2FA and tips

Understanding how 2FA works to make your online presence more secure, the best 2FA apps, and better backup methods.

What is 2FA?

2FA stands for two-factor authentication, which….. yeah, this isn’t going to be the same as every other 2FA article out there. Assuming you already use a 2FA app, this article will give you tips to enhance your online security. In case you don’t know what 2FA is, have a read of this Discord article on securing your account with 2FA. It covers the basics and is applicable to almost any online service or website that lets you add TOTP 2FA to your account.

Things you should know about 2FA …

The most common type of 2FA is a Time-based One-Time Password (TOTP), which generates a 6-8 digit code every 30-60 seconds (the length and interval vary based on the service’s settings).

The QR code contains the 2FA key, also referred to as the token, secret, or seed. Some services also embed the service name and the email address of the account alongside the secret in the QR code when you enable 2FA.

Example of enabling 2FA on Discord

  1. When you enable 2FA, the QR code / secret seed that you input into the 2FA app is “permanent”. If you save the QR code / 2FA key, you can input it into any 2FA app in the future and it will generate the same TOTP codes.

  2. In the same manner, you can input the 2FA secret seed / scan the QR code into multiple apps and they will all generate the same 2FA codes.

  3. You can use almost any 2FA app, even if the service you’re enabling 2FA for tells you to use Google Authenticator (like the image above).

  4. Some apps let you export your 2FA keys, which allows you to migrate to another app.

Knowing these four facts, you can improve your online security in a number of ways.
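To make facts 1-3 concrete, here is an added example (not from the original post) in Python: it parses the kind of otpauth:// URI a service’s 2FA QR code encodes, shows the account label the QR code carries alongside the seed, and implements the RFC 6238 TOTP calculation so you can see that any app holding the same seed produces the same codes. The URI and its secret are constructed sample values, not a real account’s seed.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample of what a service's 2FA QR code actually encodes:
# an otpauth:// URI carrying the account label and issuer next to the secret.
# The secret is a made-up base32 value, not any real account's seed.
SAMPLE_URI = ("otpauth://totp/Discord:alice%40example.com"
              "?secret=JBSWY3DPEHPK3PXP&issuer=Discord&digits=6&period=30")


def parse_otpauth(uri):
    """Extract label, issuer, secret, digits and period from an otpauth:// URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    return {
        "label": unquote(parsed.path.lstrip("/")),  # reveals which account this is
        "issuer": params.get("issuer"),
        "secret": params["secret"],                 # the permanent seed
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


def totp(secret_b32, at_time=None, digits=6, period=30):
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 seed at a given Unix time."""
    if at_time is None:
        at_time = time.time()
    secret_b32 = secret_b32.strip().replace(" ", "").upper()
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    counter = int(at_time) // period            # 30-second time step by default
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


if __name__ == "__main__":
    info = parse_otpauth(SAMPLE_URI)
    print("QR code reveals account:", info["label"], "/", info["issuer"])
    # Two "apps" holding the same seed produce identical codes for the same time step.
    now = time.time()
    app_a = totp(info["secret"], now, info["digits"], info["period"])
    app_b = totp(info["secret"], now, info["digits"], info["period"])
    print("app A:", app_a, "app B:", app_b, "in sync:", app_a == app_b)
```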

Better Backups & Multiple Backups

The first tip is to take better backups. Most services give you several one-time-use backup codes after you enable 2FA. ALWAYS SAVE THESE BACKUP CODES. The majority of services will not let you access your account or disable 2FA if you lose both your 2FA method and your backup codes. Here are some ways to save your 2FA backup codes, ordered from least secure to most secure.

  1. Save in a text file on your computer

  2. Save in a text file on a different device

  3. Create a brand new email account, save it as a draft email

  4. Create a free Bitwarden account, save your codes there

  5. Print out or hand-write your backup codes and keep them somewhere safe

You could also save the 2FA key itself in multiple ways. Here are a few, in no particular order:

  • Take a screenshot of the QR code or 2FA key (let it sit in some folder)

  • When enabling 2FA with one authenticator app, scan the same QR code with another app at the same time. The codes will always be the same and in sync

  • Create a Bitwarden account and save your 2FA key in a secure note

Saving the QR code, as opposed to just the 2FA key, is less secure because the QR code usually also reveals which account the 2FA key is linked to. The 2FA key on its own (usually) gives no such information. You can see this for yourself by scanning the QR code with an authenticator app.

Keep in mind that the more backups you have, the less secure you are, since there are more “access points” to your 2FA.

Which 2FA apps to use

This one is personal preference. But I will say: stop using Authy and Google Authenticator. Are they bad? Not at all, just some little annoying things. Authy feels like it hasn’t been updated since 2008. The desktop app is sub-par and their apps have one of the oldest UI / UX designs I’ve seen. It doesn’t help that Authy was hacked in 2022. Google Authenticator is the most popular 2FA app, which is concerning since there are quite a few security concerns with it, including a lack of encryption.

There’s a trade-off between convenience and security

The quote above applies to all things security. You may be tempted to use an app like Authy that has a desktop client, but if your laptop ever gets stolen, the thief can have access to all your 2FAs. Authy also ties your account to your mobile phone number, which makes it possible to lose access to your 2FAs if you fall victim to a SIM swap attack. Here are a few of the (better) alternatives to Authy and Google Authenticator.

2FAS is an open source authenticator app for Android and iOS. It has cloud backups and can import directly from Google Authenticator. You can set a PIN to unlock the app and export your 2FA keys as a password-protected encrypted file for an offline backup. They also have a browser extension so you don’t need to type the 2FA code manually, but you still need to “approve” on mobile before the code is copied (the most secure and convenient option in my opinion).

Raivo OTP is the best iOS-only OTP app out there. It also has a Mac app to instantly copy OTPs. Open source, cloud backup and encrypted offline backup, PIN locking for the app, and more!

I personally use Step Two. It is one of the most beautifully designed 2FA apps and is the only paid application on this list. It costs $10 one time. It has Mac, iPhone and Apple Watch apps (perfect for those in the Apple ecosystem). You can export your 2FAs; however, the app does not offer locking the app like the others on this list.

For Android users, Aegis seems to be the best open source 2FA app. It encrypts all of your tokens at rest and requires a password or a fingerprint to decrypt them.

Last but not least, if you use a password manager, most good password managers let you store your 2FAs in them, making them easier to access and autofill, with the downside that both your passwords and your 2FAs live in one app.

Not an app, but you could use a YubiKey to store 2FAs as well. The YubiKey is a physical device that stores the 2FA secrets. Just like a house key, anyone holding the YubiKey gets access to the 2FAs. But since it is something physical, it is impossible for it to get “hacked”.

Hope you learned something useful!

For any feedback or if you need any help feel free to join the Discord, fill in the contact or simply reply back to this email.

This was actually long. If you made it to the end, you a real one!
- Daksh