The two-factor password does not come. Multi-factor (two-factor) authentication

User. Moreover, we are talking not only about your account, saved contacts and messages, but also about personal documents and files. The highest level of data protection is guaranteed by Apple's two-factor authentication, where to access personal data you need to enter two special numeric codes in a row.

How does this work

The main feature of Apple's new security system is that only you can sign in to your device, even if your password is known to others. With two-step verification, you can only sign in to your account from trusted iPhone, iPad, or Mac devices. In this case, two-factor authentication will require you to enter two types of passwords in sequence: a regular one and a six-digit verification code, which is automatically displayed on the verified gadget.

For example, you have a Mac laptop and want to log into your account on your recently purchased iPad tablet. To do this, you first enter your username and password, and then a verification code that automatically appears on the screen of your laptop.

After this, Apple's two-factor authentication will “remember” your device and provide access to personal data without an additional check. You can also make the browser of any PC trusted by setting this option when logging into your account for the first time.

Trusted devices

Only an Apple gadget can be made trusted. Moreover, the operating system installed on it must be at least iOS 9 for mobile devices and at least OS X El Capitan for laptops and personal computers. Two-factor authentication imposes this requirement because only in this case can Apple guarantee that the laptop you are using is yours.

Six-digit verification codes can be sent not only to trusted devices, but also to mobile phone numbers. The procedure for confirming a number is no different from confirming a gadget. It is also worth remembering that, whatever method of obtaining the verification code you use, two-factor authentication will require you to know your own Apple ID. Learn it by heart, otherwise you risk not being able to access your account.

New level of protection

Each time you sign in to your user account, your location is sent to trusted devices. In cases where it coincides with your actual location, you can allow entry by pressing the highlighted button.

If two-factor authentication prompts you to allow a login on another device while the location shown does not match yours, you should deny the request. This indicates unauthorized access to your gadget, and can also serve as a signal about the location of the attacker who stole your phone.

Disabling two-factor protection

It is strongly recommended not to do anything with the device that could disable Apple's two-factor authentication, because this will reduce the security of your gadget. However, in some cases it is simply not required. For example, you constantly use both a laptop and a smartphone. There is no need to confirm your identity and, moreover, the procedure is very tiring.

There are two ways to disable Apple's two-factor authentication. In the first case, you need to log into your account, select the “Edit” menu and select the appropriate option in the “Security” menu item. By confirming your date of birth and answering security questions, you will disable two-factor protection.

Disable email authentication

If you discover that two-step protection has been activated on your device without your knowledge, you can disable it remotely using the email address you provided at registration, or a backup address. How do you disable two-factor authentication using email?

To do this, open the letter that arrives in your mailbox immediately after the protection system is activated. At the bottom of the message you will see the “Turn off...” item. Click on it once and the previous protection settings for your personal data will be restored.

You must follow the link within two weeks of receiving the message, otherwise it will become invalid. Now you won't have to wonder how to disable two-factor authentication, and you know a few more Apple secrets.

The digital, electronic nature of cryptocurrencies makes them vulnerable to various ways of compromising your security. The inherent technical difficulties have caused many people to lose their digital currency savings, often through lack of adequate protection or through stupidity. It is therefore extremely important to take all necessary measures to protect the linked accounts: cryptocurrency exchanges, coin wallets, p2p exchangers and so on, ideally even the email account used for registrations. If you haven't heard of 2FA, it's best to set it up after reading this article.

What is two-factor authentication or 2FA

2FA is a simple way to improve security by using an independent authentication channel. After entering your username and password during registration, the service will require confirmation via 2FA: entering a one-time password that is sent to your smartphone to complete the login process. This greatly improves security because an additional layer of verification is required to confirm actions. Also, a password from the 2FA service is required to perform actions, for example, transferring funds or voting.

There are two main ways to obtain a one-time password:

  • via sms,
  • through a special application.

Thus, by using another method of confirming logins and actions, you protect your account from hacking. Even if your account is hacked, your password storage file is stolen, or you don't use a strong password because of forgetfulness, there is still a chance to save the account.

Two-factor authentication via SMS

This method is considered not reliable enough:

  • there are relatively easy ways to spoof a phone number (and also intercept traffic), so that the code is sent to the attacker’s number,
  • not suitable for traveling, when the phone is roaming, has a swapped SIM card, or for some reason does not pick up another operator's network,
  • SMS messages may arrive late, and the time to enter the code may be limited.

Applications for two-factor authentication

The following services are verified:

  • Google Authenticator - the most popular, suitable for all applications and sites that protect an account using this method of user authorization.
  • Authy is Google's big competitor; the main reason to choose this application is its support for multiple devices. If you lose your device with Google Authenticator and have not made any backups (more on this below), there will be problems with your accounts; you will not be able to log in to most of them at all. Authy's feature of keeping the same token on multiple devices is optional; you can disable it if you consider it risky. The program is also accessible from a computer.
  • The highest level of protection is a token on a separate device, usually USB. These are paid USB devices such as YubiKey. When used from a PC, you only need to insert the device into the port and press one button, and with a phone it connects via NFC.

How to install two-factor authentication

It's not as difficult as it might seem. Let's take cex.io and Google Authenticator as an example. The instructions are suitable for most exchanges:


Let us repeat once again that for better security, confirmation through the authenticator application must be applied to all accounts, including mail.

Some exchanges require you to select a one-time password type to set up 2FA. There are two types:

HOTP - valid for an indefinite period of time,

TOTP - changes every 30 seconds. It is preferable because it is more secure, is generated by the Authenticator application every 30 seconds and requires synchronization between the smartphone and the server. The time can be customized.

What to do if you deleted the dual authentication application

To avoid permanently losing access to your account or spending a long time with technical support, you need to save the backup key. It is usually written next to the QR code (as on cex.io), or you can download it as a separate file. If it is not written there, you need to “extract” this information from the QR code yourself. To do this, take a screenshot of the QR code and read the information from it (this will be the same text key that is usually shown next to the code) with any other application for recognizing QR codes.

This file (code) must be stored in a safe place. Some encrypt it and write it to a standalone flash drive, others copy it onto a piece of paper. As a rule, the level of care depends on the amount of money that can be lost =) The data can be put in a cloud service that is not linked to you (registered with a secret email address), in a safe deposit box, with a trusted person or, say, on a flash drive buried somewhere. It's better to use a combination of methods.
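What a QR reader returns from a setup code is normally an `otpauth://` URI whose `secret` parameter is the Base32 text key. The following added example (not part of the original page) parses such a URI and validates the key before you store it; the sample URI, account name and the function `parse_otpauth` are constructed for illustration.

```python
import base64
import binascii
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample of the text a QR reader returns; the secret is the
# RFC 4226 test key "12345678901234567890" in Base32, not a real one.
SAMPLE_QR_TEXT = (
    "otpauth://totp/ExampleExchange:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleExchange"
    "&digits=6&period=30"
)


def parse_otpauth(qr_text: str) -> dict:
    """Extract and validate the backup key from decoded QR text."""
    parts = urlsplit(qr_text.strip())
    if parts.scheme != "otpauth":
        raise ValueError("not an otpauth:// URI")
    kind = parts.netloc.lower()
    if kind not in ("totp", "hotp"):
        raise ValueError("unknown one-time password type: %r" % kind)

    params = {name: values[0] for name, values in parse_qs(parts.query).items()}
    if "secret" not in params:
        raise ValueError("no secret parameter: nothing to back up")

    # The text key is Base32; sites often show it in lower case and in groups.
    text_key = params["secret"].replace(" ", "").upper()
    padded = text_key + "=" * (-len(text_key) % 8)
    try:
        key_bytes = base64.b32decode(padded)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("secret is not valid Base32") from exc

    # The label is "issuer:account" or just "account".
    label = unquote(parts.path.lstrip("/"))
    prefix, sep, account = label.partition(":")
    if not sep:
        prefix, account = "", label

    return {
        "type": kind,
        "issuer": params.get("issuer", prefix),
        "account": account,
        "text_key": text_key,          # this is what you write down
        "key_bytes": key_bytes,        # this is what the algorithm uses
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


if __name__ == "__main__":
    info = parse_otpauth(SAMPLE_QR_TEXT)
    print(info["issuer"], info["account"], info["text_key"])
```

Anyone who holds the text key can generate the same codes, so the screenshot and the decoded text need the same protection as the key itself.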

Otherwise, one way out of the situation is to communicate with technical support at the site where you lost access to your account. Knowing how busy the exchanges are and the high probability of fraud, it is better not to let the situation reach such an outcome.

Attention. Applications developed in Yandex require a one-time password - even correctly created application passwords will not work.

Login to a Yandex service or application

You can enter a one-time password in any form of authorization on Yandex or in applications developed by Yandex.

Note.

You must enter the one-time password while it is displayed in the application. If there is too little time left before the update, just wait for the new password.

To receive a one-time password, launch Yandex.Key and enter the PIN code that you specified when setting up two-factor authentication. The application will start generating passwords every 30 seconds.

Yandex.Key does not check the PIN code you entered and generates one-time passwords, even if you entered your PIN code incorrectly. In this case, the created passwords also turn out to be incorrect and you will not be able to log in with them. To enter the correct PIN, just exit the application and launch it again.

Features of one-time passwords:

Login using QR code

Some services (for example, the Yandex home page, Passport and Mail) allow you to log into Yandex by simply pointing the camera at the QR code. In this case, your mobile device must be connected to the Internet so that Yandex.Key can contact the authorization server.

    Click on the QR code icon in your browser.

    If there is no such icon in the login form, it means you can only log in to this service using a password. In this case, you can log in using the QR code in Passport and then go to the service you need.

    Enter your PIN code in Yandex.Key and click Login using QR code.

    Point your device's camera at the QR code displayed in the browser.

Yandex.Key will recognize the QR code and send your login and one-time password to Yandex.Passport. If they pass the verification, you are automatically logged in to the browser. If the transmitted password is incorrect (for example, because you entered the PIN code incorrectly in Yandex.Key), the browser will display a standard message about the incorrect password.

Logging in with a Yandex account to a third-party application or website

Applications or sites that need access to your data on Yandex sometimes require you to enter a password to log into your account. In such cases, one-time passwords will not work - you need to create a separate application password for each such application.

Attention. Only one-time passwords work in Yandex applications and services. Even if you create an application password, for example, for Yandex.Disk, you will not be able to log in with it.

Transfer of Yandex.Key

You can transfer the generation of one-time passwords to another device, or configure Yandex.Key on several devices at the same time. To do this, open the Access Control page and click the Replacing the device button.

Several accounts in Yandex.Key

The same Yandex.Key can be used for several accounts with one-time passwords. To add another account to the application, when setting up one-time passwords in step 3, click the icon in the application. In addition, you can add password generation to Yandex.Key for other services that support such two-factor authentication. Instructions for the most popular services are provided on the page about creating verification codes for services other than Yandex.

To remove an account link to Yandex.Key, press and hold the corresponding portrait in the application until a cross appears to the right of it. When you click on the cross, the account linking to Yandex.Key will be deleted.

Attention. If you delete an account for which one-time passwords are enabled, you will not be able to obtain a one-time password to log into Yandex. In this case, it will be necessary to restore access.

Fingerprint instead of PIN code

A fingerprint can be used instead of a PIN code on the following devices:

    smartphones running Android 6.0 with a fingerprint scanner;

    iPhone starting from model 5s;

    iPad starting from the Air 2 model.

Note.

On iOS smartphones and tablets, the fingerprint can be bypassed by entering the device password. To protect against this, enable a master password or change the password to a more complex one: open the Settings app and select Touch ID & Passcode.

To enable fingerprint verification:

Master password

To further protect your one-time passwords, create a master password: → Master Password.

With a master password you can:

    make it so that instead of a fingerprint, you can only enter the Yandex.Key master password, and not the device lock code;

Backup copy of Yandex.Key data

You can create a backup copy of the Key data on the Yandex server so that you can restore it if you lose your phone or tablet with the application. The data of all accounts added to the Key at the time the copy was created is copied to the server. You cannot create more than one backup copy: each subsequent copy of the data for a specific phone number replaces the previous one.

To retrieve data from a backup, you need to:

    have access to the phone number that you specified when creating it;

    remember the password you set to encrypt the backup.

Attention. The backup copy contains only the logins and secrets necessary to generate one-time passwords. You must remember the PIN code that you set when you enabled one-time passwords on Yandex.

It is not yet possible to delete a backup copy from the Yandex server. It will be deleted automatically if you do not use it within a year after creation.

Creating a Backup

    Select Create a backup in the application settings.

    Enter the phone number to which the backup will be linked (for example, "380123456789") and click Next.

    Yandex will send a confirmation code to the entered phone number. Once you receive the code, enter it in the application.

    Create a password that will encrypt the backup copy of your data. This password cannot be recovered, so make sure you don't forget or lose it.

    Enter the password you created twice and click Finish. Yandex.Key will encrypt the backup copy, send it to the Yandex server and notify you.

Restoring from a backup

    Select Restore from backup in the application settings.

    Enter the phone number you used when creating the backup (for example, "380123456789") and click Next.

    If a backup copy of the Key data is found for the specified number, Yandex will send a confirmation code to this phone number. Once you receive the code, enter it in the application.

    Make sure the date and time the backup was created, as well as the device name, match the backup you want to use. Then click the Restore button.

    Enter the password you set when creating the backup. If you don't remember it, unfortunately, it will be impossible to decrypt the backup.

    Yandex.Key will decrypt the backup data and notify you that the data has been restored.

How one-time passwords depend on precise time

When generating one-time passwords, Yandex.Key takes into account the current time and time zone set on the device. When an Internet connection is available, the Key also requests the exact time from the server: if the time on the device is set incorrectly, the application will make an adjustment for this. But in some situations, even after correction and with the correct PIN code, the one-time password will be incorrect.

If you are sure that you are entering your PIN code and password correctly, but you cannot log in:

    Make sure your device is set to the correct time and time zone. After that, try logging in with a new one-time password.

    Connect your device to the Internet so that Yandex.Key can get the exact time on its own. Then restart the application and try entering a new one-time password.

If the problem is not resolved, please contact support using the form below.
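The HOTP/TOTP distinction and the clock dependence described above, as an added example that is not part of the original page: it implements the standard RFC 4226 and RFC 6238 algorithms used by Google Authenticator-style apps (not Yandex.Key's own PIN-based scheme), with a server that tolerates one 30-second step of clock drift and refuses a reused code. The key is the RFC test key; the timestamps and the helper `verify_totp` are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Test key from RFC 4226 / RFC 6238; not a real secret.
RFC_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: the code depends only on the key and an event counter,
    so it has no expiry time of its own."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second
    intervals since the Unix epoch, so both sides need the same clock."""
    return hotp(key, int(unix_time) // step, digits)


def verify_totp(key, submitted, server_time, last_counter=-1,
                step=30, digits=6, window=1):
    """Server-side check (hypothetical helper, not a library API).

    Accepts codes from `window` steps either side of the server clock.
    Returns the matched counter, which the caller stores as `last_counter`
    so the same code cannot be replayed, or None on failure.
    """
    current = int(server_time) // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue                              # already used, or negative
        if hmac.compare_digest(hotp(key, counter, digits), submitted):
            return counter
    return None


def clock_skew_demo(server_time: int = 1111111109) -> dict:
    """Constructed scenario: phones whose clocks differ from the server's."""
    outcome = {}
    for label, skew in (("in sync", 0), ("40 s slow", -40), ("5 min fast", 300)):
        code = totp(RFC_KEY, server_time + skew)  # what the phone displays
        outcome[label] = verify_totp(RFC_KEY, code, server_time) is not None
    return outcome


if __name__ == "__main__":
    print(clock_skew_demo())
```

A wider `window` tolerates worse clocks but lengthens the time an observed code stays usable, which is why correcting the device time is the first troubleshooting step.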

In these times of active development of exploits, Trojan horses and phishing threats, users should be concerned about the protection of their accounts in various services. It is necessary to change passwords regularly and use strong, difficult to guess passwords. However, even these measures may not be enough.

To enhance the security of your online accounts, you should use a second factor of authentication. Many Internet services that have already had the bitter experience of being hacked have introduced two-factor authentication (2FA) for their users.

There are three main authentication factors: something only you know (like a password), something only you have (like a hardware token or mobile phone) and a personal characteristic (such as a fingerprint or iris). Two-factor authentication means that any two of the three factors described above are used to log into your account.

The problem is that fingerprint scanners and other biometric scanners are far from being widely used for second factor authentication. Therefore, additional authentication typically involves a numeric code that is sent to your device and can only be used once.

More and more services support a specialized “Authenticator” smartphone application. The user must first configure the service to work with this application using a specific set of codes. The application can be used anywhere; it doesn't even require an active Internet connection to work. The undisputed leader among such applications is Google Authenticator (distributed free of charge on Android and iOS). Authy and Duo Mobile are designed to perform similar tasks and have a more attractive appearance. LastPass has also launched a separate LastPass Authenticator for the iOS, Android, Windows 10 Mobile and Windows Phone 8.1 platforms. Security codes in authenticator apps are synced between accounts, so you can scan the QR code on your phone and get a six-digit access code for the browser.

Please note that setting up two-factor authentication (2FA) may interfere with other services. For example, if you set up two-factor authentication with Microsoft, you may experience problems with Xbox Live on Xbox 360. The Xbox interface does not have the ability to accept a second passcode. In these cases, you need to use an application password: a password that is generated on the main website for use with a specific application. Xbox Live with App Passwords supports Facebook, Twitter, Microsoft, Yahoo, Evernote, and Tumblr integration. Fortunately, the need for application passwords.

Remember that attackers are constantly looking for ways to hack your accounts. Therefore, using two-factor authentication, although it takes a little more time to log in, allows you to avoid serious problems with your personal data.

Two-factor authentication is based on the use of not only the traditional login-password combination, but also an additional level of protection - the so-called second factor, the possession of which must be confirmed in order to gain access to an account or other data.

The simplest example of two-factor authentication that each of us constantly encounters is withdrawing cash from an ATM. To receive money, you need a card that only you have and a PIN code that only you know. Having obtained your card, the attacker will not be able to withdraw cash without knowing the PIN code, and in the same way will not be able to receive money if he knows it, but does not have the card.

The same principle of two-factor authentication is used to access your accounts on social networks, mail and other services. The first factor is the combination of username and password, and the second factor can be the following 5 things.

SMS codes

Verification using SMS codes works very simply. As usual, you enter your username and password, after which an SMS with a code is sent to your phone number, which you need to enter to log into your account. This is all. The next time you log in, a different SMS code is sent, valid only for the current session.

Advantages

  • New codes are generated every time you log in. If attackers intercept your username and password, they will not be able to do anything without the code.
  • Link to phone number. Login is not possible without your phone number.

Flaws

  • When there is no cellular network signal, you will not be able to log in.
  • There is a theoretical possibility of number substitution through the service of the operator or employees of communication stores.
  • If you log in and receive codes on the same device (for example, a smartphone), then the protection ceases to be two-factor.

Authenticator apps

This option is in many ways similar to the previous one, with the only difference being that, instead of arriving via SMS, the codes are generated on the device by a special application (Google Authenticator, Authy). During setup, you receive a primary key (most often in the form of a QR code), on the basis of which one-time passwords with a validity period of 30 to 60 seconds are generated using cryptographic algorithms. Even if we assume that attackers can intercept 10, 100, or even 1,000 passwords, using them to predict the next password is simply impossible.

Advantages

  • The authenticator does not require a cellular network signal; an Internet connection is sufficient during initial setup.
  • Supports multiple accounts in one authenticator.

Flaws

  • If attackers gain access to the primary key on your device or by hacking the server, they will be able to generate future passwords.
  • If you use an authenticator on the same device you are logging in from, you lose two-factor functionality.

Login verification using mobile applications

This type of authentication can be called a hodgepodge of all the previous ones. In this case, instead of entering codes or one-time passwords, you must confirm the login from your mobile device with the service's application installed. A private key is stored on the device and is checked on every login. This works on Twitter, Snapchat and various online games. For example, when you log into your Twitter account in the web version, you enter your username and password, then a notification arrives on your smartphone asking you to log in, and after you confirm it your feed opens in the browser.

Advantages

  • You don't need to enter anything when logging in.
  • Independence from the cellular network.
  • Supports multiple accounts in one application.

Flaws

  • If attackers intercept your private key, they can impersonate you.
  • The point of two-factor authentication is lost when using the same device to log in.

Hardware tokens

Physical (or hardware) tokens are the most reliable method of two-factor authentication. Being separate devices, hardware tokens, unlike all the methods listed above, will under no circumstances lose their two-factor component. Most often they are presented in the form of USB keychains with their own processor that generates cryptographic keys that are automatically entered when connected to a computer. The choice of key depends on the specific service. Google, for example, recommends using FIDO U2F tokens, prices for which start at $6 excluding shipping.

Advantages

  • No SMS or apps.
  • No mobile device required.
  • It is a completely independent device.

Flaws

  • Need to buy separately.
  • Not supported in all services.
  • When using multiple accounts, you will have to carry a whole bunch of tokens.

Backup keys

Essentially, this is not a separate method but a backup option in case of loss or theft of the smartphone that receives one-time passwords or confirmation codes. When setting up two-factor authentication in each service, you are given several backup keys for use in emergency situations. With their help, you can log into your account, unlink configured devices and add new ones. These keys should be stored in a safe place, and not as a screenshot on a smartphone or a text file on the computer.

As you can see, there are some nuances in using two-factor authentication, but they seem complicated only at first glance. What should be the ideal ratio of protection and convenience, everyone decides for themselves. But in any case, all the troubles are more than justified when it comes to the security of payment data or personal information, not intended for prying eyes.

You can read where you can and should enable two-factor authentication, as well as which services support it.