Sorry to say, but you’ve been hacked
Please excuse this email’s subject line. Have you ever received an email like that? As I wrote a few days ago, I have.
More than a few times. That’s why I make sure I use two-factor authentication for every service that offers it. If you do not know U2F (Universal 2nd Factor), this means that after providing a service with your login and password, you’ll also need to provide a one-time password (OTP) from a trusted source. This makes breaking into your accounts (for instance through social engineering) much harder. The OTP is usually in your hands and cannot easily be stolen, since it only has a lifetime of a few seconds. Afterwards it’s invalid and a new one is needed.
This works because you can have an app on your phone that presents these OTPs for your different accounts. This is the way I have done it for the last few years:
- Navigate to website or open an app
- Use Password-Manager integration of my OS to access my credentials
- Paste credentials and confirm
- Open app on phone (Google Authenticator) that presents me the OTP
- Copy and paste the OTP into the form field
- Access my account
Well, it’s no wonder only a few people use that! It’s a hassle and no fun.
Ok, but there’s a better way. I always try to do things better and more efficiently, and this process surely needed some improvements. What can I say, they were there all along, I just didn’t know! There are hardware devices that can act as your U2F and provide you with the OTP right on time. They come as USB, USB-C and NFC compatible devices (not all in one, though). They can be used with your computer and with your phone (through NFC, even with new iPhones). Chrome has supported these devices for a few years already. Firefox supports them as well, although you have to enable it yourself!
The steps now look like this:
- Navigate to website or open an app
- Use Password-Manager integration of my OS to access my credentials
- Paste credentials and confirm
- Tap the hardware USB key and have it automatically enter and confirm my OTP
- Access my account
Ok, but there’s an even better way! 🤓 I use 1Password as my password manager (and you should too!). 1Password supports OTP fields when entering credentials. You can scan the barcode with 1Password when setting everything up. Now 1Password completely takes over the second factor:
- Navigate to website or open an app
- Use Password-Manager integration of my OS to access my credentials
- Paste credentials and confirm
- 1Password automatically copies the OTP to my clipboard and
- I just paste and confirm again
- Access my account
While this seems like one step more than the hardware key approach, I like it very much. It syncs across your devices, works on all OSes and you don’t have to fiddle with a small USB/NFC device. You can’t forget it somewhere, because that would endanger your accounts very much…
The U2F devices have other benefits as well, though: you can use them to sign your Git commits, making it cryptographically infeasible to tamper with them. This shows up as “signed commits” on GitHub.
If 1Password isn’t your thing, there are other managers as well. I bet they implement it in much the same way. If you have other recommendations or experiences, please let me know.
Now go forth and U2F all the things!
Holger