My phone was in need of a refresh recently, so I disabled two factor authentication across all of my accounts, wiped the phone, and reactivated two factor. For a single site, turning two factor on or off is simple. I was struck, though, by the wide variety of implementations as I reactivated my accounts. Anyone dealing with information they want to keep private or confidential should use two factor where available. But I wonder if the variations make the process more daunting or confusing.
A good starting point has always been Two Factor Auth, a list of sites and how they’re implementing it. I’ve already touched on the software you’d need for a mobile device or Windows, and how to set up a single account. I’m not going to go back over that ground. This is a bit more in the crevices.
To be fair, most of the processes followed these basic steps:
- display a QR code
- once the code is scanned by the authenticator app, start showing 6 digit codes in the app
- test the 6 digit code before completing the process
Sites like Paypal that still use text messaging for second factor are different – and I dislike using texting for, well, anything important – and skip most of these steps except to confirm a phone number.
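The handshake behind those three steps, as an added example that is not from the original post: the site generates a shared secret, encodes it in the otpauth:// URI that the QR code carries, the authenticator app derives 6 digit codes from it (RFC 4226 HOTP under RFC 6238 TOTP), and the site verifies one code before enrollment completes. It uses only the Python standard library; the issuer and account names are constructed.

```python
# Added example, not the original post's code: the TOTP enrollment handshake.
import base64, hmac, hashlib, struct, secrets, time
from urllib.parse import quote

def new_secret(nbytes: int = 20) -> str:
    """Random shared secret, base32 encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=")

def otpauth_uri(secret: str, account: str, issuer: str) -> str:
    """The string a site encodes into the QR code shown at enrollment."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret}&issuer={quote(issuer)}"
            "&algorithm=SHA1&digits=6&period=30")

def hotp(secret: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, dynamically truncated."""
    pad = "=" * (-len(secret) % 8)               # restore base32 padding
    key = base64.b32decode(secret + pad, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: str, at: float, period: int = 30) -> str:
    """RFC 6238: HOTP with counter = Unix time divided by the period.
    This is what the app displays every 30 seconds after scanning the QR."""
    return hotp(secret, int(at) // period)

def verify(secret: str, code: str, at: float, window: int = 1) -> bool:
    """Server-side check run before enrollment completes: accept the code
    for the current step and +/- `window` steps to absorb clock drift,
    comparing in constant time so timing leaks nothing about the code."""
    step = int(at) // 30
    return any(hmac.compare_digest(hotp(secret, step + d), code)
               for d in range(-window, window + 1))

if __name__ == "__main__":
    s = new_secret()                              # step 1: site makes a secret
    print(otpauth_uri(s, "alice@example.com", "ExampleSite"))  # QR payload
    now = time.time()
    shown = totp(s, now)                          # step 2: app shows a code
    print("app shows:", shown, "accepted:", verify(s, shown, now))  # step 3
```

The test secret in RFC 6238 (ASCII "12345678901234567890") reproduces the published vectors, so a site can check its own verifier against them before trusting it.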
Just One App, Thanks
My phone is my second factor. I prefer to use an authenticator app – like Google’s or Microsoft’s Azure or Microsoft Authenticator (which appear to have merged) – so the codes are generated on my phone. Google and Microsoft will walk you through the steps of getting the app. Other sites I use just assume you’re using one and go from there.
I was a bit irritated by the Microsoft process. Frankly, I think Google does a better job of making sure you can find your security settings, and I like that they prompt security reviews every couple of months. When I access my Office 365 account, the Security tab does not show two factor authentication. You’ve got to go to a generic link that appears on the Security page. I’m also a little worried that when I access my account now, I’m not prompted for a second factor. This can happen sometimes if you’ve told a service to trust the device you’re using, but I don’t ever do that. If you create a trusted device, you’re no longer using two factor on that device. It always struck me as defeating the purpose although I understand how it reduces the friction.
Then Microsoft shows you this screen:
Out of the best intentions, Microsoft is trying to funnel you to the right version of the Microsoft Authenticator. But if you have your own authenticator already, their process requires you to complete their download to continue. There’s no reason to run two authenticator apps and you certainly don’t want to have a new one for each account. Since I had already grabbed the Google authenticator, I backtracked, clicked Other, and skipped over the authenticator app installation.
The additional challenge comes when you have committed to all of a company’s software, but they haven’t committed fully to two factor authentication. Microsoft, again. While you can set up two factor for Office 365, and One Drive, it won’t work with certain services or apps without an additional code.
I was surprised how often this seemed to be a problem with email apps on Android, and not just with Microsoft. Some don’t appear to support any authentication outside username and password. Others will need so-called app passwords, different from your email password, in order to perform the necessary handshake behind the scenes. I think this lack of uniformity within a productivity suite is an unnecessary hurdle.
About Backup Codes
This is an important part of two factor: what happens if you lose your factor? Phone drops in the toilet, is stolen, whatever? Your 2FA becomes sweet FA. As a baseline, these codes should not live (solely) on your phone.
But they come in a variety of shapes and sizes. Google creates a text file for you to download and store on your computer. Or you could print it off – that’s what Microsoft suggests. Same with a third site: just a code on a web page. I ended up taking a screenshot with Snip and storing that.
Now I’ll stitch all of these files together.
What about your own stuff? This is a huge area but one place I’d think lawyers would want to use two factor is on their web sites. Otherwise, people you don’t want to have access may change your site. WordPress offers two factor for its hosted service, but if you run your own site, you can add two factor to your own WordPress with a plugin. Or for your Joomla site. Or whatever, there is a lot of attention being paid to two factor and so you should see if your on-premises software supports it.
Here’s what I think would help:
- Block removal of an authenticator app. If someone wipes their phone or deletes that app before disabling two factor, that’s a real hassle. No, really, I didn’t have this problem, but you can just imagine it. It even makes me a little iffy on the whole two factor set up.
- Give an adopter the choice to use your authenticator or not. There’s no need to assume – Microsoft – that you’re the only site people will use an authenticator on.
- Find a better way to deliver backup codes. For example, make it easier to cut and paste or download as an Excel or comma-separated values file so the person can quickly import it into a spreadsheet (which can itself be password protected, so as not to create a duplicate second factor).
I’m still surprised that two factor isn’t universal on critical sites. There are even some lawyer practice management cloud companies that don’t offer it.
It may be that we’re finally at that point where two factor is a must have for storage of client confidential information by legal professionals, or on court e-filing sites, etc. Lawyers and paralegals will just need to understand that there’s more than just the sign up process and that it’s a life-of-the-online-account commitment.