I am a reluctant adopter of two factor authentication. The main reason is that I believe that on balance, it’s going to inconvenience me way more than it will deter hackers. Up to this point I would not have considered any of my accounts to be worthwhile to hackers. I mean what’s a hacker going to do when he finally breaks into one of my maxed out credit card accounts? Pay the bill? In that case he’d be doing me a favor.
Two factor authentication means that the user needs not one but two electronic devices just to log into his or her account. The user will enter the username and password as normal. Then he needs to enter a six digit code provided by the Google authenticator app on a smart phone or tablet PC. The rationale is that a hacker would need access to both the log in credentials and the smart phone in order to break into the user’s account. Since we tend to be very dependent on our handheld electronic devices, we would know very quickly if we lost one, and we would then know any account using two factor authentication was now in danger. At this point I’m still unclear as to what the owner of the lost phone would be able to do in order to regain access to his two factor accounts.
But even without losing the device, I can immediately see how two factor authentication inconveniences me. I would have to be tying up both my laptop and my tablet PC. This poses a problem as I sometimes will allow my children to play with an app on my tablet PC so I can have a few moments to deal with something on my computer. Oops, can’t do that if what I need to check up on is an account which has two factor authentication enabled. And what about if my tablet PC is sitting on the charger across the room? I’m going to have to get up from my seat, look at the tablet screen and then get back to my computer to enter the number before it changes. Is this really worth doing on every account which stores sensitive information but is hosted on a reasonably secure website?
Up until now I’ve relied on super strong passwords and changing them from time to time. There are a number of password generating sites, my favorite one being Password Generator. I go for all 128 characters using all the possible keyboard options, and I figure it will take years for someone’s computer to crack it. Since I change it every couple months, I figure as long as I don’t fall for some social engineering tactic and outright give away my password I’m probably OK. And I believe for most things two factor authentication is overkill.
The scene has changed for me since I got into Bitcoin. I now have several accounts which represent quite a lot of money–over a thousand dollars in fiat if I were able to trade the entire balance out. While overdrawn checking accounts and maxed out credit cards are probably unattractive to would-be Internet thieves, an account containing several thousand dollars worth of Bitcoin is a different story.
I recently decided that financial accounts holding more than one Bitcoin or equivalent are good candidates for the added security of two factor authentication, especially such accounts that I do not need to log into every day. If I’m only checking the account once or twice a week, then it’s not a big deal to just make sure I have my tablet PC with me when I log in. It’s worth the added peace of mind knowing that the hacker will be even more inconvenienced by the added log in requirement.
I logged into my Bitcoin Commodity Exchange account earlier today. As I do from time to time, I multiplied the amount of GHS I’ve accumulated by the going rate, and the result gives me an approximation of my account’s worth–if I were to sell all my GHS, that’s how many Bitcoin I could potentially walk away with. By that calculation my CEX account is worth several Bitcoins. I’m not going to post the exact amount, but it’s enough for me to say it would really not make my day if I were to one day log in and find that my account had been compromised and all the GHS sold off and the Bitcoins gone. So I decided it was time to take the plunge and protect this account with two factor authentication.
The first part is to install the Google authenticator app from the Google play store. It’s easy enough. You find the app, click the install button, give it the requested permissions and the tablet or smart phone does the rest. Then comes setting up the account which needs to be authenticated. There are two options. The first one is to scan the provided QR code. The second is to manually enter a rather long code consisting of capital letters and numbers. I thought it would be easier to scan the QR code so I selected that. But oh wait, I have to install a different app so I can read a QR code. Forget it; I went with the option to enter the code manually.
It’s not too difficult to enter the code, but it is important (as I found out later) to enter it accurately. I entered it and then hit the “enable two-factor authentication” button on my CEX profile. Before I clicked that button I took a screen shot of my code, because CEX informed me that once I enable two factor authentication that code disappears. If I were to lose my tablet PC, I would need that code to input to the replacement device, or for that matter, any additional devices I might want to use.
I had to enter the six digit number to activate two factor authentication, which is very smart–it prevents users from enabling something they don’t even have set up. It took a few tries but I finally got a number right. The next step was to confirm the decision by email. Then the moment of truth arrived as I tried to log in.
There are two ways to set up an account on the Google authenticator app. One is to have numbers generated on a timer, and the other is to have them generated on a counter. The numbers on a timer change every thirty seconds or so, while the numbers on a counter change only when the user tells them to change. Initially my timer-generated numbers did not work. So I set up another account for CEX using counter-generated numbers. None of those worked either.
I finally found the command to sync my app with Google’s servers so that the numbers I saw would be the same numbers the Google server was generating in real time. Once this was done, the timer-generated numbers worked fine.
But then I was stuck with two separate accounts for CEX. Google authenticator does not have an obvious way to delete an account that’s not needed. Being somewhat obsessive and perfectionistic about these things I decided to get a fresh start by uninstalling the app and then reinstalling it. After all I had the code saved so what more would I need?
I set up my CEX account again and then I attempted to log in. My attempt to copy the number from my tablet was met with the invalid code error message. So I tried another number. Same result. Every number I tried gave me the same error message. Oh no! Two-factor authentication had now effectively locked me out of my own account. There’s another reason why it inconveniences the account owner more than any hackers. I would be willing to bet that more legitimate users have been locked out of their own accounts than hackers from other people’s accounts!
That’s about the time I started panicking. It was my two factor big time freak out moment. Did I mention that my Bitcoin Commodity Exchange account is worth several Bitcoins and that it kicks off a few hundredths of a Bitcoin several times a week? This is not the account I want to be locked out of. Why couldn’t I have tested this out first with a brand new (and empty) account, such as the one I recently set up on BitStamp?
I quickly fired off an email to CEX support and told them my plight. While waiting for a reply I kept trying to log in, with the same frustrating result.
Then it occurred to me that perhaps I had entered the code wrong. It wouldn’t be difficult to get just one character off. I had gotten interrupted by children when I was trying to enter it that second time. Google authenticator doesn’t allow me to go back and edit an account once I set it up, so there was no way to check to see if I’d entered the code correctly. I suppose that is part of why this is secure. It certainly wouldn’t do to have some malevolent person find my lost tablet and then copy the code over to their own device.
So I uninstalled the app, then reinstalled it again, and tried to set up my CEX account again. This time I very carefully double checked the code I’d entered. I’m pretty sure that my previous mistake was to input a 2 instead of a Z in one spot. Once I was satisfied that I’d entered the code accurately, I gave it a whirl. This time I was able to log in. I logged out and tried to log in again three more times. It worked every time. So yes, getting even just one character of the code wrong will mess things up for you. Whatever you do, when you do activate two factor authentication be sure to save your account code.
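As an added illustration (not part of the original post) of the two behaviours described above, the timer versus counter codes that needed a clock sync and the single mistyped character that broke everything, here is the arithmetic Google Authenticator performs, written out in Python. The secret is a constructed test value (the base32 form of the RFC 4226/6238 test key), and the mistyped variant swaps one Z for a 2, both of which are legal base32 characters, so the app cannot detect the slip.

```python
import base64
import hashlib
import hmac
import struct

# Constructed test secret: base32 of the RFC 4226/6238 test key "12345678901234567890".
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
# Same secret with the first 'Z' typed as '2'. Both are valid base32, so the app
# accepts it silently, but every code it then produces is wrong.
MISTYPED = "GE2DGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """Counter-based code (RFC 4226): HMAC-SHA1 over the 8-byte counter,
    dynamically truncated to `digits` decimal digits."""
    key = base64.b32decode(secret_b32.replace(" ", ""), casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Timer-based code (RFC 6238): HOTP whose counter is the clock divided
    into `step`-second slots (30 s in Google Authenticator)."""
    return hotp(secret_b32, unix_time // step, digits)


def verify_totp(secret_b32: str, code: str, server_time: int,
                step: int = 30, skew_steps: int = 1) -> bool:
    """Server-side check tolerating +/- `skew_steps` slots of clock drift.
    A device clock further off than this yields only rejected codes, which is
    what the app's 'sync with server time' option repairs."""
    return any(totp(secret_b32, server_time + d * step, step) == code
               for d in range(-skew_steps, skew_steps + 1))


def demo() -> dict:
    """Correct and mistyped codes at t=59 s, plus whether a code from a device
    clock 20 s or 90 s behind the server is still accepted with one slot of skew."""
    good = totp(SECRET, 59)   # RFC 6238 test vector: "287082"
    return {
        "correct_code": good,
        "mistyped_code": totp(MISTYPED, 59),
        "accepted_20s_slow": verify_totp(SECRET, good, 59 + 20),
        "accepted_90s_slow": verify_totp(SECRET, good, 59 + 90),
    }
```

Because the secret is decoded before hashing, a one-character typo changes the key bytes and therefore every code, while a clock that has drifted more than the server's tolerance makes even a correctly entered secret look broken.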
So I wrote a quick follow up letter to CEX support telling them the problem was solved. Within twenty minutes I got a reply from someone saying he was informing me that the problem was solved. It’s good to know that CEX support is so responsive, in case I really do need them down the road.
So I finally have one of my very important accounts now protected with two factor authentication. When I leave the house for my day job, not even my husband will be able to log in as I’m taking the tablet and its timer-generated numbers with me.
I considered setting up two factor authentication for a few of my other important accounts, but then decided I’d had enough of two factor authenticating for one day. I can pace myself. At least I now know it works, and I’ve conquered the learning curve. It should be much easier from here on out.