2FA The Right Way

I used to have a pretty simple password I used in many places. It was just seven characters long. But to this day, it has yet to show up in a password breach. Then I got better with passwords, and I have memorized some pretty complex ones. I now use 1Password to store my passwords. I’ve even gone so far as to enable 2FA via TOTP (Time-based One-time Password) on an app on my phone. That’s a pretty good way to do it, and it’s a pretty big jump and commitment to use 2FA the right way.

What is 2FA?

2FA is short for Two-Factor Authentication. That’s essentially a second “password.” The first one is one you probably have memorized, or can quickly reference, and it doesn’t change on its own. The second one relies on something you physically have – usually your phone. The service either sends you an SMS text message and gives you a limited amount of time to enter it, or you use an app on your phone that’s synchronized to a clock and produces a new code every thirty or so seconds.

While using a phone for 2FA is pretty good, it has a couple of problems:

  1. Bad guys have ways of intercepting your SMS messages (SIM Hijacking).
  2. If you lose your phone (or phone service), you’re out of luck.

TOTP is pretty good, as it does not depend on your phone number to work. It doesn’t even necessarily require a phone. 1Password supports TOTP, and it’s available as a phone or computer app. That’s still not perfect because:

  1. Someone could trick you into divulging the TOTP code as they sit in front of a computer waiting to enter those magic six digits.
  2. TOTP starts with an initial secret (the code you scan or type in when you enroll) that someone else could get hold of. I admit, I save that initial code in a secure place, but it is a weak point.
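To make the second weak point concrete, here is an added example (not code from the original post) showing how a TOTP code is derived from that initial secret, using the RFC 6238 defaults of SHA-1, a 30-second step and six digits. The seed below is a constructed demo value (the RFC test key, not a real account secret); the point is that the code depends on nothing but that seed and the clock, so anyone holding a copy of the seed produces the very same six digits.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo seed (NOT a real account secret): the RFC 4226/6238 test key,
# base32-encoded the way an enrollment QR code carries it.
DEMO_SEED_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = digest[-1] & 0x0F                      # low nibble picks the 4-byte window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def decode_seed(seed_b32: str) -> bytes:
    """Authenticator apps often omit base32 padding; restore it before decoding."""
    seed = seed_b32.strip().replace(" ", "").upper()
    return base64.b32decode(seed + "=" * (-len(seed) % 8))


def totp(seed_b32: str, at_time: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    now = time.time() if at_time is None else at_time
    return hotp(decode_seed(seed_b32), int(now // step), digits)


def verify_totp(seed_b32: str, candidate: str, at_time: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check. `window` is how many adjacent 30 s steps to tolerate
    for clock drift; a constant-time compare avoids leaking which digits matched."""
    now = time.time() if at_time is None else at_time
    secret = decode_seed(seed_b32)
    base_counter = int(now // step)
    return any(
        hmac.compare_digest(hotp(secret, base_counter + delta, digits), candidate)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    # Both "phones" hold the same seed, so both show the same code right now.
    print("current code:", totp(DEMO_SEED_B32))
    print("matches from a copied seed:", verify_totp(DEMO_SEED_B32, totp(DEMO_SEED_B32)))
```

The values at fixed times (59 s and 1111111109 s since the epoch) are the RFC 6238 test vectors, which is a handy way to check any TOTP implementation; the verification window is why a code from the previous 30-second step is still accepted, and also why a phished code stays usable for a short while after you read it out.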

The Right Way to Implement 2FA

Near the top of my tech wish list was to get a 2FA hardware key. But it’s a scary jump to get away from the safe systems I have in place.

2FA Hardware Keys
Security Key image from Yubico

Recently Let’s Encrypt ran a devious promotion: Donate $50, and Yubico will send you a free Yubikey, like one of the ones above. The one on the left is the one I got. It’s the NFC version, so it will work on my phone. It’s normally $27. The one on the right is plug-in only, and runs $20. They’re both awesome. And you need two.

U2F Can Get Expensive…

…but it’s cheap insurance. U2F (Universal 2nd Factor) is the hardware version of 2FA. It can’t be copied, and if you lose it, you will know and can disable that key on your accounts. So that is why you need that second key. Naturally, I didn’t stop there.

The full range of modern U2F keys
YubiKey 5 Series image from Yubico

I also picked up a couple of the Nano keys. Those are the tiny ones on the right. I leave them in my computers all the time. Yes, you might think that’s risky, but I’ll know right away if I’ve lost a computer or the U2F key in it.

Setting Up 2FA The Right Way

Here’s the scary part: committing to U2F. So now you have the two (or more) hardware keys you need. The good news is you can still keep your TOTP active, and get rid of it when you feel brave enough to let it go. Here we go:

  1. Log in to your account that supports U2F. There aren’t many places that support it, but it’s still a time-consuming process. Since most users have a Google account, I strongly suggest joining their Advanced Protection Program.
  2. Find their 2FA section so you can add your key(s) to your account. Give each key a unique name. I have different model keys, so I named them after the model. Some people sharpie them, or put special key rings on them.
  3. Once you’ve added your keys everywhere you’re going to use them, put one of the keys in a safe place. Many people put them in a safe deposit box. It’s inconvenient, but will be a lifesaver if something happens to that first key.
  4. As soon as you’re confident in your new setup, you can disable your old TOTP if you had that before. They should still offer you some recovery codes just in case.

Done and Done

I did mention that I had more than a couple of keys. My main ones are the nanos that are always plugged in. I keep my NFC key in my wallet. It’s nice and flat, and the keys are extremely rugged. The plain $20 key is my backup that I have stored away in a safe place.

After all this, there’s only one peculiar snag. The iPad Pro isn’t technically supported. It doesn’t have NFC, but it’s USB-C. It turns out my Nano 5C doesn’t work in the iPad Pro. But if I plug in one of my blue keys with an A-to-C adapter, it works. There’s more than one way to do 2FA the right way.

YubiKey on Keychain

I Have Questions

Update: March 20, 2022

I was wondering how secure these really are. Can someone clone this? Is this like TOTP where it has to be in sync? How does this create a unique secure connection?

This wonderful video answered all that: