Two-factor tidying

With a wide variety of possible two-factor authentication methods, it's difficult to keep track of which ones you're using - and which ones you could be using. Liz and Geoffrey talk about their personal strategies and how to handle difficult cases like custom authenticator apps. In recent news, there are improvements to using security keys with Google accounts and some surprises with automatic updates.

Two-factor tidying episode art

Timeline

  • 1:23 - Security news: Android now works as a FIDO device for Google accounts
  • 3:43 - Security news: Firefox now supports U2F security keys for Google accounts
  • 5:24 - Security news: Firefox extensions and add-ons stopped working because of a certificate expiration
  • 7:03 - Security news: ASUS unintentionally distributed malware to computers they sold via a signed software update
  • 9:33 - How to find out where you could enable two-factor authentication
  • 10:47 - 1Password's Inactive 2FA in Watchtower
  • 12:17 - Do I really need to enable two-factor for everything that lets you?
  • 15:23 - Using tags to keep track of where you've set up second factors for your various accounts
  • 17:22 - Should you really use SMS-based two-factor methods?
  • 20:23 - Migrating 2FA when you get a new phone
  • 23:33 - Issues with apps that offer to automatically configure two-factor for you
  • 25:30 - Site-specific second factor apps, e.g. Steam, and protecting against accidentally deleting your two-factor code generator apps

Show notes & further reading

This episode is a follow-up to our episode about two-factor authentication last year, "Two-factor authentication and account recovery". If you're not already using two-factor authentication, check out that episode for an overview of what it is and how to get started, including some important tips like which methods to use and how to handle backup codes or losing access to your second-factor devices. See also our two-factor authentication reference page for a quick refresher. Once you're set up, give your friends our two-factor authentication zine, which covers the various two-factor methods and why you should use them.

Where can you enable two-factor authentication

TwoFactorAuth.org is a crowdsourced catalog of websites that support two-factor authentication, listing which methods each site supports and linking to its setup documentation. The data lives in a GitHub repository (if the entry for your favorite website isn't accurate, you can open a pull request), so it tends to be up to date, but you might want to double-check against a website's own help pages if it says something isn't supported.

1Password's Watchtower feature relies on this catalog: it shows you a warning saying "This website supports 2FA (according to twofactorauth.org), but you haven't enabled it." However, as we mention in the episode, Watchtower only knows you've enabled two-factor if you store the one-time-password secret inside 1Password (which we don't recommend) or tag the login as 2FA yourself. Furthermore, it only flags sites that support code-generator apps: for sites that only support other methods (most commonly, sites that only support SMS), the warning won't show up.
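If your password manager doesn't have a Watchtower-style feature, or you want to catch the SMS-only sites that Watchtower skips, the same check is easy to script against an export of your logins. The Go program below is an added example written for these notes, not 1Password's or twofactorauth.org's own code: the catalog entries and accounts are constructed sample data, the catalog field names are this example's simplification rather than the real schema, and the tag names follow the convention the hosts describe in the episode (2FA for a second factor set up outside the password manager, notActually2FA for a deliberate decision not to add one, and SMS for an SMS-only factor left untagged as 2FA so it keeps coming up for review).

```go
package main

import (
	"fmt"
	"sort"
)

// CatalogEntry is a simplified stand-in for one twofactorauth.org record.
// The field names are this example's assumption, not the catalog's schema.
type CatalogEntry struct {
	Domain   string
	SMS      bool // text-message codes
	Software bool // code-generator (authenticator) app
	Hardware bool // security keys
}

// Account is one login from a password-manager export, with its tags.
type Account struct {
	Title  string
	Domain string
	Tags   []string
}

// Finding pairs an account with the follow-up it needs.
type Finding struct {
	Account, Status string
}

const (
	NeedsSetup     = "app or key 2FA available, none recorded"     // what Inactive 2FA would show
	SMSOnly        = "only SMS offered and not tagged; decide and tag" // Watchtower stays quiet here
	StrongerExists = "on SMS, but an app or key is now offered"       // the periodic re-check
)

func hasTag(a Account, tag string) bool {
	for _, t := range a.Tags {
		if t == tag {
			return true
		}
	}
	return false
}

// Audit applies the tagging convention from the episode: accounts tagged 2FA or
// notActually2FA are settled; everything else is compared against the catalog.
func Audit(catalog []CatalogEntry, accounts []Account) []Finding {
	byDomain := make(map[string]CatalogEntry, len(catalog))
	for _, e := range catalog {
		byDomain[e.Domain] = e
	}
	var out []Finding
	for _, a := range accounts {
		e, known := byDomain[a.Domain]
		if !known || hasTag(a, "2FA") || hasTag(a, "notActually2FA") {
			continue // nothing to report, or already decided
		}
		strong := e.Software || e.Hardware
		switch {
		case strong && hasTag(a, "SMS"):
			out = append(out, Finding{a.Title, StrongerExists})
		case strong:
			out = append(out, Finding{a.Title, NeedsSetup})
		case e.SMS && !hasTag(a, "SMS"):
			out = append(out, Finding{a.Title, SMSOnly})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Account < out[j].Account })
	return out
}

// SampleCatalog and SampleAccounts are constructed data for this example.
var SampleCatalog = []CatalogEntry{
	{Domain: "mail.example", Software: true, Hardware: true, SMS: true},
	{Domain: "bank.example", Software: true, SMS: true},
	{Domain: "photos.example", SMS: true},
	{Domain: "forum.example"},
}

var SampleAccounts = []Account{
	{Title: "Mail (primary)", Domain: "mail.example", Tags: []string{"2FA", "key-main", "key-backup", "app-phone"}},
	{Title: "Mail (old)", Domain: "mail.example"},
	{Title: "Bank", Domain: "bank.example", Tags: []string{"SMS"}},
	{Title: "Photos", Domain: "photos.example"},
	{Title: "Shared novelty account", Domain: "mail.example", Tags: []string{"notActually2FA"}},
	{Title: "Forum", Domain: "forum.example"},
	{Title: "Unknown shop", Domain: "shop.example"},
}

func main() {
	for _, f := range Audit(SampleCatalog, SampleAccounts) {
		fmt.Printf("%-24s %s\n", f.Account, f.Status)
	}
}
```

With the sample data this reports three accounts: the bank (on SMS, but the catalog now lists an app), the old mail login (no second factor recorded), and the photo site (SMS is the only option and no decision has been tagged). The forum offers nothing, the shop isn't in the catalog, and the two tagged accounts are silent, which is the behaviour you want from a list you intend to work through to empty.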

Risks of SMS-based two-factor authentication

In the news segment of our episode "Comparing Android and iOS security", we covered some of the social-engineering attacks that could be used to take over your cell phone account, such as getting a replacement SIM card issued or porting your number to another carrier. This is a targeted attack that requires individual effort per victim, but if you think someone might want to attack you specifically, it's worth finding a second factor that isn't your phone number. (An authenticator app on your smartphone is significantly safer: someone who gets another phone associated with your phone number won't be able to get to data physically stored on your real phone.)

In the news

Google announced that phones running Android 7 or newer can be used as FIDO security keys, as long as you're using Chrome, logging into Google, and able to pair your phone to your computer with Bluetooth. Google ensures that your two devices are physically nearby by using a scheme they call "cloud-assisted Bluetooth Low Energy," or "caBLE". WIRED has an in-depth look at the FIDO Alliance (of which Google is a founding member) and their plan to "kill passwords". If you want to try it out, take a look at Google's setup instructions. We're still keeping our physical security keys with us for use with other websites, but since it's a good idea to have two different security keys as a backup, an Android phone seems like a great option for your Google account.

Mozilla announced that the upcoming version of Firefox (67) will support registering security keys for use with Google accounts. As described in a post to their development mailing list, Google doesn't want to enable registration using the current, standardized FIDO2 WebAuthn mechanism for fear of making security keys unusable with older Android devices (this is in reference to connecting a standalone security key over NFC or USB to an Android browser, not the new functionality of using an Android phone as a security key for a desktop browser), so Firefox has permitted google.com specifically to use the older, pre-standard U2F mechanism.
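What makes either protocol phishing-resistant is the same: the browser, not the page, records the page's origin in the client data, the key signs over that client data, and the site checks the origin before accepting the login. The Go program below is an added illustration for these notes, not Mozilla's, Google's or the FIDO Alliance's code. It models the WebAuthn shape of the exchange (the pre-standard U2F protocol binds the origin the same way); example.com and the look-alike examp1e.com are hypothetical, the authenticator data is simplified to rpIdHash, flags and a counter, and the challenge is a constructed string where a real site would send fresh random bytes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// collectedClientData: the WebAuthn CollectedClientData fields that matter for origin binding. The browser, not the page, fills it in.
type collectedClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator models a security key holding one ES256 credential scoped to an RP ID.
type Authenticator struct {
	RPID string
	key  *ecdsa.PrivateKey
}

func NewAuthenticator(rpID string) (*Authenticator, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{RPID: rpID, key: key}, nil
}

// PublicKey is what the relying party stored at registration.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.key.PublicKey }

// Sign is the key's part of a login: ES256 over authenticatorData || SHA-256(clientDataJSON).
// The key never sees the page; it signs whatever origin the browser recorded.
func (a *Authenticator) Sign(clientDataJSON []byte) (authData, sig []byte, err error) {
	rpIDHash := sha256.Sum256([]byte(a.RPID))
	authData = append(rpIDHash[:], 0x01, 0, 0, 0, 1) // rpIdHash || flags (UP) || counter (simplified)
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err = ecdsa.SignASN1(rand.Reader, a.key, msg[:])
	return authData, sig, err
}

// BrowserGet models navigator.credentials.get(): the browser records the real page
// origin itself and only lets a page use an RP ID that its origin belongs to.
func BrowserGet(a *Authenticator, pageOrigin, rpID, challenge string) (clientDataJSON, authData, sig []byte, err error) {
	u, err := url.Parse(pageOrigin)
	if err != nil {
		return nil, nil, nil, err
	}
	if host := u.Hostname(); host != rpID && !strings.HasSuffix(host, "."+rpID) {
		return nil, nil, nil, fmt.Errorf("browser: %s may not use RP ID %s", pageOrigin, rpID)
	}
	if rpID != a.RPID {
		return nil, nil, nil, errors.New("authenticator: no credential for this RP ID")
	}
	clientDataJSON, _ = json.Marshal(collectedClientData{Type: "webauthn.get", Challenge: challenge, Origin: pageOrigin})
	authData, sig, err = a.Sign(clientDataJSON)
	return clientDataJSON, authData, sig, err
}

// VerifyAssertion is the relying party's check. Because the signature covers clientDataJSON,
// an assertion made on a look-alike site carries that site's origin and is rejected even if relayed.
func VerifyAssertion(pub *ecdsa.PublicKey, expectedOrigin, rpID, challenge string, clientDataJSON, authData, sig []byte) error {
	var cd collectedClientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return errors.New("wrong type or stale challenge")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin %q is not %q: phishing or relay", cd.Origin, expectedOrigin)
	}
	rpIDHash := sha256.Sum256([]byte(rpID))
	if len(authData) < 37 || string(authData[:32]) != string(rpIDHash[:]) {
		return errors.New("rpIdHash mismatch")
	}
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, msg[:], sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	auth, _ := NewAuthenticator("example.com")
	ch := "constructed-challenge" // a real relying party sends fresh random bytes
	cd, ad, sig, _ := BrowserGet(auth, "https://example.com", "example.com", ch)
	fmt.Println("real site:", VerifyAssertion(auth.PublicKey(), "https://example.com", "example.com", ch, cd, ad, sig))
	_, _, _, err := BrowserGet(auth, "https://examp1e.com", "example.com", ch)
	fmt.Println("look-alike site:", err)
}
```

Run as written, the real-site login verifies and the look-alike page is refused by the browser before the key is even asked. Even if a browser did hand an assertion to a phishing page, VerifyAssertion rejects it on the origin check, which is the difference from a code-generator app: a six-digit code typed into a phishing page is just as valid on the real site, while a security key's response is only valid for the origin the browser put into it.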

Firefox users recently found that all add-ons were disabled due to a certificate expiration. Eric Rescorla, CTO of the Firefox team (and coauthor of the recent TLS standards), wrote a detailed technical blog post about both what went wrong and how they fixed it. Mozilla pushed the fix through the mechanism it uses for studies and experiments on existing Firefox installs, because that was the fastest channel with enough access to install a new certificate; a regular browser update followed, so even if you had studies disabled for privacy reasons, you should have the fix by now. If you followed forum advice to turn off add-on signature checking as a workaround, turn it back on: that setting is what stops tampered extensions from loading.

Russian computer security firm Kaspersky Lab recently reported that computer manufacturer ASUS was unintentionally distributing malware as signed software updates. They estimate that half a million computers received the malware, although it only activated on about 600 specifically targeted machines. Matt Blaze, a computer science and law professor at Georgetown University, argues in a New York Times opinion article that you should still install software updates despite the risk of attacks like this. We agree with this recommendation: even regular software upgrades include security fixes, so you should make sure you're applying updates. For instance, Apple does not make security fixes available separately from iOS upgrades, so if you're running an older version of iOS, your device generally has unfixed security issues.

Transcript

Geoffrey Thomas (GT): Liz, did you hear about the Kentucky Derby?

Liz Denys (LD): The Kentucky Derby? Geoffrey, Loose Leaf Security is a security podcast - what does horse racing have to do with anything?

GT: The fastest horse was named Maximum Security! I feel like it's a sign. Good security is important.

LD: Hmm... I'm reading here that Maximum Security got disqualified for interference.

GT: Interference?

LD: Apparently it bumped into another horse, so the rules say that it counts as ranking behind that horse.

GT: Well, that's not cool. I was a fan of Maximum Security, but not if it's running into other horses.

LD: Luckily for you, today's episode is about how to have maximum security without interference.

GT: Oh, that's right! We're talking about strategies to make two-factor authentication work well for you in practice.

LD: Stay tuned to hear some of the techniques we've found for staying on top of the wide variety of two-factor authentication methods and other tips for keeping all your two-factors well-organized.

Intro music plays.

LD: Hello and welcome to Loose Leaf Security! I'm Liz Denys,

GT: and I'm Geoffrey Thomas, and we're your hosts.

LD: Loose Leaf Security is a show about making good computer security practice for everyone. We believe you don't need to be a software engineer or security professional to understand how to keep your devices and data safe.

GT: In every episode, we tackle a typical security concern or walk you through a recent incident.

Intro music fades out.

LD: Before our main segment, we've got some security news for you! There's been a few cool developments recently in the world of FIDO-based two-factor authentication.

GT: If you've forgotten what FIDO is, it's the name for the specification for security keys, which we've long recommended as the most secure form of two-factor authentication available.

LD: That's for two reasons. First, a security key is its own hardware device that's used for nothing else: it's much harder to break into a security key than anything else you have. It's not directly connected to the internet: it just talks to your computer. But probably more importantly, the FIDO protocol lets your security key verify that you're on the right website. If you've been tricked into visiting a phishing page, you might type a two-factor code from a text message or a generator app into it, but your security key will see that this isn't the same website you wanted and won't send a response.

GT: Google announced recently that recent Android devices can now work as a FIDO-compatible device for logging in on your desktop. So if you already carry your Android phone everywhere, you can use that as your second factor, you don't have to get a separate security key. This functionality comes as a software update to Google Play Services, so existing devices running Android 7 and up should work with it.

LD: It's a little complicated, and it only works if you're running Chrome and trying to log into Google, at least for now. The interesting part is it uses Bluetooth to make sure that your device is physically near your computer, so you have to have Bluetooth on both on your computer and your phone.

GT: Oh, that makes sense - with security keys, you have to plug it in, so an attacker trying to log in from somewhere else can't use your security key. So an Android FIDO device should also check that it's near the computer that's logging in. FIDO is not only more secure than a push notification or a text message because of the phishing protection, it's also more secure because you know the login request came from a computer near you.

LD: They've called this design "cloud-assisted Bluetooth Low Energy" because it also uses your Google account to notify your phone to talk to your computer. So your phone has to be associated with that Google account.

GT: "Cloud-assisted Bluetooth Low Energy..." oh, I get it, it spells "caBLE." Which is kind of funny, because you can't actually use a real cable, you have to use Bluetooth.

LD: Let's hope they expand this to more websites and maybe more phones soon - since it uses the FIDO standard, it seems like it should be usable outside Google and Android. In the meantime, I'm still carrying my physical security key, because Google isn't the only website I want a strong FIDO second factor for.

GT: Speaking of Google and security keys, you can finally log into your Google account using a security key with Firefox.

LD: Google started supporting security keys before the FIDO and WebAuthn standards were finalized; the FIDO Alliance started out as just Google and Yubico, a major security key manufacturer. So Chrome had support for sites that used both the standard WebAuthn login process and the pre-standardized one.

GT: Unfortunately, Google Accounts used only the pre-standardized login method. While you can generally use a security key with either protocol, if you've enrolled a key with the newer one, it won't work with browsers or devices that support only the older one. And in particular, it seems like lots of Android phones that are still in use only support the older protocol, so Google doesn't want to enable the newer one on Google Accounts until enough of those phones have been upgraded.

LD: Firefox tried to work with Google to get them to find a solution to the problem, but eventually they decided that it was unlikely to change soon and it was more important to let people use security keys in Firefox to log into Google. So they've implemented Google's old protocol, too, and it'll be available in Firefox 67, coming out next week.

GT: You know, I appreciate Firefox being this basically independent voice in the browser ecosystem: they're a non-profit, and both Microsoft Edge and Opera are now based on Chrome's code. So it's good, in a way, that they were insisting on only supporting the standardized protocol and not the special Google-custom thing for so long.

LD: Yeah, I'm glad they were trying to lobby Google for it, but in the end there's a significant security advantage in being able to use security keys, and it's probably better that if you use security keys, you're actually able to use Firefox and not just Chrome.

GT: If you're a Firefox user and you hadn't enabled two-factor or you're using a weaker method, you might want to try out the new support and switch to security keys.

LD: So, that wasn't the biggest piece of Firefox news recently.

GT: Oh right! A week ago, Firefox had a certificate expire that had the effect of disabling all extensions and add-ons.

LD: Yup. They fixed it pretty quickly, and there's a full technical writeup by Firefox's CTO, who's also the person who developed many versions of the SSL protocol.

GT: Usually, when a certificate expires, it causes things to fail closed as a security measure: you want to make sure an old certificate and private key doesn't fall into the wrong hands. But in this case, it might have been the wrong direction for security.

LD: If you were using an extension to protect your privacy or security like HTTPS Everywhere or an unwanted content blocker, it got disabled, so you were at higher risk.

GT: In the immediate aftermath of the outage, various online forums had suggestions to disable signature checking for add-ons entirely. While that would have worked, it also would have itself been a pretty big security risk. In the end, Firefox fixed the problem by creating a new certificate with a longer expiration date, and they got the fix pushed out within about half a day. So maybe the better thing would have been to just wait for the fix.

LD: Definitely if you applied that workaround, you should make sure you've disabled it now.

GT: The mechanism they used is pretty interesting: they have a "studies" feature where they can run experiments in Firefox, and those experiments have access to a lot of the Firefox internals. So they built a study to add the new certificate and pushed that out.

LD: This is a fair bit of access, so it's reasonable to be concerned about it. But it's basically equivalent to the access you give Mozilla if you enable automatic updates. And we do strongly recommend you enable those; they keep your system safe from known bugs, and as described in the writeup, it's a pretty involved process to sign a study. So it should be unlikely that someone malicious would get access to it.

GT: Unfortunately that's not always true. Our next story is about exactly that: ASUS, the computer manufacturer, had been unintentionally distributing malware to computers they sold in the form of a signed software update, according to Russian security firm Kaspersky Lab.

LD: Apparently half a million computers got the malware, but it was designed to target only 600 specific computers - it stayed silent on the rest of the computers. So it seems that it was a pretty targeted and more highly-skilled attack than usual.

GT: Maybe I'm paranoid, but I generally don't trust Windows OSes as distributed by computer manufacturers: there's too much incentive for them to pre-install weird software, and they're generally less good at running a software distribution program than an actual software company. Hardware from Microsoft directly, or Apple Macs or Google Chromebooks, is all fine.

LD: We talked about this recently - in our episode "Built-in dangers: physical ports, OS defaults, and remote access", we mentioned that Microsoft now has a "Windows Signature Edition" branding program, where you get just clean Windows without your laptop manufacturer being able to add anything on.

GT: Oh right! Yeah, in the show notes there we also talk about how to "refresh" your Windows install with a tool from Microsoft and get rid of anything that didn't come from Microsoft.

LD: Really, the better takeaway here is not to stop installing software updates, it's to stop installing software from untrusted sources, and maybe be a little more skeptical whether or not you consider your computer manufacturer to really be a trusted source. That said, it's much more likely that someone will get your data or compromise your machine because you're behind on updates than because of the much more sophisticated attack to compromise the entire software update system. Security vulnerabilities that have been fixed in software updates are often made public; a determined but not necessarily very skilled attacker could exploit those public vulnerabilities and get to things on your machine.

GT: Yeah, we think you should consider this story to be a rare but serious fluke in the software update systems and continue to take software updates when they're available so you're protected against known vulnerabilities. If you're interested in reading more about how this fits into the broader software delivery and update ecosystem, Matt Blaze wrote a good piece in the New York Times about it that we'll link in our show notes.

LD: Let's take a quick break before getting to our main segment about keeping your second factors organized and up to date.

Interlude music plays.

LD: Today's main segment is all about two-factor authentication, but if you haven't yet listened to our episode from last year called "Two-factor authentication and account recovery" and aren't familiar with the different types of second factors, you probably want to start there.

GT: But if you're already pretty comfortable using two-factor authentication, you're in the right place - this segment is all about how to make sure you've enabled two-factor where you can and how to keep track of your second factors.

LD: One of the trickiest things with two-factor is making sure it's enabled everywhere it could be. As we mentioned before, you can look up websites you use at the crowdsourced resource twofactorauth.org to see which two-factor options they support, but if you're like me, you have hundreds of logins and this could be pretty tedious.

GT: I still have a bunch of accounts I rarely use and haven't happened to use since I started using a password manager, and I've gotten into the habit of checking if I can enable two-factor for accounts as I import them into my password manager.

LD: I've also gotten into the habit of checking the settings section of websites whenever I log into an account that doesn't ask me for a second factor. If they don't show an obvious way to enable two-factor, I'll double-check twofactorauth.org to see if the site actually supports it and how to enable it.

GT: Unfortunately, both of our methods here suffer from a recency bias.

LD: Right, I guess there's an argument to be made that you probably care most about the accounts you actually use, but it's possible an account you don't use a lot could become a big security problem, too, if it's in a breach. Some password managers have features for keeping track of your account health; for example, 1Password's Watchtower has a section called "Inactive 2FA" that lets you know which accounts it thinks you don't have two-factor set up for that could have two-factor enabled.

GT: So, 1Password says they pull data from twofactorauth.org to determine which sites allow you to set up two-factor authentication and defaults to assuming you don't have two-factor on your accounts unless you have your second factor set up inside 1Password, which we don't recommend.

LD: Right, as we discussed in our episode "Two-factor authentication and account recovery", that isn't technically two separate factors. The practical implication is, if 1Password ever messes up their security or someone gets into a device where you're logged into 1Password, that attacker might be able to get both your password and your second factor code, which isn't great.

GT: This does provide some protection against someone getting just your password if a website gets breached since your second factor won't be there, but because any way into your 1Password vaults would also compromise your second factor, any vulnerability in any of their apps or their browser extensions or on your computer could result in both your factors being compromised.

LD: Fortunately, 1Password lets you tell it that you've enabled two-factor authentication outside of 1Password, so you don't have to have them manage your second factor. You can just tag any account you have put two-factor on as 2FA.

GT: I've been a little lax at tagging my accounts as 2FA in 1Password, so I see a lot of false positives, and that's made this tool less useful for me. But it's not just that I haven't gotten around to tagging things - I also have a few accounts where I've thought about whether or not I want to add a second factor and determined I didn't. Some of the accounts Watchtower flags for me are throwaway social media accounts I share access to with lots of people, and they aren't worth protecting. But others are just shared accounts where it hasn't been easy for me to coordinate with the other person who uses it to set up a second factor.

LD: Yeah, there's not really a technical reason you can't allow multiple authenticator apps or security keys, but often websites don't get this right and it's really frustrating. I personally still think it's worth trying to get together with collaborators to scan the 2FA image together, but if you can't, you could still tag the account as 2FA to stop Watchtower or a similar feature in another password manager from continuing to prompt you and also tag it as something like notActually2FA so that you'd be able to find all the accounts you haven't actually set up to have a second factor. In 1Password, you can easily search for things you've tagged, and you could just search for the tag notActually2FA.

GT: Oh, that's a good idea. I might actually make two tags for this: one tag for accounts that I'm comfortable with never adding two-factor authentication to and a different tag for accounts where I'd like to set up second factors if all the people I share that account with get in the same room together. As a reminder, I've thought pretty hard about why that first group of accounts doesn't need a second factor: those accounts don't have any personal information that I'd be concerned about leaking in a breach, and I also wouldn't miss anything I cared about if I completely lost access to them.

LD: When you say they don't have any personal information, you're including your name and commonly used usernames in that, right?

GT: Yeah, I mean, there's like a novelty Twitter account that doesn't have my name in it. Why?

LD: Well, if I ever lost access to my old Gmail account, even though I haven't sent email from that account in more than a decade, I'd be worried someone else could impersonate me pretty effectively. Sure, people I email regularly know my personal email isn't a Gmail address anymore, and I expect some people would check my website to see what I actually use, but I wouldn't expect everyone to double check since you'd expect that I'd still have control over that account because it has my name in it.

GT: Yeah, that makes sense.

LD: I've also mentioned before that I'm always worried about how accounts and their associated services change over time as companies grow in scope. When Twitter first started in 2006, it wasn't obvious until at least a few years later if it was going to just be this fun, small thing that I casually used with some friends or if the site was going to turn into this really huge social app that journalists pay attention to and it feels like everyone's expected to have an account on - the sort of thing where even if you don't actually tweet, you probably want to grab your username that you usually use so no one intentionally or unintentionally grabs it and starts posting things that you would not want associated with you.

GT: Yeah, I feel like I've seen people expect my usual username, "geofft," to be my username on Twitter and other big sites, but none of the things I'm happy to tag as not-really-2FA fall into that category - they're either things without my username or things for very small sites where it wouldn't be as much of a problem if someone broke in.

LD: I also don't just tag my accounts 2FA when I set up two-factor authentication; I also explicitly tag how I have two-factor set up for those accounts. By the way, if you don't use 1Password like I do, you might not have a "tags" field for each of your stored logins, but you can still note which two-factor methods you use in the notes section. Each of my two security keys - the one I use and my backup - has a corresponding tag.

GT: Oh, that's especially useful because you can't see which accounts you've configured by looking at the security key.

LD: Yeah, and that's by design - it makes it a lot harder to figure out what a lost security key can do. I also have tags for which authenticator apps are configured, that is, my current phone's authenticator app and the one on my backup phone. It's nice to know at a glance where I have two-factor enabled, and before, when not everything with two-factor had a backup method, I could quickly see which accounts I still needed to set up that backup two-factor method for. As we've discussed before, if you don't have access to your primary second factor, the best backup is having an alternate two-factor method available for you. That way, you don't have to deal with the hassle of backup codes and making sure you remember how many of them are still valid for each site. And the way that I tag my accounts in my password manager is a good way to know which accounts have those backup two-factor methods set up and which accounts still need a little bit of work.

GT: Yeah, I do the same sort of thing: I've got tags like 2fa_iphone or 2fa_oldiphone so I know which authenticator apps have what, or 2fa_yubikey or 2fa_sms.

LD: Oh, for the SMS ones, I'll tag them as SMS, but I don't actually tag them as just the tag 2FA in 1Password because I want it to keep prompting me.

GT: So Watchtower will just keep bugging you to add two-factor for them? That sounds kind of non-intuitive.

LD: Yeah it is, but since I've personally already gone through and added two-factor for everything that I think needs one, I don't really have a big list of to-dos in my Inactive 2FA list. And whenever I see my accounts that have SMS-based two-factors on that list, I check if those services offer something more secure yet.

GT: While we'd say that SMS-based two-factor authentication is a little more secure than no form of two-factor authentication, there are some availability concerns that might actually outweigh the benefits of that additional security. If you enable SMS-based two-factor, you won't be able to get into your account if you don't have cell service, so if you're traveling internationally or just happen to be somewhere without good cell coverage, you might not get the text messages and could find yourself unable to access your account.

LD: I'm lucky that all of my accounts that only offer SMS for two-factor happen to be accounts I don't need to get into urgently. Back when Instagram only supported SMS-based two-factor, this was fine - I can always share that gorgeous sunset or my selfies later.

GT: But if there is an account you'd need to access and you think you should secure it with two-factor authentication - maybe it's a payment app like PayPal - it's worth thinking about whether you could be using another service instead or as a backup. There are some people I pay using PayPal regularly, and since it's got access to my bank accounts, I do want the added security of a second factor on PayPal, but if I ever was in a situation where I couldn't get text messages and urgently needed to pay someone back, I could use a different payments app instead.

LD: I'm generally not away from cell service too long, and I have a phone plan that allows me to keep my number when I travel internationally, so my ability to get text messages isn't too much of a concern for me, but there is another reason I dislike SMS-based two-factor, too: it means accessing your account has a more or less unnecessary dependency on your phone number. In general, this is another point of failure - just like how using "Login with Google" or "Login with Facebook" creates a dependency on those accounts. If you want to hear more about that, we talked about it last time in our episode "Using a password manager effectively".

GT: I do think that, in general, people are more likely to care about having a working phone and avoiding changing their phone number than keeping a particular social media account, so it isn't quite as bad. Plus, you can usually get a hold of your phone company pretty easily to fix an outage in your service - generally that seems easier than convincing Twitter or Facebook that they incorrectly banned you.

LD: Though, if you're using a cell phone company that doesn't have a good reputation for customer service -

GT: Does any cell phone service provider have a good customer service reputation?

LD: I mean, not exactly, but if you have a regular monthly plan at a major carrier that has lots of stores, you can usually show up in person and get things fixed if you bring your ID. I'd definitely be worried about losing service with Google Fi like that travel blogger did, and I'd be similarly worried about other cell network resellers.

GT: There is one other security concern with SMS-based two-factor authentication: an attacker could social engineer their way into getting a replacement SIM card with your number or port it to another cell phone carrier, and then you wouldn't be able to get your two-factor texts anymore.

LD: This is generally a very personal attack and it's also probably a pretty unlikely attack for most people - it takes a lot of specific time and energy and doesn't scale well - but whether or not you think there's a specific person trying to get into your accounts, it's still a good idea to ask your cell phone provider for additional protection against both someone porting your cell phone number away and someone getting a replacement SIM card for your account.

GT: Speaking of phones, that reminds me of another two-factor concern - if you get a new phone, do you really need to configure your new phone's two-factor authenticator app to have all your accounts? I feel like I have a handful of accounts in my code generators that I haven't used in recent memory.

LD: Personally, I'm very completist and would probably move them all over because I have so many accounts with two-factor that I use regularly that it kind of drowns out the ones I don't use, so moving the rest of them doesn't really put that much extra time into this process for me.

GT: Mm, I probably wouldn't bother if I don't expect to use an account again unless I'm also planning on selling or giving away my current phone - I think it's fine to have authenticator apps on two old phones serve as your primary and backup two-factor methods.

LD: Yeah, that's probably okay, but there is a worst case where this could turn into a problem - if you keep both of these old phones somewhere secure in your home and, say, there's a fire, you'd lose both. I assume if I was around when this happened, I'd grab my current phone because it's likely already on me, but I probably wouldn't bother grabbing my backup phones.

GT: For any accounts you do want to migrate to your new phone's authenticator app, have your backup phone around because usually setting up a new authenticator app invalidates the old one, and you'll need your old phone around to log into those accounts to change your two-factor settings anyway. Once you're into your account, you'll probably have to scan the QR code with both phones at the same time for both authenticator apps to work.

LD: A few authenticator apps advertise sync as one of their features - either cloud-based sync or a way to export and import your data onto a new device. I wouldn't use that myself, but it is a very convenient way to move everything over.

GT: I think I'd worry a lot about using cloud-based sync, for the same reason I wouldn't use a password manager for two-factor: my password manager itself syncs over the cloud, which I find makes sense for passwords, but I want my two-factor codes to be isolated from attacks that could affect my password manager.

LD: Right, exactly - the whole point of two-factor authentication is that your second factor is separate from your first factor. And in general, sites that offer two-factor authentication are those that care more strongly about security, so it makes sense to be more careful. You can usually reset your passwords via email, which is pretty much a cloud service, so that's why I'm ok with letting my passwords be synced over the cloud by my password manager. This is also part of why I've personally chosen a password manager with a strong security record, and we'll be talking about that more in our next episode.

GT: If your authenticator app lets you sync codes with an export or a backup - perhaps through a backup of your whole phone - you should be very careful about those backup files. Anyone who gets access to them can start generating codes, and you won't be able to tell that they started using them. So make sure to securely wipe your backup files or your export files, especially if they're going through your laptop. We talked about how to securely erase files in our episode "Physical attacks to your computers and disk encryption".

LD: By the way, an image of a QR code to set up two-factor is just as sensitive. Anyone can scan it later and generate two-factor codes for your account. So if you're taking screenshots or photos of those setup QR codes for whatever reason, you should be careful to make sure those get securely deleted, too.

GT: Oh, yes. Probably the best thing is just not to store them: scan them with your two-factor generator app -

LD: and the code generator app on your backup phone, too!

GT: - yes, and then close the screen.

LD: Oh, that reminds me of another situation where it's worth doing something a little inconvenient: if you're setting up two-factor for an account that's either only or primarily a phone or tablet app, sometimes, those apps will try to detect if you have an authenticator app on the same device, because your phone is probably one of the places you have an authenticator app, and then the app will offer to configure that app they find directly for you.

GT: Oh, I ran into this with Instagram a couple months ago.

LD: Yeah, so I think it's great that they're trying to make an otherwise slightly trickier than average two-factor setup easier for you, but because that automatic configuration handles all the setup for you, it can be difficult to configure an authenticator app on a backup phone at the same time, too.

GT: And like we've said before, the best backup option for two-factor is to have multiple second factors available to you, so with something that only supports setting up an authenticator app once, configuring an authenticator app on a backup phone at the same time is really key.

LD: Yep, fortunately, apps that try to automatically set up two-factor auth apps for you will typically also have an option to configure it manually or sometimes they call it "the hard way." It probably won't give you the same option to set up via QR code because how would you be able to scan that with the same phone that this app is already on? But it will generally give you a text-based code you can type into the authenticator apps to set it up. To configure both your main phone and a backup phone, just type it into both authenticator apps and press setup at the same time.

GT: Make sure that if you're copying and pasting, that you copy something else to clear it from the clipboard. Make sure that if you're texting it to yourself, you do it over a secure messenger. You know, all of the usual things. I think I've seen authenticator apps that don't have text input - they can only use the camera to scan QR codes. For those, you might need to see if you can use the desktop site to give you a QR code.

LD: Sure, and even if you can type in a code, it might be easier to see if you can set up two-factor via a desktop, so it just does the normal thing and gives you that QR code that's easy to scan with your phone and your backup phone at the same time.

GT: So there's one last two-factor authentication related issue we haven't talked much about yet: some accounts offer code generator based two-factor authentication, but only through their own specific app.

LD: For example, the video game distribution platform Steam will only let you set up two-factor through the Steam Mobile app's Steam Guard Mobile Authenticator.

GT: I'll admit I haven't actually set up a second factor for my Steam account yet, in part because I just haven't thought deeply about their proprietary authenticator app yet, and in part because I don't have too much of value in my Steam account - I don't have any active payment methods on my Steam account, and I only own a few games in it.

LD: The same principles of authenticator apps still apply, but the setup for proprietary authenticator apps like Steam's might be different. One big thing to look out for is whether or not you can set up the proprietary authenticator app on multiple phones at the same time so you have that easy backup.

GT: Right, as we keep saying, the best backup option is to have a backup two-factor method available to you.

LD: In Steam's case, it seems to be impossible to set up their proprietary app on two phones at the same time.

GT: Oof, that means if your phone got stolen or something, you'd have to use a backup code or talk with support. So you'd need to keep really good track of those backup codes.

LD: Right, and it also would be a problem if you accidentally deleted the Steam Mobile app from your phone because you forgot it did two-factor. Or if you just deleted it by accident - I'll admit that I've accidentally deleted some apps before by tossing an unlocked phone into my bag. And honestly, this is one of the reasons that I keep my authenticator app inside a folder: it's because it's a few more clicks from the home screen to actually get in there to delete it.

GT: If you use an iPhone, you could disallow deleting all apps through Restrictions, but there's not a secure, native way we'd recommend for doing this on Android.

LD: And you might decide that particular restriction isn't worth the hassle because of how you otherwise use your phone. That's why I've come up with this "put it in a folder because it's a lot less likely I'll double click into the folder" as a solution.

GT: Yeah, it's worth thinking about how to protect your usual authenticator app, too. Maybe move it out of the way like Liz does. Because even if you have all of those accounts on a backup phone, it's still probably a huge hassle to go to that phone and restore everything from backup.

LD: Anyway, back to thinking about the proprietary apps, if one of your accounts can only have two-factor set up through a specific, proprietary authenticator app and one that you can't use on multiple devices at a time, you might still want to set up two-factor for that account if what you're protecting is worth more than the hassle of making sure you don't delete the app. Just like Geoffrey, I only have a couple of very old games in my Steam account, so I ended up not using their two-factor app.

GT: If I needed to secure my Steam account with two-factor, I'd make sure I kept my backup codes in a safe place and familiarized myself with the steps I'd need to go through to recover my account if I lost that in a fire or something.

LD: Another viable but slightly less convenient option if an account like this mattered to you a lot would be to use an old phone for just that app.

GT: I probably wouldn't want to use the same phone as my usual two-factor backup phone because part of why it's a backup is that I don't generally carry it with me, and I would want this phone to be at least somewhat easily accessible.

LD: Right, and also, the idea here is to use this phone as little as possible so that you're unlikely to delete the only instance of a two-factor app you have for one of your important accounts.

GT: It's kind of like a really clunky security key then... but it would still just be better if they let you use real security keys.

LD: Or a non-proprietary authenticator app that you could set up on multiple devices!

GT: We hope today's episode helps you keep your second factors tidy!

LD: Catch us next time for a discussion of the security model for password manager extensions.

GT: We'll also examine the specific security records of popular password managers and their extensions.

Outro music plays.

LD: Loose Leaf Security is produced by me, Liz Denys.

GT: Our theme music, arranged by Liz, is based on excerpts of "Venus: The Bringer of Peace" from Gustav Holst's original two piano arrangement of The Planets.

LD: For a transcript of this show and links for further reading about topics covered in this episode, head on over to looseleafsecurity.com. You can also follow us on Twitter, Instagram, and Facebook at @LooseLeafSecure.

GT: If you want to support the show, we'd really appreciate it if you could head to iTunes and leave us a nice review or just tell your friends about the podcast. Those simple actions can really help us.

Outro music fades out.