8 Comments

2FA sounds good, but I do not have or want a cell phone. So I bought a pair of Yubico keys. It does not work with my bank or 3 credit cards. I am not interested in chit chat programs. So far, useless. Maybe the next time I use login.gov for the VA?

Right. Hardware keys are still being treated as a novelty rather than a mainstream solution. For your case, I recommend implementing two solutions.

First, use TOTP support in your password manager, which will allow you to receive codes in your desktop browser that are the same as those you would get from an authenticator app on a smartphone.

Second, sign up for a free Google Voice account and use its phone number to receive text messages (again, in your computer's browser) for sites that insist on sending text messages. Problem solved, no smartphone required.

Thank you. I had to look up TOTP. I finally got my YubiKeys to work with 1Password. It was not easy after working on computers since 1969. I had to install a YubiKey Manager and YubiKey Authenticator. And then configure 1Password to use it. Progress. I will try login.gov next.

I explained TOTP right in the post! I even included a diagram.

Anyway, I am referring to something separate. You don't need your YubiKey to use TOTP in 1Password. You can use 1Password as an authenticator app. I will add this link to the post so other people can find it as well, but here you go: https://support.1password.com/one-time-passwords/

Sorry. I skipped the part about QR codes because I thought they only worked with cell phones. I will look for the cut and paste strings. Next time a site calls me or sends an email, I will try to convert it. Thanks for all your help.

Free Google Voice accounts are only available in the US.

As for using TOTP support in the password manager, I do it (because it's so convenient) but I have mixed feelings about having all my secrets in one app.

Indeed, but I believe Cecil is in the U.S., so it is an option for him. And honestly, I suspect the number of people who are 1) interested in using 2FA and 2) opposed to using a mobile phone is ... pretty small?

As for TOTP in a password manager, I share those qualms. I use a separate authenticator app for sites that are critical and only use TOTP in the password manager for non-essential sites. Still, with a strong+unique master password the risk seems manageable.

Why do most of the most important websites (financial sites) only use SMS/email for 2FA? Btw, I think this series has done an excellent job of laying out the steps needed to harden your security. In addition to everything you've talked about, I think everyone should freeze their credit reports. I realize that's something different than what you're discussing, but I think it's very important.
