What’s this 2FA?
In light of the recent Heartbleed vulnerability in the OpenSSL cryptographic library (which allowed unscrupulous people to capture usernames, passwords and other sensitive information from seemingly secure websites – all these years of saying “look for the padlock” when there was actually an unintentional back-door) I wanted to draw your attention to a feature of many modern websites that adds an extra layer of security in an age where we are entrusting more of our personal and financial data to the internet.
Two-factor authentication (or 2FA for short) prompts you to enter a unique, random code in addition to your password when logging in – the advantage of this is that if your password is compromised, the “hacker” would need access to your chosen 2FA-enabled device (e.g. a smart phone or desktop PC) as well to do anything meaningful.
There are a couple of options for setting up 2FA, the most secure is by running an app on your smart phone, there are variants for the major platforms, but you can also run a 2FA client on your desktop operating system, again there are variants for Mac, Linux and Windows to suit your needs.
The most popular variant of a 2FA client is Google Authenticator, most widely used to secure access to Google’s myriad of services, it has been embraced by other services as a way of adding that extra layer of security to sites. The “Authenticator” client is available for iOS, Android, Windows Mobile and Blackberry via their respective app stores.
If you don’t have a smart phone, or want the convenience of a desktop variant, you will be well served by JAuth (Mac, Linux, Windows – as the name suggests, the “J” in JAuth means you’ll need a recent Java Runtime Environment to run the application – most OS’s should have a JRE installed, if not, visit Java.com to download/install). An alternative Windows-only client, which has the advantage of supporting multiple sites, is the excellent MOS Authenticator.
Regardless of your platform choice, be it mobile or desktop, Mac or Windows, the basic premise of how a 2FA client is the same. More details in the next section.
Configuring Your 2FA Client
So you’ve decided how and where you want to run your 2FA client? OK, here’s a quick tutorial on how to configure it – as mentioned above, the basic setup of a 2FA client is the same for all variants, in this example I’ll use MOS Authenticator to set up 2FA on BTCJam.com.
- Navigate to the settings option in your online account
- Locate the security settings in your online account
- Click on the button/link to enable 2FA – your site should generate a QR code and/or the secret key required to set up 2FA
- Open your 2FA client (MOS Authenticator pictured) and select/click the option to add a new site
- Give the site a name and copy/paste the secret key from the site you want to protect into your 2FA client
- Click on “Add” or similar to save your settings. Your 2FA client will begin generating codes which change every 30 seconds or so. It is important that the clock on your device is correct or you may get “token failure” errors from your site
- Double click or copy the generated code from your 2FA client to the clipboard
- Paste the code into the site you want to enable 2FA on then click on “OK” or “Verify”
- The site will check the code is valid and tell you the outcome
- Configure your 2FA-specific options. Remember, the purpose of 2FA is to prevent a hacker from causing you issues if your account is compromised, so whilst it may seem inconvenient entering a code for certain transactions, it might just save you a headache in the future
And that’s it. In practice, it takes about 2 minutes to set up 2FA.