
Two-factor authentication: double protection of online accounts

2021-08-29T19:36:50.786Z


Those who protect access to Internet services with more than just a password make it particularly difficult for criminals. The »c't« explains which apps and gadgets help and how to use them.


[Photo: c't. Caption: Only those who present the key are let through.]

Even the best password has a decisive disadvantage: if someone with sinister intentions guesses or steals it, they can spy out sensitive data or harm the victim directly, for example financially or socially.

With two-factor authentication (2FA) you make such intrusions much more difficult for cyber criminals, because in addition to the password, access to a second channel is required.

A simple and inexpensive way is a dynamically generated, time-limited one-time password - a so-called TOTP (Time-based One-Time Password).

Ideally, this is generated on a separate channel, for example by software that works on a second device that is independent of the first.

But even if both channels are on the same device, for example a smartphone, an attacker at least cannot get to the target without access to this device.

The best-known example of this approach is the TAN (transaction number) in online banking: With the help of a smartphone app or a dedicated device, sometimes in conjunction with a chip card, you have to secure transfers or logins by entering a number code.

You can use the same principle to better protect e-mail accounts, cloud access, social media, some online retailers and many other services from unauthorized access.

This is particularly worthwhile with your e-mail accounts: anyone who cracks them can, in the worst case, reset your passwords in online shops, messengers and social media, lock you out and do a lot of mischief.

To set up TOTP-based 2FA, so-called authenticators are available.

These come as an app for the smartphone or as dedicated hardware.

SMS, which some services offer as a channel for one-time codes, is also better than no 2FA at all.

However, its level of protection is lower because of the lack of encryption and the relatively easy access criminals have to second SIM cards (SIM swapping).

Alternatively, you can also use crypto sticks like the Yubikeys to generate the TOTP codes.

This has the advantage that the secrets used are stored on a protected chip.

They cannot be read out there and therefore cannot be duplicated.

Set up and use

A software-based TOTP is created from two parts. When setting up the 2FA, the app or hardware first receives a secret (shared secret key) from the service's server, which only these two parties know. In order to generate the TOTP from this, the current Unix time is also used, i.e. the time in seconds that has elapsed since January 1, 1970 at 0:00 UTC. From this, both sides calculate a cryptographic hash value that is valid for 30 seconds, from which the TOTP is distilled. This is usually a six-digit number code.

There are various free authenticator apps that all do this job.

Which one you take is a matter of personal preference.

The best known are the apps from Google (iOS / Android) and Microsoft (Authenticator) as well as Authy from Twilio.

There are open source solutions such as andOTP (GitHub) and Free OTP (GitHub);

KeePass users can use the included TOTP module.

It is important that your smartphone can only be unlocked with a PIN, password or biometrics, in case the device ever falls into the wrong hands - even though some apps also offer their own PIN or biometric protection.

This is especially true when it comes to a password manager on the smartphone that spits out passwords and the corresponding TOTP codes.

Alternatively, there is hardware such as the Reiner SCT Authenticator (from 32 euros).

Here, too, the selection is not limited to one manufacturer.

The advantage of such stand-alone hardware is that, unlike a smartphone, it cannot be reached from the Internet and therefore cannot be attacked over it.

Make sure to protect the device with a PIN.


You can set up a 2FA via TOTP, for example, with Google, Samsung and Microsoft, email services such as Posteo and GMX, social networks such as Twitter and Facebook, payment services and shops such as PayPal and Amazon, various web hosts and many crypto exchanges.

A well-sorted overview can be found on the English-language page 2FA Directory;

there is a check mark next to »software token« for authenticator support.

Setting up 2FA for the various services is simple and works in much the same way everywhere.

You can usually find the option in the settings under »Security«, »Login« or »Password«.

During the activation process, the service shows you a QR code or a character string for key exchange.

In the app or on the device, tap »Add« and then scan the QR code or type in the character string.

Then enter the first TOTP as a check - done.

From now on, the TOTP is displayed as a six-digit number code in the list of the app or gadget.

This changes every 30 seconds, although the service usually still accepts it for a few seconds longer.

If you then want to log into the respective service, you must enter the currently valid code in addition to the password.
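To make the two halves of the scheme concrete (the shared secret plus Unix time described under »Set up and use«, and the code that rolls over every 30 seconds but is still accepted a little longer, described in the setup steps above), here is an added example that is not part of the original article. It assumes the character string shown next to the QR code is the usual Base32-encoded seed; the seed used is the public RFC 6238 test secret, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example seed: the Base32 string a service shows next to its QR code
# during 2FA setup. This one is the RFC 6238 test secret ("12345678901234567890").
EXAMPLE_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_seed(seed_base32: str) -> bytes:
    """Turn the displayed character string back into the raw shared secret.
    Services often print the seed in groups with spaces and without padding."""
    cleaned = seed_base32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp(seed_base32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Compute a TOTP (RFC 6238) from the shared secret and the Unix time.
    Both the app and the server run exactly this calculation."""
    key = decode_seed(seed_base32)
    counter = unix_time // step  # elapsed seconds since 1970 / 30 s
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226): take 4 bytes at the offset given by the low nibble.
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(seed_base32: str, submitted: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check. Accepting `window` steps either side of the current one
    is why a code is usually still valid a few seconds after it rolled over."""
    for drift in range(-window, window + 1):
        expected = totp(seed_base32, unix_time + drift * step, step)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def current_totp(seed_base32: str) -> str:
    """What an authenticator app would display right now."""
    return totp(seed_base32, int(time.time()))


if __name__ == "__main__":
    print("code for the RFC 6238 seed at t=59:", totp(EXAMPLE_SEED, 59))
    print("current code:", current_totp(EXAMPLE_SEED))
```

The values asserted below are the six-digit tails of the RFC 6238 SHA-1 test vectors.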

Recovery and security

Normally you can only use one device per service for the TOTP. If this is a smartphone, you are limited to one app. This also means: if the device is stolen or lost, or the app can no longer be started, the second factor is gone and it is often difficult to restore your access. The service usually explains how to do this during the 2FA activation process; it is best to take notes and to bring stored data such as telephone numbers, postal and e-mail addresses up to date for reactivation.

However, you can save yourself a lot of time and effort if you scan the QR code with several devices during setup, or save the start value, the so-called seed.

This is the secret shared by the authenticator and the service's server.

The seed is contained in the QR code shown during 2FA setup.

Many (but not all) services also display it as a character string labelled »backup code«, »secret« or the like.

You should write the seed down by hand or print it out and keep it in a safe place.

We do not recommend saving it on your computer or in the cloud, because if the worst comes to the worst, a hacker can access it there.

Compromise on comfort

If you are ready to trade off between maximum security and a little more convenience, you can make your life easier - and still have a higher level of protection than with a password alone.

Most apps offer functions to migrate the authenticator, including the seeds of the stored services, to a new device or to copy it to another device.

Authy contains a synchronization function especially for this purpose; the Google Authenticator generates a QR code for transfer that you can scan with the same app on another device.

Use these functions with care.

The more devices you activate for 2FA, the more potential targets attackers have.


You can also often make entering the TOTP more convenient: after a one-time 2FA, the device used for the login, and the apps and browser on it, can be exempted from 2FA. For this purpose a trust token is stored on the device. You can usually select this option in the login mask. Despite the gain in convenience, an attacker who wants to access one of your user accounts from a third-party device must still pass 2FA. Devices on which you activate such a convenience function should, however, be well protected against unauthorized access. It is best to activate any alarm functions for access attempts from unknown devices. You will then receive, for example, a warning e-mail at a second e-mail account with another provider. This is possible with Google and GMX, among others.

You can also easily split your user accounts between two or more authenticators.

For example, accounts used for business and private purposes can be kept apart, or particularly sensitive accounts protected without compromise, while you make some concessions to convenience for the others.

Conclusion

No matter how strong your passwords are, any form of 2FA basically offers more protection than a password alone.

App-based authenticator solutions are free and easy to set up for many online services.

Convenience does not have to suffer significantly if you are willing to make minor compromises in terms of security and take good care of the devices involved.

Source: spiegel
