What is 2fa18 Jul 2017 | 7 mins reading time
If you are reading this that means that you probably have no idea what “2 Factor Authentication” means –we geeks call it two-eff-aye “2fa” for short. Since you are reading my blog you are probably trading (hopefully holding) cryptocurrencies and keep seeing the term “2fa” when you register for exchanges. Or maybe you are just looking for more ways to stay secure online and heard some of your friends talking about it.
Regardless of the reason, you’ve come to the right place. In this post I will do my best to explain what 2fa is and why its important. My wife will be editing this blog post to make sure that its written so that people who didn’t have LAN parties in high school will be able to understand.
Something you know
When my wife and I were planning our wedding, she told me that on the wedding day she needed something borrowed, something blue, something old, and something new.
“It’s for good luck” she told me.
2fa is kind of like that. Only instead of good luck, it’s to keep you from being robbed, and you only need 2 things: something you know and something you have.
When you log into Facebook to share this blogpost with all of your friends you use “something you know” to sign in: your password. The problem with passwords is that they tend to get written down on post-its or worse. How much worse?
Ask the folks from Sony.
The hackers that got into Sony’s computers a few years back found over 100 password files with names like “passwords.xls”. These files made it easy for the hackers to gain access to accounts that Sony employees controlled -social media accounts, emails, etc.
Although you may not be the scale of Sony, if you are keeping password files on your computer you’re at serious risk.
Let’s say, for example, you have saved your Coinbase password in a “passwords.xls” file because you “don’t want to forget it”. If someone gains access to your computer, they are just one “passwords” search away from accessing your Bitcoin & Ethereum stockpile.
“But Jimi” you may be thinking “Coinbase requires me to approve login requests from new IP addresses”. Well if you are using your Coinbase password for your email account the hacker could just log into your email and make the approval. They also can change your Coinbase and/or email password so that you no longer have access.
When this happens it’s kind of like when in Jurassic Park Newman locked Samuel L Jackson out of his own computer system. It’s called getting “0wned”. And it sucks. So don’t let it happen to you.
Tip: Don’t use the same password for every site. Install something like LastPass and use it to generate different passwords for every site. Here are some tips on creating a good password to lock down LastPass.
In this game there are no refunds
“But Jimi” you may be thinking “if my Bitcoin gets stolen, I can call Coinbase (or whoever) and get it back just like the bank.”
Right now the cryptocurrency world is doing well and everyone in the market is very excited. It’s like West World where it seems like the bullets from the guns can’t hurt you… but that’s far from reality.
If you are trading cryptocurrency right now you are really in the Wild West.
Bandits can and will take every Bitcoin you have without leaving the confines of their home office. They can do this anonymously which means that the chances that they will be caught are very low. Even if you do report the theft to the authorities, they probably won’t know where to start investigating.
Something you have
As stated above to minimize the risk of getting owned we add another factor the “something you have”.
There is an application that you install on your phone called “Google Authenticator”. Once installed you set it up with each site –Facebook, Coinbase, Poloniex, etc. Then the authenticator generates a unique “One Time Password” (OTP) every 30 seconds for each site. Since this OTP is generated fresh every 30 seconds that means you need to HAVE the device to sign in. Authy is another option.
IMPORTANT When you set up the authenticator on each site you will receive a KEY or a BAR CODE, copy it down on a piece of paper (or print it out) and put it somewhere safe. DO NOT save this on your computer. If someone gets this code, they can put it on their phone and generate your OTP. This means they will have what you have making this whole exercise useless. Also, if you LOSE your device and don’t have the KEY/ BAR CODE, you will be LOCKED out of the website. So be very careful.
How are these codes generated?
One of the questions that I had, when I first found out what OTP was, is “how does it work without talking to the server?” The answer turns out to be fairly intuitive.
The key that I asked you to write down above is shared between the device and the server. On the server, this key and the current time are run through a bunch of fancy math to generate the code. Your phone is also doing this fancy math at the same time as the server so these codes should match. When you send the code to the server it compares your code with the server code and if they match the something you have is verified.
I see there is a setting to send me a text message code instead of setting up an authenticator. Isn’t that good enough?
Nice try. The bandits in these waters are very cunning. There have been many cases of hackers calling cellphone providers and convincing them to change your cellphone number to a different phone.
How do they do this? Its called social engineering and looks like this:
I know that setting up an authenticator seems a bit like a pain but the added protection is worth it.
Ok I’m setup with 2fa and a secure password am I completely safe?
So there you have it, the basics of 2fa. Reading back through this makes me think that I may have instilled a false sense of security so let me leave you with one final thought.
Much like in the physical world, it is very hard (probably impossible) to be completely secure. If you lock the deadbolt on your front door when you go out on vacation that doesn’t prevent a robber from throwing a brick through your front window and stealing your TV.
The point with locking your door is to make the cost of trying to get to the TV higher –hopefully too high to justify the risk.
Assuming that the robber has scoped out the place and found out that nobody is home, the cost of walking up to the door, turning the knob, and gaining access is low compared to finding a rock heavy enough to break the glass. Moreover, if a rock is easily accessible and the robber throws it through the glass the cost could be jail time, if one of your neighbors hears a noise and calls the police.
The robber would need to run this calculation –and probably decide that it isn’t worth it.
In the digital world having a password is the equivalent of locking your doorknob and adding 2fa is like locking your deadbolt.
You are making the cost slightly higher so that an opportunistic “passwords.xls” may turn up a password file (hopefully not after reading this post) but the requirement of a 2fa code makes the hacker run a mental calculation to make sure its worth it to escalate to the digital equivalent of throwing a brick.
I’ll leave digital brick protection to another post though.
Tags: security, cryptocurrency, and guides