Once you’ve begun to manage passwords, you will also want to take advantage of something known as Two-Factor Authentication (also known as 2FA, 2-Step Verification, HMAC-based One-time Password: HOTP, Multi-Factor Authentication: MFA, One Time Password: OTP, SecurID, Time-based One-Time Password: TOTP, Universal 2nd Factor: U2F, Yubikey, etc.). Rather than just a single password that can be guessed or stolen, Two-Factor Authentication requires two pieces (something you know, and something you have). Today, most of the websites you already know and love offer some form of Two-Factor Authentication, but it’s not always obvious or easy to get it set up. However, this feature is critical to helping ensure the continued security of your accounts. Always check whether a service you use has a form of Two-Factor Authentication available. Below is a set of links that should cover most services and give you an idea of how to set each of them up.
You should use DUO Security and Krypton/OTP/U2F/Yubikey as much as possible when available. Otherwise, use the Authy App in place of “Google Authenticator” on any website. I recommend it so that your Two-Factor codes are backed up online in case of phone loss/theft.
While SMS (short message service / text messaging) is generally offered as a Two-Factor Authentication method, it is recommended to avoid it if at all possible: “SMS-based 2FA is better than no 2FA at all, but only minimally so.”
In some cases, you may need to enable SMS-based Two-Factor Authentication before you can enable other options and then disable/remove SMS.
Personal Security Stack: Layer 2
- Super modern and secure way to two-factor authenticate without codes.
- Lots of Integration: LastPass, WordPress, SSH, etc.
- Create an account at duo.com
- Generate and save the credentials into your Offline Password Manager.
- Use the Documentation to integrate as much as possible.
- You should always choose a DUO Integration or Krypton/OTP/U2F/Yubikey above all other options.
- Authy is recommended for any Google Authenticator codes.
- Strongest form of two-factor that relies on a physical security key (or your Phone if using Krypton)
- Enable on any websites that support it:
- Best primary option, and allows you to use Google Authenticator
- Better security than SMS.
- Full compatibility with any Google Authenticator codes.
- Cloud Backup & Sync of Authenticator codes.
- Allows you to still access and recover your Authenticator codes in case of loss/theft and/or phone change.
- Sign up at authy.com
- Generate and save the Authy credentials into your Offline Password Manager.
- Create an Authy Backups Password, and save it to your Offline Password Manager.
- Use turnon2fa.com & twofactorauth.org to enable Two Factor Authentication on as many websites as you can! Use Authy in place of Google Authenticator when being asked to scan a code.
- SMS-based 2FA is better than no 2FA at all, but only minimally so.