If you decide to get your 2FA codes via SMS, for example, the code could potentially be intercepted by hackers, as researchers for Positive Technologies demonstrated in 2017. That said, SMS authentication is still far better than nothing. In May 2019, Google announced a one-year study it did in partnership with New York University and the University of California, San Diego. The trio found that SMS authentication blocked 96 percent of bulk phishing attacks, and 76 percent of targeted attacks trying to crack into your Google account. That’s not bad protection, but Google’s on-device prompt strategy (we’ll cover this later) was even better, blocking 99 percent of bulk phishing attacks, and 90 percent of targeted attacks.

App-based two-factor authentication is similar in that the second step is generated on the smartphone itself. So while this study didn’t mention 2FA apps specifically, we expect the results would be the same as, if not better than, an on-device prompt.

The fact is, using a software- or hardware-based 2FA solution on a device you own is a great way to protect your account, and far better than simply using SMS.

Software options

Any service that supports the standard OTP 2FA approach will work with all of the apps below, and that includes most mainstream websites and services. One notable exception is Steam, which provides a homegrown 2FA option in its mobile app.

LastPass Authenticator: Runner up

LastPass’s free authentication app uses a feature called one-tap push notifications that lets you log in to select sites on PCs with a click instead of entering codes. LastPass has a video on YouTube demonstrating the feature. One-tap logins work with LastPass itself, and also with five third-party sites including Amazon (not including AWS), Google, Dropbox, Facebook, and Evernote. To use one-tap notifications you must have the LastPass extension installed in your browser and enabled. That means you must have a LastPass account, but a free one will do. These one-tap logins are browser specific so if you one-tap log in on Chrome you will have to log in again if you use Microsoft Edge, for example.

It may all seem rather mysterious, but here’s what’s going on behind the scenes with one-tap logins on third-party sites. When a user logs in to a compatible site, the LastPass browser extension sends a push notification to the user’s phone, which alerts the user that a login is being requested. The user taps Allow on the phone, and a confirmation message is returned to the extension that includes the required 2FA code. The extension receives this information, provides it to the website, and the user is logged in.

LastPass Authenticator also integrates with several sites owned by the password manager’s parent company, LogMeIn, to offer a similar type of one-tap login. These sites include LastPass, LogMeIn Pro/Central, GotoAssist, LogMeIn Rescue, Xively.

Authy’s free service aims to solve that problem by storing all your 2FA tokens (the behind-the-scenes data that makes your 2FA codes work) in the cloud on its servers. To use this feature you have to enable encrypted backups first, and then your tokens are stored on Authy’s servers. That way when you log in to any Authy app, be it on your smartphone, tablet, or Windows or Mac laptop, you’ve got access to your codes. There’s even a Chrome app for Chrome OS users.

Multi-device access to your 2FA codes is awesome, but it does come with a drawback. Authy says your backups are encrypted based on a password entered on your smartphone before hitting the cloud. That means your passcode is the only way to decrypt them, and Authy doesn’t have it on file. If you forget your passcode you can get locked out of your accounts since you won’t have the 2FA codes. How you regain access to each account depends on each service’s account recovery policies. If you’re new to 2FA this might not be the app for you unless you’re prepared to take proper steps to ensure you never lose access to Authy, like writing down your passcode and storing it somewhere safe.

The absolute safest way to lock down your accounts with two-factor authentication is to use a physical security key. In the Google study I mentioned earlier, it found that security keys blocked 100 percent of bulk phishing and targeted attacks. The downside of using a security key, however, is that if you ever lose or break your key you could be locked out of your accounts, and you’ll have to switch your second-factor authentication method to a new key.

Yubico Authenticator

Yubico’s YubiKey is a hardware-based 2FA solution. It’s a small card-like device with one end that slots into a standard Type-A USB port. It can verify authentication with a button press instead of manually entering a short code.