card for that phone number. So if you think someone might try to target you specifically, you should definitely avoid SMS and use the authenticator apps when possible.

LD: Yikes. We should definitely talk about that in a future episode.

GT: Yeah, there are a bunch of services that'll default to using SMS to setup two-factor, but let you switch to something stronger once you've done that. If they require SMS for the initial two-factor setup and you then set up an authenticator app, make sure you've also switched SMS off or otherwise you're just leaving this weaker way enabled for no reason.

LD: Also, sometimes, a service won't let you use the same phone number for multiple accounts. We actually learned this the hard way when I enabled two-factor for this podcast's Instagram account, and found out that my personal Instagram immediately got two-factor disabled. In fact, Instagram took my phone number off my personal account entirely!

GT: Oh that sounds like an unpleasant surprise. So, those are the cell-phone based options, but not everyone wants to use their cell phone. Maybe they don't have one, or you're sharing a cell phone with someone. Or maybe you just can't keep it charged.

LD: You can get a "security key" instead, a device that's a little smaller than a thumb drive, and it plugs in over USB. After you enter your password, a website will tell you to plug in your security key and tap a button on it. It will do some cryptography on the device itself, entirely outside of your computer, and provide a proof that it's "something you have". Because the cryptography happens on the key, even if there's malware on your computer, it can't permanently get access.

GT: Remember that this security key is one of those "something you have" factors, so you need to make sure you keep it secure, which probably means to keep it with you. Lots of people keep them with their house keys or in a different part of their bag than their phone.

LD: Some of the security key models are designed to just stay plugged into your computer all the time. They use up one USB port and they barely stick out past that port, so you can put your laptop in your bag and the token won't get in the way. Which basically means that the entire computer that "something you have." Again, for most people, that's fine; you don't tend to let your computer be accessed by random people. If you're regularly leaving your laptop in hotel rooms, or you don't trust your housemates or something, make sure you take that security key device with you when you leave your laptop out or consider getting something that encourages you to remove it every time - they do make ones that aren't as close to the laptop profile. Note that sharing a laptop or leaving a laptop in a place where people can access it is generally very risky, but sometimes, it's unavoidable and there are ways to mitigate that risk. We'll talk about physical device security in more depth in a later episode.

GT: So the oldest security key product is called the Yubikey, short for "Your Ubiquitous Key". The company behind Yubikey built a device that would do a few different things, one of them was just storing a long password on the Yubikey, and then they worked with Google Chrome to build the security key standard. And now there's a bunch of other people making security keys, some for very cheap. You can get a good one for less than twenty bucks.

LD: You should make sure your setup supports using a security key. Browser support for these types of devices used to be pretty bad. The original standard behind Yubikey was called U2F, for "Universal Second Factor." For a long time, despite the name "universal," Chrome was the only browser that worked with this U2F standard.

GT: About two months ago, though, the World Wide Web consortium announced a newer version of the standard called Web Authentication, or WebAuthn for short. It has a lot of support from other browsers, too. Currently, Chrome and Firefox both support it, and Microsoft Edge and Apple Safari are actively working on adding support.

LD: The coolest thing about U2F and WebAuthn is that, because the web browser is involved, it can tell the name of the website to the security key as part of the cryptography. So, if you're on some phishing website - that is a website that's pretending to be the website you want, but isn't - your security key literally won't be able to compute the right answer because that website doesn't match. So even if you end up giving your password to the phishing site, it's impossible to do the two-factor login with a security key. That's not true of those six-digit codes with your cell phone: it's up to you to not enter the code on the wrong site.

GT: Let's be clear: this doesn't make attacks completely impossible. If there's malware on your computer itself, it can still see what you're doing and it can try to change what you're doing and send the wrong information to the security key. And giving up even just your password to a phishing site is still pretty bad. But, these security keys are a super strong extra layer of security.

LD: Also, because both the website and the browser are involved, that website has to specifically support security keys. This method is gaining popularity, but it's still far from being offered on every single website. But if your email provider supports it or some other website that's really important to you, like a bank or social media that you rely on, we definitely think you should spend the twenty bucks if you can afford it and get that security key. It's extremely secure and much easier than remembering passwords.

GT: We're also very excited about WebAuthn because there's a lot of interest in using it to replace passwords. So instead of having the security key as a second factor, it might someday be your only factor. For things that aren't your bank or your email, if you're only going to have one factor, a security key is so much better than a password.

LD: So this next thing won't apply to most of our listeners, but we think everyone should at least know about it: Google has a thing they call "Advanced Protection," where you have to use a security key to sign into your account. There's no way to disable it. You can't do a password reset. You can't call customer service and gain access to your account again. There's just no other way to do it. In fact, they require that you get two security keys and tell you to carry only one of them on your keychain, and you should put your other one somewhere safe as a backup. If you're using Gmail or Google Drive or anything other Google product really, and you're a journalist, activist, politician, company executive, anyone at an unusual risk, you should definitely take a closer look at Advanced Protection. If you're using non-Google services, see if there's a way to get an equivalent level of protection.

GT: Right. For instance, my personal email is not with Gmail, it's with a smaller company, but their policy for everyone is if you have two-factor enabled, customer support will not let you turn that off, we hope you have a backup and we hope you know what you're doing, because when you enable two-factor, you're telling us that you want higher security.

LD: Whenever you enable two-factor authentication, you need to consider what happens if you lose access to it. If you previously planned to regain access by email or by contacting customer support, that might not be an option anymore. Many websites will treat your account more securely when you have two-factor enabled. They might not let you reset the password by email, which is often the weakest link, unless you have the second factor, too. A few of them won't even let customer support reset your password if your two-factor is enabled. We'll talk about backing up access to two-factor methods after a quick break.

Interlude music plays.

LD: So what happens if you don't have access to your phone or security key? What if you lose your phone or security key? It's not as simple as when you have a password and just need to do to an email reset of that password.

GT: The best answer is to have multiple second factors available to you. For most people, having both an authenticator app on your phone and a security key is a pretty good combo. The security key doesn't have a battery and is pretty sturdy, so it doesn't need to be charged like your phone, and it'll hold up much better than your phone will. In turn, your phone is probably a part of your everyday life, so you should have easy access to it if you lose your security key or you manage to break the security key somehow.

LD: Also, most sites that support two-factor will give you a set of backup codes when you enable it. These are kind of like the six-digit codes, but they never expire. You can print them out and keep them safe, but I honestly find them kind of scary because they don't expire and their purpose is to completely bypass two-factor. We'll talk more about what to do with these in a bit.

GT: For your lower-security accounts, using an authenticator app and SMS is a fine combo. The authenticator app keeps working if you're out of cell coverage or your cell phone plan stops working. And if you lose your phone, you can get a new one with the old number and get your codes texted to you. For very high security, do what Google recommends and get two security keys. They could literally be the same model: just set them both up, and leave one securely with your valuables.

LD: One trouble is sites that don't support multiple second factors. Usually sites that support security keys let you have more than one, but sites that do the QR code thing often only let you enable it once. If you try again, it will invalidate the old code. But there's a trick to it of course: you can scan the code with multiple cell phones, and they'll generate the same values. You should check that when it for a value to verify. This is also great for sharing an account with someone else, like we do for this podcast. Just be careful how you share that QR code - ideally you're going to set that up in person, together.

GT: So, honestly, I think one of the better backup ideas is an old cell phone you're no longer using. I have one that I got about three years ago that has a slightly cracked screen and doesn't run the latest software anymore, but I can still install an authenticator app on there. So all my important accounts, like my email, also have that phone set up as a second factor. Usually that phone sits in a box on a shelf, completely out of battery, but it's there if I need it and something happens to my regular phone.

LD: Yeah, I do this, too, and it gives me some peace of mind. If you have an old smartphone, you can also install your password manager on it and make sure it has a copy of your passwords - which is a little safer than writing them all down with your important passwords or writing down your master password.

GT: My old phone doesn't get security updates anymore, but that's more or less okay. I'm not using it regularly, and when I do, I'm not browsing the web or installing weird new apps, I'm just using the two-factor app I've already installed. In fact, I don't even need it to connect it to the internet at all to get those two-factor codes.

LD: So, Geoffrey, what if I'm using a password manager app on my phone, and I'm using a two-factor app on that same phone? Is that really still two factors? My password isn't really something I know anymore - I don't know the password, I let my password manager know it, and my password manager is just something I have. And my second factor is also the same thing I have.

GT: Yeah, it isn't technically, but most of the time you can make it so that your phone is more secure than your computer - you keep it with you, you don't let other people use it, especially without monitoring them. But for your most secure accounts, yeah, maybe you don't want both factors on the same device.

LD: Yeah, I've got my email password memorized instead of in my password manager like we were talking about last episode, so a second factor on my phone is a true, separate second factor for that account, which, you know, I care about a lot.

GT: A couple of people make a distinction between two-factor authentication and what they call "two step verification". It's pretty pedantic. It's saying that, well, if it's two things you have and not one thing you have and one thing you know, technically, it's not two different factors. But two step verification is still an improvement over regular passwords, which are just one step verification.

LD: Also, you're more protected from password breaches, and there's a little more difficulty getting into your account.

GT: It's like locking up your bicycle in New York - your lock doesn't have to be completely unbreakable, it just needs to look stronger than the lock on the next bike.

LD: So what should we do with those two-factor backup codes? As a refresher, you're usually given these when you set up two-factor in case you lose your second factor. Since they override the need for your second factor on your account, you want to make sure you're keeping them somewhere safe.

GT: I've heard a couple people recommend just putting them in your password manager.

LD: Doesn't that sort of defeat two-factor authentication methods becoming a true second factor?

GT: Yeah, a little, you're storing it in the same place like we were just talking about, so if there's malware on whatever device you're using or your password manager screws up encryption and your passwords leak, your two-factor backup codes would be right there with them, and that would make your two-factor auth useless. I guess you could instead put your two-factor recovery codes in whatever safe place you keep you birth certificate. You probably don't need to use them that much, so if it's slow and annoying to get to them, that's probably okay.

LD: You can also carry them in your wallet. I actually think this is a lot less bad than carrying your passwords in your wallet because now you're using two factors instead of just one, and you're not going to keep both in your wallet. If you're keeping any passwords your wallet, you definitely can't keep the two-factor recovery codes for the same accounts in your wallet because someone who gets that wallet is going to have both factors they need to gain access to your accounts. You'd want to quickly request new two-factor recovery codes if your wallet gets stolen so that you invalidate the old ones in your wallet. And that's not always super straightforward to do.

GT: Yeah, I was trying to do this with Twitter the other day - how do you do it? They don't have a clear button that says make the old backup code go away.

LD: There's actually a button on the Login verification page, but it's not really clear from the text on that page what's going to happen with the old code. I searched their help pages to find more information on this and actually got a pretty unsettling answer. Quote "You can generate up to five active backup codes at any given time. Be sure to use the codes in the order in which you generated them; using a code out of order will invalidate all previously generated codes." This is a pretty bad design because it's not at all clear from the, you know, Login verification page that you're generating these codes from as to what is actually happening. And until I read that help page, I assumed there was actually only one two-factor backup code per Twitter account. It would probably be a lot clearer if they just generated five new codes, all at once, every time you clicked that button. Anyway, if you lose a backup code on Twitter, you need to click that button at least five more times to get rid of all of your old backup codes and generate five ones.

GT: Oh wow, that's pretty confusing. Most sites I see will just give you a batch of ten and say, "Here are your ten current valid backup codes." As we were saying earlier, we're going to put up a roundup of how two-factor works on various popular sites, including Twitter, and we're going to note how two-factor backup codes work for these sites.

Interlude music plays.

LD: So the last topic for this episode isn't specifically related to two-factor authentication, but it is another thing to carefully consider beyond just your password: how to secure your accounts' recovery information or additional security questions that you're asked. When you sign up for a new online account, often they'll ask you some additional security questions that they might use for account recovery - like in case you ever lose your password and need to reset it - or for additional account security - like if you're signing onto something for the first time on a new device or if you're calling about your account.

GT: So these are questions like "What is your mother's maiden name?" or "What was the name of your first pet?" or "What was your high school's sports team's mascot?"

LD: Some of these are things that you can easily look up now, especially in the age of social media, like the ones Geoffrey just mentioned. Some of these are maybe less obvious to find online like "What's your least favorite vegetable?"

GT: Your what?

LD: Yeah, but even questions like that have a finite set of answers. Because of that, we'd recommend using something more random, just like with passwords.

GT: Unlike with passwords in general, where you probably want random strings of characters, numbers, and symbols, you might need this to be more human-friendly, especially if you're going to have to give it to customer service over the phone. Most of my security questions are randomly generated from a password generator. And I've definitely called up customer support, and they've been like "what street did you grow up?" And I've been like "v" "percent" "lowercase l" "capital". And they were just like "yeah, yeah, yeah, okay that's fine", and so they clearly didn't check the whole thing.

LD: Yeah, if you ever think you're going to have to give this to a customer service agent, you're better off creating answers that are based on random combinations of actual words - your password manager probably has a setting for generating this or you can use that dice rolling method we mentioned last episode. We'll link it again in this episode's show notes.

GT: So, where should you store your answers to these questions, now that they aren't going to be your personal response to a question about you, Liz?

LD: Great question, Geoffrey. I'd say you're safe to store these in your password manager, because they're only going to be accessible from that notebook you keep somewhere safe or devices you trust and behind your master password. If you do store them in a digital password manager, depending on how important the account is to you, you may want to print them out and put them somewhere physically safe, too, like wherever you store your birth certificate or social security card, just in case you lose access to your password manager.

GT: Yeah, I also think your password manager is fine. This is an alternative to your password: it's not a second factor, so it's nowhere as complex as thinking about separating it like your two-factor backup code.

LD: Well, that about wraps it up for securing your online accounts with two-factor authentication and how to handle those account recovery questions. Catch you in two weeks, and in the meantime, we've got some accounts to secure!

Outro music plays.

LD: Loose Leaf Security is produced by me, Liz Denys.

GT: Our theme music, arranged by Liz, is based on excerpts of "Venus: The Bringer of Peace" from Gustav Holst's original two piano arrangement of The Planets.

LD: For a transcript of this show and links for further reading about topics covered in this episode, head on over to looseleafsecurity.com. You can also follow us on Twitter, Instagram, and Facebook at @LooseLeafSecure.

GT: If you want to support the show, we'd really appreciate it if you could head to iTunes and leave us a nice review or just tell your friends about the podcast. Those simple actions can really help us.

Outro music fades out.