
A Better Way to Do One Time Passwords

Note! Feb 13 2023: Twilio has ended the life of Authy for the desktop as of March 19, 2024. Do not use it. Both KeePass and Bitwarden Premium ($10/year) offer time-based one-time passwords within their password manager. Others do as well. I still like the idea of having it on the desktop, but younger people tend to want to force everyone to use their phones. KeePass's implementation is a bit tricky. If you've been using Authy, transition to something else.



Preview:

Two-factor authentication (2FA) can be a hassle and inconvenience. Here's how to set it up to be more secure and easier to use.

Two-factor authentication is the attempt sites make to appear more security-conscious. A site will send a 6-digit token to your phone or sometimes to your email address, and you are forced to enter it. If your password was compromised and a miscreant attempted to log in from a remote location, this could save your account.

The problems are that these codes are inconvenient, that they don't add as much security as people would like (because your mobile phone is itself insecure), and that they present difficult problems for others who need to access your accounts if you are incapacitated.

If you access your important websites from your computer at your office or home, not your phone, then here is how to make the process more secure and easier. This will help you with sites which actually care about security and support authenticator apps, so probably not your bank. But Amazon, PayPal, Google, Square, Mailchimp, Nord, Bitwarden, Uber, Twilio, LinkedIn, Instagram, Twitter, Apple, Dropbox, Microsoft and many more support them.

A Brief Explanation

Here's how it works. The website generates a second password for you, so you have both your regular login password and an additional, shared password that only you and the site know. That second password is combined with the current time and fed into a formula to produce a short token. These tokens are usually 6 digits long. Every 30 seconds the time step changes and the app produces a new token.

The tokens used at login are worthless to a hacker who captures one, because in less than 30 seconds they are discarded. Now a hacker needs to get both your passwords to get into your account. Usually, websites let you log in without the extra token if you are logging in from your normal browser and computer and they recognize the cookie they put on your computer. If you enable this, you retain protection against someone using another computer to try to access your account, but lose it if they steal your computer.

Many companies offer these authenticator apps. The formulas are well-established, openly published cryptographic algorithms, so any app can combine the second password with the time and run it through the same established formula. Remember, you must keep both your first and second passwords safe.
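The formula described above, as an added example that is not code from this article, from Authy or from any website: the standard TOTP algorithm (RFC 6238, HMAC-SHA1 over the 30-second step counter) in Python. It also shows why any app holding the same master password produces the same token, and the check a website performs on the token you type. The secret is the RFC test key, a constructed sample and not a real account's.

```python
import base64
import hashlib
import hmac
import struct


def decode_secret(secret_text: str) -> bytes:
    """Convert the base32 'master password' a site displays (spaces, any case)
    into the raw key bytes that the HMAC formula actually consumes."""
    cleaned = secret_text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # base32 input must be a multiple of 8 chars
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated to 'digits'."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the counter is simply the number of 30-second steps since 1970."""
    return hotp(key, unix_time // step, digits)


def seconds_remaining(unix_time: int, step: int = 30) -> int:
    """The countdown the app shows: how long the current token stays valid."""
    return step - (unix_time % step)


def verify(key: bytes, submitted: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """What a website does with the token you type: recompute it for the current step
    (plus 'window' steps either side to tolerate clock drift) and compare in constant time."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(key, c), submitted)
        for c in range(counter - window, counter + window + 1)
    )


if __name__ == "__main__":
    import time
    # Constructed sample secret, NOT a real account's: base32 of the ASCII key from RFC 6238.
    key = decode_secret("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")
    now = int(time.time())
    # Two apps holding the same secret agree because their inputs are identical.
    print(totp(key, now), "valid for", seconds_remaining(now), "more seconds")
```

Note that the key bytes, not the base32 text, are what must be kept secret; anyone holding them can generate every future token.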

Step 1. Get Authy from Twilio


While Google and Microsoft and other companies offer authenticator apps, I chose Authy from Twilio because of its simplicity, clean Windows (and Mac) desktop apps, established brand and excellent ratings. Also, I chose it because I didn't want Microsoft or Google to control my secondary passwords. Twilio offers Authy for free.

Download and install the program and set up your Authy account. You won't need the account if you don't want to use advanced features. The Authy app will store and use your second password from each website, but won't know your primary password.

Step 2. Decide Where to Store the New Passwords

You will get a new password from every website that you set up with your new authenticator app. Where are you going to put them? The simplest solution, which I recommend, is to put them in the notes for Authy in your password manager. This has the advantage of extreme simplicity and you'll be able to find them easily. It has the disadvantage of storing your second password in the same place as your original password. If someone gets your password safe, then you've lost the added protection these tokens could provide.

Another good option is to store them in a simple Word or LibreOffice document and save it encrypted. LibreOffice has a checkbox in the Save As dialog to encrypt the file. This is safer, but you'll need to remember another password (unless you use the same one you use for your password safe). You'll also need to remember where you put the file and what you called it. Finally, you'll need to update it when you add a new website.

For those of you without a password safe (KeePass, KeePassXC, Bitwarden and 1Password are all good options): get one. Learn to use it. There is no reason to read further. You haven't taken the first step, so there is no reason to take the second one.

Step 3. Add Your First Website!

I'll take Amazon as an example.
  • Log in to your account and choose Settings then select Login & Security Settings.
  • Next Get Started with Two-Step Verification
  • Instead of selecting the insecure Phone Number, choose Authenticator App
  • Ignore the QR code and choose Can't scan the barcode. Now Amazon gives you your master password. Your app will generate your tokens with it. Copy it and paste it into your password manager. This is important. If something goes wrong, you may need the master password.
  • Open Authy and choose Add Account and paste in your password. Again, IGNORE the QR code crap.
  • When you add the account, scroll down and choose the Amazon logo
  • To verify that your app and Amazon are in sync, you'll need to prove the password was entered correctly by typing in your first 6-digit token.
  • Click the Turn on Two-Step Verification button

That's it. Here's how it looks.



You can just press the copy button and then paste the 6-digit token into the Code slot. No need to even type it. Notice how it shows the time as the 30 second switch ticks away!

Step 4. Rinse and Repeat

Just repeat this for other accounts you want to protect with a TOTP (Time-based One Time Password). Sometimes websites will ask you if you want to use Google's Authenticator app. Just say yes. It doesn't matter which app you use. If you have the correct master password you can produce the correct token.

What is all the QR Code Stuff?

These apps were originally designed for use with cell phones, and long passwords are hard to type, so sites embed the password and website name in a QR code. The problem that creates is that you need to print out the QR code, label it and save it. Even doing so, you never know your password, and if anything goes wrong, or you change authenticator apps, you can end up with a mess. It is best to maintain control of your master, token-generating passwords. So, get them at the very beginning and record them in your password safe before you turn on 2FA (2-factor authentication).

I'd Want It on My Phone Too

Authy has apps for all your mobile devices, but I put 2FAS on my phone instead of Authy, partly to have two separate programs and partly because it is open source. It works great. I keep a copy of my password safe on my phone, so I added each account into my phone authenticator app and then copied the master password into it. Both programs generate the same tokens (TOTPs) because they run the same master password plus the time through the same formula, just like the website does.

Having it on two devices (my computer and phone) is useful. If I lose one of them, or one breaks, I can still log in to my accounts using the codes from the other one.

One-time Backup Codes

Some places offer one-time backup codes. Dropbox and Mailchimp both did this. These are codes you can only use once. Copy and paste these into your authenticator notes in your password safe as well. If you lose your authenticator app, or it malfunctions, you can use these codes (one time each) instead of the authenticator-generated one.

Other Features

Authy has a couple of other features I do not use, but you may find beneficial:
  • Backup. You can turn on backup, and Authy will back up your accounts. I'm sure it is fully encrypted and secure, but I have all the master passwords in my password safe and it gets backed up many times in different ways. This is mostly useful if you were mainly using this on a phone and didn't record all the master passwords in a place that gets backed up. I'll handle my own backups.
  • Sync. If you use Authy on all your devices, you can sync all the apps through the cloud. If you add one on the desktop, it'll automatically sync to your phone. Personally, I'll spend the entire minute or so to add it manually.
  • Disable a device. If you lost your phone, you could disable it from your Windows computer.

All these features require passing your master passwords through their cloud service. I'd prefer keeping everything local. The website doesn't send me anything. I don't store things anywhere except locally. However, if I traveled more and used mobile devices to access my accounts often, then, these features would be more useful and I wouldn't hesitate to add them.

Glossary

  • Website or account: The place you want to log into securely.
  • OTP or One time password: A code, usually 6 digits, sent to you by the website to add a second layer of protection to your account.
  • Token or Time-based One Time Password (TOTP): A special kind of OTP which doesn't require anything to be sent to you. You generate it and the website also generates it based on a password and the time. This is much more secure than a simple OTP.
  • 2-step or 2-factor authentication (2FA): An added layer of security in addition to just the username and password. This is inclusive of both OTP and TOTP.



Date: May 2023


This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.