
Multi-factor authentication

Multi-factor authentication ensures that if your username and password are ever compromised, an attacker still cannot authenticate as you: they are missing another factor, typically "something you have".

Here are the "multiple factors" we will be using:

  1. Username (identifies the account; it is not secret and is not a factor on its own)
  2. Password: "something you know"
  3. Hardware security key: "something you have"

You MUST enable multi-factor authentication for all your accounts on all services. For this to be effective, you MUST keep the factors separate from each other: a password manager that holds both your password and your second factor is a single point of compromise, so two factors collapse into one. This means that you MUST NOT store your second factor in your password manager. Instead, use hardware security keys.

Which second factor

Passkeys

The modern and most secure way to add a second factor to your account is through passkeys (FIDO2/WebAuthn credentials stored on your security key). They provide good UX and are resistant to phishing: the credential is bound to the service's domain, and the browser reports the real page origin to the service, so a lookalike domain cannot obtain a valid login from your key.

If a service allows you to use passkeys as a second factor, you MUST prefer them to any other method. Setting them up depends on the service; for instance:

  1. Google
  2. GitHub

When authenticating to a service, you will be asked for a username and password, then prompted to insert your security key, enter its FIDO PIN, and touch it to confirm your presence.

Some services will also allow "passwordless" login, where the security key is enough to authenticate.
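To make the phishing-resistance claim concrete, here is an added Python example (not part of this page, and not code from Google, GitHub or any vendor) of the origin and relying-party checks a service performs on a passkey login. The relying-party ID `example.com`, the allowed origins, the challenge and the sample assertions are all constructed for illustration. The final step, verifying the authenticator's signature over `authenticatorData || SHA-256(clientDataJSON)` with the public key registered at enrolment, is not shown here; the checks below are the ones that defeat a lookalike domain.

```python
import base64
import hashlib
import json
import struct

# Hypothetical relying party: the RP ID is the domain the passkey is bound to.
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def check_assertion(client_data_json, authenticator_data, expected_challenge):
    """Return (ok, reason) for the origin / RP-ID / flags part of WebAuthn
    assertion verification. The browser writes clientDataJSON (including the
    real page origin); the authenticator writes authenticatorData, whose first
    32 bytes are SHA-256(rpId). A phishing page on another domain cannot make
    either of them match this relying party."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "not an authentication ceremony"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin %r is not an allowed origin" % cd.get("origin")
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match our RP ID"
    flags = authenticator_data[32]
    if not flags & 0x01:
        return False, "user presence (touch) not asserted"
    if not flags & 0x04:
        return False, "user verification (FIDO PIN) not asserted"
    return True, "origin, RP ID and user-verification checks passed"


def make_assertion(origin, rp_id, challenge, flags=0x05, counter=1):
    """Construct a sample clientDataJSON + authenticatorData pair, imitating
    what a browser and authenticator produce for a page at `origin`."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url_encode(challenge),
                              "origin": origin}).encode()
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([flags]) + struct.pack(">I", counter))
    return client_data, auth_data


CHALLENGE = b"constructed-random-challenge-32b"  # constructed sample challenge

# Genuine login from the real site.
GENUINE = make_assertion("https://login.example.com", "example.com", CHALLENGE)
# Phishing page on a lookalike domain: the browser and the key bind the
# assertion to *that* domain, so it fails the origin and rpIdHash checks.
PHISHED = make_assertion("https://example-login.com", "example-login.com", CHALLENGE)
# Real site, but the key was used without its PIN (user-verification flag clear).
NO_PIN = make_assertion("https://example.com", "example.com", CHALLENGE, flags=0x01)

if __name__ == "__main__":
    for name, (cd, ad) in [("genuine", GENUINE), ("phished", PHISHED), ("no-pin", NO_PIN)]:
        print(name, check_assertion(cd, ad, CHALLENGE))
```

Run stand-alone, the genuine assertion passes, the phished one is rejected at the origin check (and would also fail the rpIdHash check), and the no-PIN one is rejected because the service requires user verification, which is why the login flow above asks for the FIDO PIN.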

Time-based one-time password

If a service does not support passkeys (yet), it will usually offer TOTP (time-based one-time passwords) as an alternative. The TOTP seed shared at enrolment is the whole secret: anyone who holds it can compute every future code, which is why it belongs on the hardware key and not in your password manager.

Please see here for how to set up TOTPs on your YubiKeys.

When authenticating to a service, you will be asked for the TOTP for that account. Use Yubico Authenticator with your YubiKey inserted to generate it (instructions here).

What about recovery codes?

When setting up multi-factor authentication, some services will prompt you to store some recovery codes to use in case you lose your hardware security key. While it might be tempting to go on and store them in your password manager, you MUST NOT do that, as it would defeat the purpose of the second factor.

Instead, either:

  1. register multiple hardware second factors (so that losing one cannot lock you out) and destroy the recovery codes;
  2. print out the recovery codes and store them in a safe.

What about my phone number?

SMS-based two-factor authentication is insecure and MUST NOT be used; rely on hardware devices instead. A SIM can unfortunately be swapped (your number moved to a SIM the attacker controls, typically by social-engineering the carrier). When that happens, the attacker receives your codes and controls the second factor.

If you need to use a service that will only allow phone number 2FA, reach out!