Category Archives: 2FA

Take it to eleven with two factor authentication (2FA)


In a prior post I talked about how you need to up your game in terms of password management. In this post I will talk about taking the management of your online identities to the next level.

I’m not going to dance around on this issue – in addition to a solid password management strategy, you really should be using two factor authentication (2FA, often also called multi-factor authentication or MFA; the term U2F that you may also see is one specific hardware-key standard, not a synonym) whenever possible. This essentially means that in order to access a resource (such as your email or a web site) the “first” line of authentication is a password, and an additional and unrelated method is the “second” form of authentication.

Some common examples of 2FA include, roughly from weakest to strongest:

  • Security questions (example: what was your high school mascot?). Strictly speaking this is a second password rather than a second factor, since it is still something you know.
  • Sending an email to you with a one-time use code.
  • Sending a text message to your cell phone with a one-time use code.
  • Voice recognition / face recognition.
  • A code generator application or hardware token.

The security question method has been around for many years. The weakness of this system is that there are a limited number of questions in the world, and the answers are easily “socially engineered”. For example, “what was your high school mascot?” adds a false sense of security given that this information can be looked up for most people with a profile on LinkedIn, Facebook, and other social networking web sites. In addition, if you have unique question and answer combinations that you reuse, and those become compromised, you are vulnerable and may not even realize it. (One idea that a friend of mine employs is to use fake personal data, including his birth date, where he went to school, and a whole host of fake questions and answers. He has a good time celebrating his “fake birthday” every year, but I’m honestly not sure how he keeps track of all that information.) A simpler version of the same trick is to answer with random strings and keep them in a password manager.

The email method has numerous weaknesses, including but not limited to the fact that email is itself fairly insecure. Many hacks start with taking over an email account, and then doing password resets (which send the reset link to the email address of record). If you lose control of your email account, it can be a chaotic process to get control back.

Text messages to cell phones have become a popular means of 2FA. Please know that there is a risk associated with this. Cell phone accounts have a number of weaknesses, the most serious of which is called a “cellphone hijack” or “SIM swap”. In this scenario, someone uses social engineering against your carrier to have your phone number moved to a phone they control, and then receives your 2FA codes and uses them to access your accounts.

The most secure and widely used method of 2FA is the code generating application. This is sometimes in the form of a small device you carry with you (companies like RSA with SecurID and Symantec with VIP Access have been providing this service to corporations for years). This is sometimes in the form of a proprietary application that is tied only to that one service – for example Yahoo!, GMail, Salesforce, and Facebook all have authentication applications tied directly to their service. There are also multipurpose applications that will enable you to use 2FA across a wide spectrum of services. Two of the most widely used examples of this are Google Authenticator and Authy (although there are numerous others). The basic premise is that during setup the service and your device share a secret key; the app combines that key with the current time to produce a short code (typically six digits that change every 30 seconds), and the service computes the same code on its side to check it. Because the secret never leaves your device and each code expires within seconds, this type of 2FA is much harder to hijack. It is not immune to phishing, though: a code typed into a fake login page can be relayed to the real site while it is still valid, so check the address bar before you enter one.

There is a 1984 movie called “This is Spinal Tap”. It was one of the first “spoof documentaries”, and chronicled a hard rock band. There is a memorable scene in which one of the lead characters discusses the amplifiers that they use, which have a unique feature: volume knobs that go to 11 instead of the normal 10.

I realize that it is a goofy clip, from a goofy movie. What I’m hoping is that the reference is just memorable enough to drive home this one idea: it is time for you to up the level of your online security. It is time to take it to eleven with 2FA.

Your Password Stinks


I have bad news. I hope you don’t take this personally. Your password (probably) stinks.

Let’s face it, passwords are a major pain to keep track of. Every web site that you visit will ask you to create a new user id and password. It quickly becomes daunting.

For simplicity, I’m going to use the pronoun “we”, since I am just as guilty as you are.

The most common crutch that we use is “reuse”, i.e. we use the same password. Again. And again. Rinse, lather, repeat. The problem with this approach is that once that password becomes compromised, the bad guys may have access to your bank accounts, your investment accounts, your online shopping accounts. The list goes on. Anywhere that you used the same combination of user id and password, you are vulnerable. Assume for sake of argument that you have a Yahoo! email account that was compromised. (Oh wait, that actually happened.) Now the hackers have a combination of user id and password that they can, with minimal effort and automated tooling, try on an enormous number of other web sites.

There are other crutches that we use: we write down our passwords (don’t do this!), we use short passwords (it turns out that the longer the password the better; 8 characters is the bare minimum, 16 characters is really good), we use personal information in our passwords such as a child’s birthday or the street we live on (stop doing this), we use words that you can find in the dictionary, with or without “clever” substitutions like “P@ssw0rd” (definitely don’t do this), we never change our passwords (you should change a password promptly whenever it may have been exposed). The list could go on and on.

I am speaking from personal experience. Full mea culpa: I used the exact same user id and password for years. I used it on name brand websites such as Yahoo! Mail. I used it on fly by night websites where I thought to myself “this web site probably won’t be here a year from now”. I’ve used it for eCommerce transactions on web sites that I assumed I would only visit once in my lifetime. Eventually this behavior came back to haunt me. Someone used those reused credentials on an eCommerce site, and ordered themselves a laptop. I had forgotten that I even had a login to this particular web site, so you can imagine my surprise when I received an order confirmation email for a new laptop. When I went to go and reset my password, the web site actually sent me an email with my “old” password. This was painful confirmation that it was the same user id and password that I used…everywhere. (I would later estimate that I had used the same user id and password over 50 times.)

There is a better mousetrap. A relatively simple way to overcome your stinky password habit is to use a password management system.

There are two primary functions that these services provide: first, they are a master repository of your passwords, so you never need to reuse one, and secondly, they generate long and completely random passwords for you.
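As an added example (not code from the original post or from any of the password managers mentioned), the following turns the bad habits listed above into a checker, and shows the second job of a password manager, generating uniformly random passwords from the operating system’s cryptographic random source. The word list and the “personal facts” are constructed stand-ins for a real dictionary or breached-password list.

```python
import math
import re
import secrets
import string

# Constructed stand-in for a real dictionary / breached-password list.
COMMON_WORDS = {"password", "welcome", "letmein", "dragon", "monkey",
                "football", "summer", "qwerty", "iloveyou"}

# "Clever" substitutions that attackers' cracking rules undo for free.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{};:,.?/"


def weak_password_reasons(password: str, personal_facts=()) -> list:
    """Return the bad habits detected in a password. An empty list means none of
    these particular habits were found, not that the password is strong."""
    reasons = []
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    elif len(password) < 16:
        reasons.append("shorter than 16 characters")
    # Undo leet substitutions and drop everything but letters before the word check.
    normalised = re.sub(r"[^a-z]", "", password.lower().translate(LEET))
    if any(word in normalised for word in COMMON_WORDS):
        reasons.append("built on a dictionary word")
    if re.search(r"(19|20)\d{2}", password):
        reasons.append("contains a year (birthdays, anniversaries)")
    for fact in personal_facts:          # e.g. street name, child's name, pet's name
        if fact.lower() in password.lower():
            reasons.append(f"contains personal information ({fact})")
    return reasons


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """What a password manager does for you: a uniformly random string from a CSPRNG.
    `secrets` is used rather than `random`, whose output is predictable."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Strength of a uniformly random password: log2 of the number of possibilities."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "Summer2019!", "MapleSt2010"):
        print(candidate, "->", weak_password_reasons(candidate, personal_facts=("Maple",)))
    for n in (8, 16, 24):
        print(n, "random chars:", generate_password(n), f"({entropy_bits(n):.0f} bits)")
```

The entropy figures are the point of the second half: every extra random character from this 86-symbol alphabet adds about 6.4 bits, so 16 characters give roughly twice the bits of 8, and a 16-character random string is far out of reach of the same cracking rig that would get through “P@ssw0rd” in seconds.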

I have used LastPass for several years (ever since the hacking mentioned above). There are a number of other well regarded services such as 1Password, Dashlane, RoboForm, and others.

There is one final gotcha with password management systems. You need to create a “master” password to get into that system. Some of these systems add extra security by having no password recovery mechanism for the master password: if you forget your master password, you are completely locked out. The method that I have found to work is to have a long pass phrase, that only you know, and that you abbreviate into the password. For example, you can start with a quote such as “If not us, who? If not now, when?” You might turn that into “if<>Uwif<>Nw?3000”. The key is to make it personal, something that you will remember, but that is very hard to guess (and, now that this example is in print, do not use this particular one).


There is no other way to explain it, you simply need to do a better job of creating and managing your passwords. We often use shortcuts of various forms to help manage our passwords, to our own detriment and peril. Know that there is a better way. A password manager can help.