I already explained in a previous post how passwords have become a very important part of our digital lives. I told you how to build an effective password and how to use Bitwarden to store them without losing our minds. So we should have solved the password problem for good, right? Well, sorry to disappoint you, but there’s still one more step to take: enabling two-factor authentication.

What is two-factor authentication

When we log in to a website we are authenticating ourselves to that site, meaning the site is trying to figure out whether we really are who we say we are. In almost all cases this check is done with a username and password. As we have seen, passwords are insecure, and some of our habits¹ make them even less secure. To address this problem, the idea is to identify users not only by their knowledge of a password, but also through an additional factor.

This second factor can take different forms. You have surely used 2FA to access your online banking: after logging in with your username and password, you are asked to confirm access with a code generated by a token or received by text message. Lately another popular approach is to confirm the login through another device, such as a smartphone. In all these cases you are using two-factor authentication, or 2FA.

By now it should be clear that there is no single way to implement 2FA; several solutions are available. One of the most popular is a temporary code called an OTP (one-time password). Many services let the user generate the code independently through dedicated applications. In other cases you have to use a proprietary application (a big pain), receive the code by SMS (certainly the least secure option) or use dedicated hardware (probably the best solution from a security point of view, but one that involves buying the hardware).

In the app stores there are certainly several applications that can generate OTP codes. Among the most popular, and often recommended when activating 2FA, are:

Some of these apps are more problematic than others, but they all share one pretty big problem: they are closed source. Since there are good, free alternatives for both mobile operating systems, I see no reason not to use them, so below are my suggestions.

You don’t like my suggestions? That’s okay, go ahead and use one of the apps mentioned above; the important thing is to use two-factor authentication.

How to enable two-factor authentication

Of course, there is no universal procedure that applies to every site, but the steps to follow are usually the same. The first thing to do is locate the page where two-factor authentication can be enabled; generally this setting lives in the account security section. If you have trouble finding it, a search like “2FA site-name” should clear things up.

Once you start the setup procedure you will be shown a QR code containing the information needed to generate the temporary codes. Scan this code with the 2FA app you downloaded earlier; scanning fills in all the required fields automatically. You can usually edit these fields too, but if you don’t know what you’re doing it’s better not to touch anything except the icon associated with the service. At this point your application is able to generate OTPs.

Adding a service on Aegis

To confirm 2FA activation, go back to the website and enter the code generated by the app in the appropriate field. Remember that the codes have a short lifetime (usually 30 seconds), so if something goes wrong make sure you are entering a code that is still valid. If the problem persists, repeat the process. That’s it: from now on, when you log in to the site you will be asked for the temporary code generated by the app in addition to your username and password.
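To make the QR code and the 30-second codes less mysterious, here is an added example that is not code from the original post or from any of the apps it mentions. The QR code shown during setup encodes an otpauth:// URI carrying a shared secret; the app derives each code from that secret and the current time using TOTP (RFC 6238), which is HOTP (RFC 4226) with the counter set to the Unix time divided by the period. The site and account names below are constructed, and the secret is the public test secret from those RFCs, so nothing here is a real credential.

```python
"""
Added example (not from the original post): what a 2FA setup QR code
carries, how the app turns it into 30-second codes, and how a site
checks them.  Sample site/account are constructed; the secret is the
public RFC 4226/6238 test secret ("12345678901234567890" in Base32).
"""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample of the URI a 2FA setup QR code typically contains.
SAMPLE_QR_PAYLOAD = (
    "otpauth://totp/ExampleSite:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    "&issuer=ExampleSite&algorithm=SHA1&digits=6&period=30"
)

_DIGESTS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth_uri(uri: str) -> dict:
    """Pull out the fields the app fills in automatically when it scans the QR code."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth:// URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    label = unquote(parsed.path.lstrip("/"))          # "Issuer:account"
    issuer_from_label, _, account = label.partition(":")
    return {
        "issuer": params.get("issuer", issuer_from_label),
        "account": account or label,
        "secret": params["secret"],
        "algorithm": params.get("algorithm", "SHA1").upper(),
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
    }


def hotp(secret_b32: str, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """HOTP (RFC 4226): HMAC over the big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)  # restore Base32 padding
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), _DIGESTS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at_time: int, period: int = 30,
         digits: int = 6, algorithm: str = "SHA1") -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the clock."""
    return hotp(secret_b32, int(at_time) // period, digits, algorithm)


def seconds_remaining(at_time: int, period: int = 30) -> int:
    """How long the code shown at `at_time` stays valid before it rolls over."""
    return period - int(at_time) % period


def code_from_qr(uri: str, at_time: int) -> str:
    """What the app displays after scanning `uri`, at Unix time `at_time`."""
    cfg = parse_otpauth_uri(uri)
    return totp(cfg["secret"], at_time, cfg["period"], cfg["digits"], cfg["algorithm"])


def verify_totp(secret_b32: str, candidate: str, at_time: int, period: int = 30,
                digits: int = 6, algorithm: str = "SHA1", window: int = 1) -> bool:
    """Server-side check: accept the current step and `window` steps either side.
    This tolerance is why a code typed just after it rolled over usually still works."""
    step = int(at_time) // period
    for delta in range(-window, window + 1):
        if step + delta < 0:
            continue
        expected = hotp(secret_b32, step + delta, digits, algorithm)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    import time
    now = int(time.time())
    cfg = parse_otpauth_uri(SAMPLE_QR_PAYLOAD)
    print(f"{cfg['issuer']} / {cfg['account']}: {code_from_qr(SAMPLE_QR_PAYLOAD, now)}"
          f" (valid for {seconds_remaining(now, cfg['period'])}s)")
```

Two things worth noticing: the QR code is the secret, so anyone who photographs it can generate your codes, which is why the app data (and its backup) must be treated like a password; and the server accepts neighbouring time steps, so a code that has just expired on screen often still works, but one from a minute ago will not.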

The importance of backups

If you’ve followed this guide carefully you should now have a question in your head: “What if I don’t have my phone with me? What if I lose it? How do I log in?” The answer is simple: you can no longer log in². I know, I know, you don’t like this answer at all, but don’t worry, a solution exists and it’s called a backup.

Backups can be performed at two different levels:

  • at the web service level
  • at the 2FA application level

In the first case, the web services on which you have enabled 2FA provide you with backup codes. Each code can be used only once and lets you log in without the OTP generated by the application. You generally don’t have to do anything special to obtain the backup codes, as they are generated when two-factor authentication is activated. Your only task is to copy these codes onto a piece of paper and store it in a safe place.
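As an added example, not code from the original post or from any service it mentions, here is one way a web service can issue and redeem single-use backup codes of the kind described above. The service keeps only a hash of each code, and a code is deleted the moment it is redeemed, so it cannot be used twice; the alphabet and code format are my own choices.

```python
"""
Added example (not from the original post): issuing and redeeming
single-use backup codes on the service side.  Only hashes are stored,
and a redeemed code is removed so it can never be used again.
"""
import hashlib
import hmac
import secrets

# Alphabet without 0/O and 1/l/I so codes copied onto paper are hard to misread.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def normalize(code: str) -> str:
    """Accept what a user is likely to type: any case, with or without the dash."""
    return code.replace("-", "").replace(" ", "").lower()


def hash_code(code: str) -> str:
    # SHA-256 keeps the example short; codes this short would merit a slow
    # password hash (e.g. hashlib.scrypt) in a production system.
    return hashlib.sha256(normalize(code).encode()).hexdigest()


def generate_backup_codes(count: int = 10, length: int = 10) -> list:
    """Create `count` random codes, formatted as xxxxx-xxxxx for readability."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(CODE_ALPHABET) for _ in range(length))
        codes.append(f"{raw[:length // 2]}-{raw[length // 2:]}")
    return codes


class BackupCodeStore:
    """What the service persists for one account: hashes only, never plaintext."""

    def __init__(self, codes):
        self._hashes = {hash_code(c) for c in codes}

    def remaining(self) -> int:
        """How many unused codes the user still has."""
        return len(self._hashes)

    def redeem(self, candidate: str) -> bool:
        """Return True and burn the code on a match; False otherwise."""
        digest = hash_code(candidate)
        match = None
        # Compare against every stored hash in constant time per entry.
        for stored in self._hashes:
            if hmac.compare_digest(stored, digest):
                match = stored
        if match is None:
            return False
        self._hashes.remove(match)   # single use: gone once redeemed
        return True


if __name__ == "__main__":
    codes = generate_backup_codes()
    print("Give these to the user once, to be written down:")
    print("\n".join(codes))
    store = BackupCodeStore(codes)
    print("first use :", store.redeem(codes[0]))
    print("second use:", store.redeem(codes[0]))
    print("remaining :", store.remaining())
```

The user-facing consequence is the one the post describes: the codes are shown exactly once, so if you do not write them down at activation time the service cannot show them again, only regenerate a fresh set.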

In the second case, you have to back up the application data used to generate the OTPs yourself. With a backup of the app data you can set the app up again on another device without losing anything. All the apps I have recommended include a wizard to create backups and make your life easier. Again, it is important to keep your backups in a safe place.

Which of the two solutions should you choose? The best choice is not to choose: use both, so that you have a double backup and further reduce the risk of being locked out.

  1. Yes, I’m talking to you, the one who uses a single password for all your services. ↩︎

  2. With some web services you can contact support and ask them to disable two-factor authentication on your account. In an emergency this mechanism can be a godsend, but it fundamentally reduces the effectiveness of 2FA. ↩︎