Two Factor Authentication

This month we’re talking about two-factor authentication (TFA) or, as it’s sometimes known, two-step verification. What is it and why do you want it?

You’re probably already using it on some sites, perhaps even without knowing that’s what you’re doing. Whenever you attempt to log into an account, such as Gmail or Amazon after a long period, you may be asked to type in a numeric code that you receive by SMS text message. That’s usually done after you’ve already provided your username and password. The text message is the second step.

In TFA parlance this is known as a possession factor. Without getting too far down the security rabbit hole, and rest assured there is no bottom, there are several ways to verify that someone is who they say they are. There are knowledge factors (e.g. username and password), possession factors (e.g. mobile device), inherence factors (e.g. fingerprint), location factors (e.g. IP address, GPS location), etc. Most of the time you only need to provide one of these (AKA one-factor authentication), but there are environments on the internet where the information is important enough or sensitive enough that you would be better served by TFA.

As mentioned above, a relatively common method for TFA is to send you an SMS text with a numeric code which you have to type in, but this is not as secure as it should be. That’s because the cell network distributing those text messages has a few flaws. If you’re not working for a national spy agency you’re probably okay, but in the interest of ‘better safe than sorry’ I’ll demonstrate another way: the use of an authentication app.

I use the Google Authenticator App (GAA) available from iTunes or the Play Store. Download it and install it on your phone. You can also use an app called WinAuth (https://winauth.github.io/winauth/) on your Windows desktop. The steps to use WinAuth are quite similar to the Authenticator App so I’ll skip those. I’m going to show you how to set up TFA for Facebook.

Make sure you have everything ready before you start:
GAA installed. Start it up and choose Begin Setup.
When asked, approve its access to the camera. As well, have handy all the devices that you use for Facebook.com.
Go to Facebook.com and log in. Click the menu icon in the upper right-hand corner, then Settings. Click Security and Login.
Find Use two-factor authentication and click the Edit button. Click Get Started. Choose either Text Message or Authentication App. I’m choosing Authentication App.

At this point, you’ll be presented with the TFA screen containing a QR code and an alphanumeric code. They are two representations of the same thing. In the GAA choose Add, then Scan Barcode, for each of your devices. Point your camera at the QR code. A six-digit authentication entry with the name Facebook should be added to your app. Note that if you’re using WinAuth on the desktop you’ll need the alphanumeric code, so you’ll want to copy it and keep it safe (in your KeePass file, for example). If you watch the GAA app now you’ll see that the six-digit code occasionally changes colour to red and then changes to a new code. That authentication code expires every 30 seconds and a new code is generated.
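
The six-digit codes the app shows are time-based one-time passwords (TOTP, RFC 6238): an HMAC over the current 30-second window number, keyed with the shared secret that both the QR code and the alphanumeric code encode. The following is an added example written for this article, not code from Google Authenticator, WinAuth or Facebook; it assumes the alphanumeric code is the usual base32 secret and uses the RFC 6238 test key as a constructed sample.

```python
# Added example: minimal TOTP (RFC 6238) generator plus a server-side verifier.
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample secret: the RFC 6238 test key "12345678901234567890"
# in base32, the same form as the alphanumeric code shown next to the QR code.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, at=None, step=30, digits=6):
    """Return the code an authenticator app would display at time `at` (Unix seconds)."""
    cleaned = secret_b32.strip().replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))  # restore base32 padding
    counter = int(time.time() if at is None else at) // step      # 30-second window number
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                        # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, at=None, skew=1, step=30):
    """Server-side check: accept the current window plus `skew` windows either side
    to tolerate clock drift. Comparison is constant-time. A real server should also
    remember the last accepted window so the same code cannot be replayed."""
    now = time.time() if at is None else at
    for window in range(-skew, skew + 1):
        expected = totp(secret_b32, at=now + window * step, step=step)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    # Shows the code that would be valid right now for the sample secret.
    print("current code:", totp(SAMPLE_SECRET))
```

Anyone holding the base32 secret can compute the same codes, which is why the article tells you to keep the alphanumeric code somewhere like KeePass rather than in plain view.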

Back in Facebook click Next. You’ll be asked to enter the code you see now. Do so. Facebook should respond with Two-Factor Authentication is on. You can always turn it off if you want.

I do recommend setting up your phone number for text message authentication as well, because if you should lose your phone your GAA entry will be lost too, unless you saved the code in KeePass or some other secure location.

Okay, now, all this won’t prevent your Facebook from being compromised by you opening phishing emails and whatnot, but it will make it much more difficult for someone to log into your Facebook account should they get your password somehow.