Has cyber security been a challenge in your government organization? Are you looking to improve your government's network security? Learn more about how to improve your government organization's security by viewing our on-demand webinar!
Why Use Multifactor Authentication?
I have been a big proponent of multi factor authentication for quite a long time. I believe that using 2FA (Two Factor Authentication) adds an extra layer of security that we all need. I use 2FA on as many sites as I can, as well as installing it on my own blog. My logic is fairly straight forward. If someone tries to hack into my accounts, they may be able to get at my and username and password, but unless they wish to take my phone away at the same time, they are unlikely to be able to hack my accounts (now that I have said that, I'll most likely be hacked).
Authy and Authenticator
I switched from Google's Authenticator app to Authy so that my 2FA tokens would be backed up in the cloud. In this way I wouldn't have to go through disabling all my 2FA accounts when I switched phones. This was a real draw. I was easily able to switch applications. I created a backup password that I would need to use in order to decrypt the Authy tokens when I changed phones. Every so often Authy would prompt me to enter my backup credentials to make sure I would remember them. After a while I fell into the trap of ignoring this message, dismissing it without entering the password.
Everything was running along smoothly until recently when I had to get a new phone. My phone was run through the clothes washer - it was very clean, but would not turn on (I didn't even try until I had left it over night, buried in rice). So off to the store to buy a new phone I went, and ended up with a Samsung Galaxy S8. Almost everything was able to download to the new device, except that I had to put in all the new settings. (still not finished) That is when I discovered I was unable to access my Authy tokens, because I had forgotten the backup password. Authy support, although very understanding, couldn't help because they don't store the backup passwords in plain text.
I was eventually able to get into all my accounts, and either disable and re-enable 2FA, or use a different token to gain access and change the 2FA code. I would like to put these tokens in Authy again, but so far I have been unable to delete my account in order to do so. Right now they reside in the Google Authenticator app where they are not being backed up, although I did generate a new set of recovery codes in case I am unable to get access to my phone.
UPDATE: I was finally able, with the help of Authy support, to delete the encrypted Authy tokens and create new ones. I now have the backup password stored in a safe place.
The take away:
So the question most people ask now is "If it is so much trouble, why do it at all?" The answer is easy. If you don't use multi-factor authentication you could have your email, and other accounts, more easily compromised and become another John Podesta. Yes, two factor authentication does involve another step. Yes, it does involve some setting up to begin with. But you have to ask yourself one simple question, what is "not getting hacked" worth to you? For instance, is it worth a little setup time and a fairly short delay when logging in? I believe the answer has to be Yes.