by Dave Moore, CISSP, 09/12/2021
Want to learn how to stay out of trouble on the Internet? Wow, have I got a deal for you. Come take the new version of my free, one night only class on computer and Internet safety, “Fight the Internet Bad Guys and Win,” Wednesday, September 29, 2021, 6:30 p.m., at the Central Location of the Norman Public Library. For ages 12 and up. Reserve your seat by calling the library at (405) 701-2600, or register online at pioneer.libnet.info/event/5524409. Sponsored by McClain Bank, The Norman Transcript, Josh Nelson Allstate Insurance and the Pioneer Library System.
In last week’s column, we looked at using online accounts, such as email, banking, Amazon and other e-commerce services. Typically, we have signed in with usernames and passwords, a method that has served us for years. Unfortunately, those days are long gone; we need more in the fight to stay safe on the Internet. Usernames and passwords are no longer enough. Enter two-factor authentication (2FA) and multi-factor authentication (MFA).
The old username/password model only uses one “factor,” that being the password. In these days of rampant cybercrime, 2FA and MFA use an additional “factor” to keep the bad guys out, increasing your online protection dramatically.
But, like everything related to computers, it’s time for an update. Using codes texted to your phone as an additional “factor” is no longer considered secure; the Internet bad guys have figured out how to hack them. Things are moving towards using authenticator apps like Authy, or “secure tokens” like YubiKey. This week, we’ll look at using Authy.
Invented by business communications company Twilio, Authy is my preferred choice for an authenticator app, combining ease of use with enhanced security. The Authy website (www.authy.com) has very helpful guides on how to use it with pretty much any online service you can think of. I’ll use Amazon as an example.
First, you install Authy. I do my logging in to sites like Amazon on regular computers, PCs and iMacs, never on a phone. I will, however, use the phone as the authentication generator device, and it will show me the code that Authy makes that allows me to log in to Amazon. So, I installed Authy on my phone. I have an Android phone, so I went to the Google Play store and installed Authy from there. If you have an iPhone, visit the Apple Store and get Authy.
After it’s installed, Authy will want your phone number, and they will send you a code. Then, you’re ready for the next part.
Sign in to Amazon on your computer. Go to Account settings, and Two-Step Verification settings (Amazon calls it 2SV). First, clear any old 2SV settings; I had to remove my old text message-based settings. Click Disable, then check the box next to “Also clear my Two-Step Verification settings.” It sounds a little scary, but that’s how the process works. Then, re-enable two-step verification, but this time, select Authenticator App as your preferred method, instead of phone text.
Next, Amazon will display a QR code (those weird squares with the tiny oddball blocks in them). Open the Authy app on your phone. Select “Add a new account,” and scan the QR code with your phone’s camera; grant access, if asked. Invent a Secure Backup password when Authy asks you to. This is your Authy password; it needs to be long and strong. Write it down and keep it in a secure location. Don’t ever, ever lose it.
Tell Authy your phone number when prompted. Pay attention to the notices on both the phone and the computer. Eventually Amazon will give the go-ahead to start using Authy as your 2FA method. The process is actually easier than it sounds.
Now, when you sign in to Amazon on your laptop, or any computer, for that matter, the Authy app on your phone will be told by Amazon to generate a code which the phone will display. You enter the code on the Amazon login, and you are signed in. Voila.
Next week: how to use the “secure token” called YubiKey for your 2FA/MFA login chores.
Dave Moore, CISSP, has been fixing computers in Oklahoma since 1984. Founder of the non-profit Internet Safety Group Ltd, he also teaches Internet safety community training workshops. He can be reached at 405-919-9901 or internetsafetygroup.org