Adds more details to the 2FA section

This commit is contained in:
Alicia Sykes 2020-01-01 21:37:26 +00:00 committed by GitHub
parent d97dcba38c
commit 0e1574b970
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -22,9 +22,15 @@ Use strong passwords, which can't be easily guessed or cracked. Length is more i
This is a more secure method of logging in, where you supply not just your password, but also an additional code usually from a device that only you have access to. This is a more secure method of logging in, where you supply not just your password, but also an additional code usually from a device that only you have access to.
2FA Apps: [Authy](https://authy.com/) (with encrypted sync), [Google Authenticator](https://support.google.com/accounts/answer/1066447), [Microsoft Authenticator](https://www.microsoft.com/en-us/account/authenticator), [FreeOTP](https://freeotp.github.io) (open souce), [LastPassAuthenticator](https://lastpass.com/auth/) (synced with your LastPass), [Duo](https://duo.com/product/multi-factor-authentication-mfa/duo-mobile-app) and [Authenticator Plus](https://www.authenticatorplus.com/).
**Security** | **Priority** | **Details and Hints** **Security** | **Priority** | **Details and Hints**
--- | --- | --- --- | --- | ---
**Use an authenticator** | Recommended | Use [Google Authenticator](https://support.google.com/accounts/answer/1066447) where sites offer 2FA. Alternative authenticators include: [Authy](https://authy.com), [FreeOTP](https://freeotp.github.io), [LastPassAuthenticator](https://lastpass.com/auth/) and [AuthenticatorPlus](https://www.authenticatorplus.com). SMS codes are ubiquitous, but easy to break so although better than nothing, not ideal. Another option is a hardware-based 2FA, such as [Yubico](https://www.yubico.com/security-keys-authentication/), although with limited compatibility and of course a physical cost. Check out [this list of apps/sites which provide the option of 2FA](https://twofactorauth.org/). **Enable 2FA on Security Critical Sites** | Recommended | In account settings, enable 2-factor authentication. Ideally do this for all your accounts, but at a minimim for all security-scritical logins, (including your password manager, emails, finance and social sites). [List of sites that support 2FA](https://twofactorauth.org/).
**Keep backup codes safe** | Recommended | When you enable 2FA, you'll be given a few one-time codes to download, in case you ever lose access to your authenticator app or key. It's important to keep these safe, either encrypt them and store on a USB, or print them on paper and store them somewhere secure like a locked safe. Delete them from your computer once you've made a backup, incase your PC is compromised.
**Don't use SMS to recieve OTPs** | Optional | Although SMS 2FA is certenly better than nothing, but there are many weaknesses in this system, ( such as SIM-swapping) ([read more](https://www.theverge.com/2017/9/18/16328172/sms-two-factor-authentication-hack-password-bitcoin)), therefore avoid enabling SMS OTPs, even as backups.
**Don't use your Password Manager to store 2FA tokens** | Optional | One of the quickest approachs is to use the same system that stores your passwords, to also generate and fill OTP tokens, both LastPass and 1Password have this functionality. However if a malicious actor is able to gain access to this, they will have both your passwords, and your 2FA tokens, for all your online accounts. Instead use a seperate authenticator from your password manager.
**Consider a hardware 2FA Key** | Optional | A physical 2FA key generates an OTP when inserted. Have a look at [NitroKey](https://www.nitrokey.com/) (open source), [YubiKey](https://www.yubico.com/) or [Solo Key](https://amzn.to/2Fe5Icw). You can also use it as a secondary method (in case your phone is lost or damaged). If this is your backup 2FA method, it should be kept somewhere secure, such as a locked safe, or if you use as physical key as your primary 2FA method, then keep it on you at all times.
## Browser and Search ## Browser and Search