2FA and Managing "Security" Questions

An image of some scattered keyboard keys and a padlock to suggest computer security

Photo by FLY:D on Unsplash

Introduction

In the previous post in this series, I talked about using a password manager to create and manage strong passwords so that you can protect yourself and your online accounts. Lack of space meant that a couple of related, but important, topics got cut, which we’ll fix today. If you have not read the previous article then I suggest going back to the post here.

2 Factor Authentication (2FA)

The Address bar in a web browser with the HTTPS padlock highlighted

Misaochan, CC BY-SA 4.0, via Wikimedia Commons

As well as a username and a password, some sites can request a “second factor” (basically a second password, referred to as a 2FA Code in the screenshot above), and this factor is linked to a hardware device you control. These factors are often delivered on your mobile phone via an authenticator app and then need to be entered during the sign-on process. You can also get specialist 2FA hardware token devices, but we’ll assume you are using a mobile phone from now on.

The factors generated by a 2FA app are tied to the physical phone (something you have, rather than something you know): if you set up the same app for the same account on another phone, the generated factors would be different (even if the phone uses the same phone number), i.e. the factors generated by the app are unique to your specific phone and not linked to the phone number. This makes an authenticator more secure than factors delivered via SMS.

Because the factor is generated by an application, it can be regenerated after each use to create a new factor, sometimes called a “one-time password” for obvious reasons. Even better, depending on the technology, you may see this referred to as a Time-Based One-Time Password (TOTP) because the factors change every few seconds, not just after each use.

The authenticator app requires a setup process to link your physical phone to each account. For example, on the Google Authenticator app, used by a wide variety of services, a QR code can be used to link the account and device.

2FA is something you should enable and use on all your important accounts. Some services use a specific authentication app (for example my bank uses Symantec VIP) and many of my other accounts use the Google Authenticator app, or something similar.

I use 2FA not just with my financial accounts and shopping accounts, but also any accounts that could impact my work or reputation if they were cracked (email, developer accounts, social media etc). This means that in reality I will use 2FA wherever it’s offered and I have five different authentication applications on my phone, not including SMS. I think the extra effort is worth it.

The problem with using a 2FA application, tied to the hardware on your phone, is that if you lose your phone you can’t log in to the service. For this reason most sites offer to generate backup codes at setup time. These are a list of one-time codes that are created when you set up 2FA. You must save them immediately as they cannot be displayed again. A code can only be used once, so if you use one then delete it from your list. If you lose, or exhaust, the list then there is generally a way to generate a new list, as long as you can still connect to the account.

Your password manager is a good place to store and track your one-time backup codes. However, the auto-fill features in most popular browsers cannot store backup codes, and this is one of the reasons to consider using a third-party password manager.

Some services only offer one-time codes delivered via SMS; this is not ideal but may be the only option.

SMS based 2FA is problematic, but if there is no app based 2FA available then it’s sometimes required. This article explains why you should not use SMS if possible. If you do have any SMS 2FA accounts set up, then investigate to see if they now offer an alternative. I recently discovered that PayPal and LinkedIn now offer proper 2FA application support, a new feature since I enabled SMS 2FA on those accounts.

In particular using SMS to provide password reset is a very bad idea, as this article from The Guardian explains.

“Security Questions”

Some sites ask you to set up a set of answers to some list of questions (e.g. Where did you go to high school, what was the name of your 1st pet, what is your mother’s maiden name,…).

These are pretty useless because:

  • You may only be prompted every few years to help recover your password, and it can be hard to remember the exact text you entered.
  • Even worse is that there is a common set of questions sites ask and the answers are often exposed in a data breach (compared to passwords, which are protected by hashes in the server database). Once your answers on one site are exposed, it’s possible they will work on another.
  • It’s often possible to socially engineer the answers.

So the trick is to treat the answers in the same way as you would a password and provide a random, unique string for each question. You will of course need to store these questions and answers in a secure vault for later retrieval if needed. Again, the auto-fill option in your browser may not be able to support this, and can’t help you to generate a unique string. Examine the documentation for your chosen password manager to see if it supports this feature, e.g. see this example from the 1Password documentation, or this one from LastPass.

Other Resources

About the writer

Alec has been in IT for over 40 years and using the Internet since the 1990’s. He has an active online presence and uses Google, Mastodon, and LinkedIn (amongst many others). You can find more about him by Googling “alecthegeek”, or looking at his website (which does have a padlock symbol). He does not claim to be a security expert.

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
