Sluts for Security: Two Step Log In 101

Ever poked around in the settings of an app or a website, saw the words multi-factor authentication, two-step log in or two-factor authentication then stopped paying attention because it sounds like boring nerd stuff? Well you're right, it is boring nerd stuff, but it's important boring nerd stuff.

Two Step Log In, or Multi Factor Authentication, makes it harder for nasty little hackers to take over your social media, email, internet banking or other online accounts by requiring an additional "factor" (multi-factor, get it?!) along with your password when you log in. Your password is something you know; the second factor is something you have (your phone, a physical token) or something you are (your fingerprint or face). It's like asking for a secret handshake along with the code word for entry to a private club. You need both the code word and the handshake to get in; having only one isn't enough for the door to open.

There are a few different ways to add that extra layer of authentication on top of your password, and some are much better than others.

SMS - ever had to wait for a text message with a code? That's two step log in! Because phone numbers are easy to hijack (someone calls the phone company pretending to be you and has your number moved to their SIM), SMS is the weakest option and isn't recommended. If it's the only option you have, at least use a different number for two step log in than the one you advertise publicly or share with others, and make sure your password is super strong, ideally generated and stored with a password manager like 1Password or Bitwarden.

Email - when you're asked to open a link in an email, or enter a code sent to you via email after providing your password, that email is your extra piece of authentication. It's becoming popular for services to let you sign up and log in with only an email and no password at all. That isn't technically two step log in, since the email is the only factor, but because someone would need access to your inbox to log in, it still gives you some extra protection. It also makes it even more important to have a strong, unique password for your email that isn't used anywhere else, with two step log in turned on for the email account itself.

Smartphone apps - some companies (e.g. Google and Microsoft) can send a push notification directly to an app on your smartphone when an attempt is made to log in to your account, and you have to accept it for the log in to go through. If that notification appears but you aren't trying to log in, you know something's up: hit deny, don't approve it just to make the notifications stop, and change your password, because someone already has the old one.

Time-Based One-Time Passcodes (TOTP) - rolling six-digit codes generated by a dedicated smartphone app like Authy or Google Authenticator, which change every 30 seconds. When you set it up you scan a QR code that hands the app a secret, and the app combines that secret with the current time to produce each code. When you try to log in, you'll be asked for the current code before access is granted. No code, no access. This is good, though a convincing fake login page can still trick you into typing the code into it, which is where physical tokens come in.

Physical Security Tokens - these little plastic USB flash drive looking things are the gold standard for securing your account. They have to be plugged into (or, for NFC models, tapped against) the device you're logging in from. If the physical token isn't present, you aren't getting in. Doesn't get much more secure than that, and Tryst is one of the few platforms to support it!

Biometrics - a growing number of services (like Tryst) let you use the fingerprint or face scanner on your smartphone or computer as a built-in security token, with no extra purchase or equipment necessary. Your fingerprint or face never leaves the device; the scan just unlocks a key stored on the device itself, which then does the same job as a plug-in token.

Keeping Your Two Step Log In Safe

Unlike a password, if you forget or lose your two step log in item you are up shit creek without a paddle. The whole point of two step log in is that you can't just say "oops I lost it!" to a customer support rep and get let back in, because then there'd be nothing stopping an impersonator from saying the same thing and defeating the purpose entirely. This makes backing up your codes a crucial task.

When you set up two step log in there's often the option to print or save recovery codes. These codes let you get back into your account if your second factor is ever lost or broken. Each one usually works only once, so treat them like passwords: print them out and keep them somewhere safe, or if you're a cool kid that uses a password manager, keep those codes nice and secure in there. 1Password or Bitwarden are great choices if you aren't on the password manager train yet.

A common rookie mistake is getting rid of an old smartphone before moving your TOTP details to the new device. Apps like Authy or Microsoft Authenticator have a cloud backup feature. This lets you simply install the app on a new phone and restore your codes from the cloud after entering the backup password. Obviously, you want to keep this password safe and use a damn good one, ideally via a password manager, because if you forget it you're in a world of pain. Even with a backup, check that the new phone produces working codes for at least one account before you wipe the old one.

The ultimate secure setup is a physical security token that can store TOTP secrets, used with an app like Yubico Authenticator. This way the "secret" that generates the TOTP codes lives on the token itself rather than in a cloud backup, so unlike Authy there's no backup password to remember. If you lose access to your smartphone or computer, just plug the token into a new device, install the app and your codes are back. The catch: a secret stored on a token can't be copied out of it later, so when you set up a site, scan the same QR code into your spare token as well.
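To make the "secret plus time equals code" idea above concrete, here is an added worked example (not code from Tryst or from any of the authenticator apps mentioned) of how a TOTP code is actually produced and checked, following RFC 4226 and RFC 6238. The sample secret is the test secret published in those RFCs, not a real account's, and it is base32-encoded the way a secret appears inside a setup QR code. The `window` parameter on the server-side check is an assumption about how much clock drift a site tolerates; one step either side is typical.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # RFC 6238 default: the code rolls over every 30 seconds
DIGITS = 6          # most sites use six-digit codes

# Constructed sample: RFC 6238's published test secret ("12345678901234567890"),
# base32-encoded the way it appears inside a setup QR code. Not a real account.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time=None) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of 30-second steps since 1970.
    Any device holding the same secret produces the same code at the same time, which is
    why the secret (not the phone) is what needs backing up."""
    secret = base64.b32decode(secret_b32.upper())
    now = int(time.time()) if at_time is None else int(at_time)
    return hotp(secret, now // STEP_SECONDS)


def verify_totp(secret_b32: str, submitted: str, at_time=None, window: int = 1) -> bool:
    """Server-side check. Accepts the code for the current step plus `window` steps either
    side to tolerate clock drift, comparing in constant time so the comparison itself
    doesn't leak how many digits matched."""
    secret = base64.b32decode(secret_b32.upper())
    now = int(time.time()) if at_time is None else int(at_time)
    step = now // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, step + d), submitted)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    print("Code right now for the sample secret:", totp(SAMPLE_SECRET_B32))
    print("Code at Unix time 59 (RFC test vector, expect 287082):", totp(SAMPLE_SECRET_B32, 59))
```

Run it twice 30 seconds apart and the first line changes; run it on two machines with synced clocks and they agree. That agreement is the whole trick, and it is also why a code you type into a fake login page is immediately useful to whoever runs that page for the next 30 to 60 seconds.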

Physical Security Tokens Are Awesome

Of all the ways to get some two step log in action in your life, physical security tokens have the biggest nerd tick of approval. Unlike SMS, someone can't steal your token by calling up the phone company and pretending to be you. Unlike a one time passcode, you can't be tricked into typing the token into a fake website, because the token checks which site it's actually talking to before it answers, and a look-alike site gets nothing it can reuse on the real one.

A physical token has to be physically taken from you, and whoever takes it also needs to know your password for it to be useful. Neither of those is impossible, but of all the technology solutions available, physical security tokens are by far the best tool for protecting your online presence.
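The "token checks which site it's talking to" point above is the part that defeats phishing, and it is easier to believe once you see the exchange. The following is an added example, not Tryst's code and not any real token's firmware: a simulation of the WebAuthn flow a physical token uses, with a stand-in key that keeps one credential per site domain. The domains `tryst.example` and `tryst-login.example` are hypothetical, and HMAC-SHA256 stands in for the per-site asymmetric keypair a real token holds (so registration here shares a secret with the site rather than a public key); the origin-binding logic, which is the point, is the same. The key detail is that the browser, not the web page, fills in the origin and derives the site domain from it, so a phishing page can't claim to be the real site.

```python
import hashlib
import hmac
import json
import os
from urllib.parse import urlparse

# Hypothetical domains constructed for this example.
REAL_ORIGIN = "https://tryst.example"            # the site you registered the token with
PHISH_ORIGIN = "https://tryst-login.example"     # a look-alike site run by an attacker


class SecurityKey:
    """Stand-in for a FIDO2/WebAuthn token. Keeps a separate credential per relying-party
    ID (the site's domain) and never hands the secret out. HMAC-SHA256 stands in for the
    per-site asymmetric keypair a real token uses."""

    def __init__(self):
        self._credentials = {}   # rp_id -> (credential_id, secret)

    def register(self, rp_id: str):
        cred_id = os.urandom(16).hex()
        secret = os.urandom(32)
        self._credentials[rp_id] = (cred_id, secret)
        return cred_id, secret   # a real token would return only a public key here

    def sign(self, rp_id: str, client_data_hash: bytes):
        """Return (credential_id, rp_id_hash, signature), or None if the token holds no
        credential for this domain, which is exactly what happens on a phishing site."""
        if rp_id not in self._credentials:
            return None
        cred_id, secret = self._credentials[rp_id]
        rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
        signature = hmac.new(secret, rp_id_hash + client_data_hash, hashlib.sha256).digest()
        return cred_id, rp_id_hash, signature


def browser_get_assertion(page_origin: str, key: SecurityKey, challenge: str):
    """What the browser does for navigator.credentials.get(): it writes the page's real
    origin into clientData and derives rp_id from that origin, so a page cannot claim to
    be a different site than the one it was served from."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True)
    rp_id = urlparse(page_origin).hostname
    result = key.sign(rp_id, hashlib.sha256(client_data.encode()).digest())
    if result is None:
        return None
    cred_id, rp_id_hash, signature = result
    return client_data, cred_id, rp_id_hash, signature


class RelyingParty:
    """The real website's side of the exchange."""

    def __init__(self, origin: str):
        self.origin = origin
        self.rp_id = urlparse(origin).hostname
        self.users = {}   # username -> (credential_id, verifier)

    def register(self, username: str, key: SecurityKey):
        self.users[username] = key.register(self.rp_id)

    def new_challenge(self) -> str:
        return os.urandom(32).hex()

    def verify(self, username, challenge, client_data, cred_id, rp_id_hash, signature) -> bool:
        expected_cred_id, verifier = self.users[username]
        data = json.loads(client_data)
        if data.get("challenge") != challenge:                            # replayed or stale
            return False
        if data.get("origin") != self.origin:                             # signed on another site
            return False
        if rp_id_hash != hashlib.sha256(self.rp_id.encode()).digest():    # wrong domain
            return False
        if cred_id != expected_cred_id:                                   # not this user's token
            return False
        expected = hmac.new(verifier, rp_id_hash + hashlib.sha256(client_data.encode()).digest(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def legitimate_login(rp: RelyingParty, key: SecurityKey, username: str) -> bool:
    challenge = rp.new_challenge()
    assertion = browser_get_assertion(rp.origin, key, challenge)
    return assertion is not None and rp.verify(username, challenge, *assertion)


def phishing_relay(rp: RelyingParty, key: SecurityKey, username: str,
                   victim_also_registered_with_phisher: bool = False) -> bool:
    """Attacker on PHISH_ORIGIN fetches a genuine challenge from the real site, gets the
    victim's browser to have the token sign it, and relays whatever comes back."""
    if victim_also_registered_with_phisher:
        key.register(urlparse(PHISH_ORIGIN).hostname)   # credential for the fake domain only
    challenge = rp.new_challenge()
    assertion = browser_get_assertion(PHISH_ORIGIN, key, challenge)
    if assertion is None:          # token has nothing for tryst-login.example: attacker gets nothing
        return False
    return rp.verify(username, challenge, *assertion)   # rejected: origin and rp_id_hash differ


if __name__ == "__main__":
    key = SecurityKey()
    site = RelyingParty(REAL_ORIGIN)
    site.register("alice", key)
    print("real site login:", legitimate_login(site, key, "alice"))
    print("phishing relay:", phishing_relay(site, key, "alice"))
    print("phishing relay with a credential on the fake site too:",
          phishing_relay(site, key, "alice", victim_also_registered_with_phisher=True))
```

Compare this with the TOTP case: a six-digit code has no idea which site it is being typed into, so relaying it works. Here the relayed answer carries the fake site's origin and domain hash baked into the signed data, so the real site throws it out even though the challenge was genuine.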

Yubico is the most popular supplier of tokens, with their most basic starting at USD$25 each. Whichever token you choose, get more than one! If you lose or break it, you're cooked, so having one or two spare tokens kept somewhere safe for when that inevitably happens is strongly recommended. One thing to know: a token can't be cloned, so the spare only works if you register it with each account at the same time as your main one. Do that, and backup and restore are as simple as plugging in the spare, which is another plus for physical security tokens over the other two step log in options.

How to Enable Two Step Log In

Now that you know two step log in is good and cool and you want it because it'll keep you safe on the internet, turn it on! Below is a list of common online accounts that support two step log in. If you haven't enabled two step log in yet, or aren't sure whether it's on, now is the time to check it off your to-do list. Email is the one to double check first, because whoever controls your inbox can reset the passwords on most of your other accounts, so it's often the launching point for further hacking attempts.