Besides using long, random passwords (and a password manager to remember them), one of the best ways to secure an account is Two Factor Authentication (2FA).
Two factor authentication combines something you know (a password) with something you have (your phone). The most common form is SMS: after you enter your password, the site texts a six digit code to your cellphone, and you must enter that code before the login completes. Apple makes this easy by spotting these codes in Messages and offering to paste them into the field.
There are two problems with this. The first is that it assumes your cellphone number is uniquely yours and always will be. Attackers have tricked carriers into moving a victim's number to a SIM they control (SIM swapping); once they receive your texts, they get the codes and can take over any account protected only by SMS.
The second is that it makes accounts hard to share. My bank uses 2FA, but my wife and I have to share the same account. When she logs in, she has to text me to get the 2FA code that's sent to my phone.
There's another, more secure way of doing 2FA: the code is generated by a time based algorithm rather than sent over SMS. In the old days you would carry a physical token that displayed a new six digit code every 60 seconds. The token and the server shared the same secret key and the same algorithm, so each could compute the current code independently and nothing had to travel over the phone network. You had the password (something you know) and the token (something you have).
These physical tokens are still around, but apps like Google Authenticator now emulate them: the secret is loaded into the app once, usually by scanning a QR code, and the app generates the codes from then on. With an authenticator app you can use 2FA without relying on SMS text messages.
I've been using 1Password almost since it came out. A few revisions ago, 1Password got the capability to be a 2FA code generator. One of the things I now notice is that 1Password warns me if a site supports 2FA and I don't have it set up. Sort of pushing me. It also has a field type called One-Time Password that I found out is for 2FA.
However, I didn't use 1Password or app based 2FA because I worried it would be too complex, and I might end up locking myself out of my accounts. After all, Apple's copying and pasting of SMS 2FA codes made SMS based 2FA simple. I also worried I might lock myself out of my account if my 2FA didn't work. Besides, these sites tell me I can use Google Authenticator. Can I use 1Password too?
It turns out that the algorithm that generates the time based codes is an open standard (TOTP, RFC 6238, built on HOTP, RFC 4226), so any app that implements it produces the same codes from the same secret. When a site says it supports Google Authenticator, it really supports hundreds of authenticator apps, 1Password included. Plus, there was my bank account where my wife has to text me whenever she logs in.
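To show what "the same algorithm on both sides" means in practice, here is an added example (not code from the original post or from 1Password) that implements TOTP from the standard library: it parses the otpauth URL a site hands you behind its "can't scan the barcode" link, derives the 30-second code from the shared secret exactly as an authenticator app does, and checks a submitted code the way a server would, allowing one step of clock drift. The otpauth URL below is constructed for the example; its secret is the RFC 6238 Appendix B test key ("12345678901234567890" in base32), so the codes it produces at the RFC's sample times can be checked against the published test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed for this example: the kind of URL a site shows when you click
# "Can't scan the barcode". The secret is RFC 6238's test key, not a real one.
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")


def parse_otpauth(uri):
    """Pull the label, secret and parameters out of an otpauth://totp/ URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(u.query)
    if "secret" not in q:
        raise ValueError("otpauth URI has no secret")
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": q["secret"][0],
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
        "algorithm": q.get("algorithm", ["SHA1"])[0].upper(),
    }


def decode_secret(b32):
    """Base32-decode the shared secret; sites often omit '=' padding and add spaces."""
    s = b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC the counter, dynamically truncate, keep the last `digits` digits."""
    digestmod = getattr(hashlib, algorithm.lower())
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key, at=None, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238: the counter is the number of `period`-second steps since the epoch."""
    if at is None:
        at = time.time()
    return hotp(key, int(at) // period, digits, algorithm)


def verify(key, code, at=None, period=30, digits=6, algorithm="SHA1", window=1):
    """Server-side check: accept the current step and `window` steps either side
    so a slightly skewed phone clock does not lock the user out."""
    if at is None:
        at = time.time()
    step = int(at) // period
    for delta in range(-window, window + 1):
        expected = hotp(key, step + delta, digits, algorithm)
        # Constant-time comparison so the check does not leak matching prefixes.
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    params = parse_otpauth(SAMPLE_URI)
    key = decode_secret(params["secret"])
    now = time.time()
    code = totp(key, now, params["period"], params["digits"], params["algorithm"])
    print(f"{params['label']}: {code} "
          f"(valid for {params['period'] - int(now) % params['period']}s)")
```

The part worth noticing is that the whole second factor is the secret inside that URL. Whoever has it, whether a phone app, a password manager or an attacker who copied the QR code, can produce valid codes forever, which is why sites show it only once at setup and why the backup codes they offer at the same time are worth keeping.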
I decided to try 1Password with its built in 2FA, and found an account that uses 2FA (according to 1Password), but isn’t that important.
I went into Security Settings and selected the option to enable 2FA. Immediately I ran into an issue: I was supposed to scan a barcode. How do I scan a barcode that is displayed on my iPhone with my iPhone? Do I need to do the setup via my Mac, and then scan it into my iPhone?
Fear not! Below the QR code was a "Can't scan the barcode" link. Clicking there gave me a URL to paste into 1Password. I created a One-Time Password field and pasted it in. Saving the entry in 1Password gave me a six digit code with a countdown that changed every 30 seconds.
The site asked me for this code, so it verified that it worked before enabling 2FA on my account. I entered the code and my 2FA was set up. It was fairly simple. The most complex part of the process was finding where 2FA is set.
Using time based 2FA couldn't be easier. When I am using Safari, 1Password automatically fills the 2FA code into the correct field. 1Password also copies the 2FA code to the clipboard in case it wasn't automatically filled in. And if all else fails, it's not hard to bring up 1Password in the share sheet and copy the 2FA code.
My only regret is that I didn't do this earlier. Using 1Password with time based 2FA codes is easy to do and simple to set up. It adds extra security to your accounts without a lot of additional hassle. The hardest part of the process was finding the setting to set up 2FA for a particular site in the first place.
It's actually even easier on the Mac. 1Password brings up a scanning screen for those QR codes. When you create a One-Time Password field, a translucent window comes up; you place it over the QR code and 1Password reads it and fills the field in for you.
If you're not using 2FA, go to 1Password, look for all entries with a 2FA tag and set them up. This is especially true for financial sites. When you do, save the backup or recovery codes the site offers at setup; they are what gets you back in if the 1Password entry is ever lost.