As shelter-in-place continues into its second month this week and newly remote workers must protect themselves against the security threats posed by remote work and scammers taking advantage of COVID-19 uncertainty, keeping accounts secure is as important as ever.
Last week, we brought you our tips on picking a strong password, and ended by saying that ultimately, depending on a password alone is a losing proposition. TOTP (timed one-time password) and U2F (universal two-factor) are two forms of two-factor authentication that can help to protect your account from security risks when a password doesn’t suffice.
But what’s two-factor authentication and why is it better than just a password?
At this point, we’re all familiar with logging in to an account online with a password, whether it’s email, social media, or your bank’s online portal. The reason is obvious. If someone who wanted access to your personal data, or in the case of a registrar’s online portal, your domains, they would only need to obtain your username or even just your email address in order to steal your domains or personal data. When you enter your password, you authenticate yourself, which is just another way of saying that you prove your identity. A password is one “factor”.
A password provides security because it’s based on something that you and you alone know. A second factor adds another type of information that proves you are you: either something you have or something you are.
This is actually not such a new-fangled idea. When you go to an ATM to access your bank account, not only do you need your ATM card (something you have, the first factor), but you also need your PIN (something you know, the second factor). That way, if someone has your card, but not your PIN—or if they have you PIN but not your card—they can’t steal your money. Someone would have to have both things to get access to your bank account.
Online, one way to augment an account password with a second form or factor of proving who you are is using a password that only works once. When you log in with your username and password, before you can proceed you’ll have to enter an additional password or code. The simplest way this is done is by sending the code or password to you by email or by text message, proving that you either have access to your email address or to your phone.
But of course these messages could potentially be intercepted and phone numbers and email addresses can be compromised. Another, more advanced option is a time-based one-time password (or TOTP). This uses an algorithm that generates a secret code, called a seed, that in turn is used to generate a new password every however-many seconds, based on the current time. This ensures a unique password every time you log in to your account.
This is the first two-factor authentication option we offered at Gandi. See more about how to use time-based, one-time password (TOTP) two-factor authentication with your Gandi account.
One-time passwords do have one flaw, though, which is they are not immune to phishing or man-in-the-middle attacks. Phishing is when a fake website looks enough like the real thing to trick you into giving them your username, your password, and your one-time password. A man-in-the-middle attack is similar, though less common. Think of it like someone wiretapping you. You aren’t aware of it, but someone is listening in. Even with a time-based one-time password, it’s possible, if unlikely, for someone listening in or a fake site to get your password when you are entering it—or think you’re entering it—where it’s supposed to be.
The solution to this is to use public-key encryption—which is the same kind of encryption used by websites with https—to make sure that the right website and the right password are being used with nobody in between. This is called universal two-factor authentication or U2F.
An added benefit of U2F is the use of a hardware USB key for the whole process. The key plugs into a USB port like any other USB device and communicates automatically with your browser to authenticate the connection to the website you’re trying to log in. It’s like having a physical house key (you can even put it on your keyring), so not only is it more secure, it’s also easier. There’s no typing involved (so no typos), and you don’t have to worry about being locked out of your account if your phone falls into a fish tank.
U2F is on the cutting edge of security. If you want to learn how to set this up on your Gandi account, check out our post here.