Online security has become much more important in the last few years. High profile password leaks have demonstrated just how insecure most people’s online accounts are. At Envato Tuts+ we take online security seriously; Johnny Winter, the editor of the site, and I are huge fans of 1Password.
With 1Password, we don’t even know the passwords for our online accounts. We just remember one secure password that we use to unlock an app that automatically generates, stores and fills in secure passwords. For more details, check out this tutorial on 1Password.
1Password, however, only helps us use better passwords; it doesn’t solve the problem that anyone who managed to intercept a password or force a password reset could, in theory, hack into some of our most important accounts. The best way to eliminate that risk is to add a second factor or step to the verification process.
In my tutorial on enabling Two-Factor Authentication for iCloud, I went into more detail on what exactly two-factor authentication is. If you’re not familiar with it, you should read the introduction to that tutorial before continuing.
In this tutorial, I’ll set up Two Step Verification using time-based one-time passwords in 1Password.
Two Step Verification and Time-Based One-Time Passwords
As I explained in the previous tutorial, there are three main methods of authenticating someone:
- something they know—a password
- something they have—a bank card, and
- something they are—biometric data
For true two-factor authentication you need to use two different methods of authentication. With 1Password and time-based one-time passwords you get Two Step Verification but not two factor authentication.
A time-based one-time password is generated by an algorithm from a secret shared with the site and the current time, so each code is only good for a short amount of time. They’re normally used in addition to a regular password.
When you set up Two Step Verification on a site, it will display a QR code which encodes the secret the site uses to generate one-time passwords for your account. By scanning this code with 1Password, it will save that secret and thus be able to generate matching codes. To keep my own accounts secure, I’ve blurred the QR Codes used as examples in this tutorial.
Support for Two Step Verification isn’t yet widespread. Fortunately, many of the early adopters are important sites that often hold a lot of personal information, such as Gmail, Facebook and Dropbox.
In this tutorial I’ll configure Two Step Verification for my Google account and my Dropbox account. The process is similar for every service; you just have to dig around the settings until you find the right option. For a list of websites that support Two Step Verification, check out TwoFactorAuth.org.
Two Step Verification and Google
To set up 1Password for Two Step Verification you need to add an additional field to each website’s entry.
Open 1Password and navigate to the login you want to add Two Step Verification for. In my case, it’s my Google account.
Click Edit and then enter 2FA or something similar as the Label of a new field. Click the ellipsis icon and select One-Time Password.
Open a browser window side-by-side with 1Password, log in to your Google account and navigate to Sign-in & Security. Select 2-Step Verification and follow the walkthrough.
You’ll be required to enter your password and then add a phone number. A six-digit code will be texted to you. Enter that code to proceed.
Once you’ve configured a phone number, select Authenticator App from Set Up an Additional Second Step and then iOS. This will generate a QR code.
In 1Password, click the small QR Code icon next to your new field. This will open a QR Code scanner. Drag the scanner over the generated code and wait until it reads it. This will automatically fill the 2FA field. Click Save and you’ll see a six-digit code in 1Password with a ring beside it. The ring indicates how much longer the code is valid.
Back in the Google account, click Next and then enter the six-digit one-time password to confirm the setup. Once you do, Two Step Verification will be enabled for your Google account.
Two Step Verification and Dropbox
Setting up Two Step Verification is similar for Dropbox. Log in and head to the account preferences. Select the Security tab and then under Two-Step Verification choose Click to Enable.
You’ll be prompted to choose how you want to receive verification codes. Choose Use a mobile app. This will generate a QR code. Follow the same procedure as before.
Every account you enable Two Step Verification for will have a slightly different process. Finding which option to enable in settings can take some digging. Before doing so, use TwoFactorAuth.org to confirm that it’s available on the service you want to use.
You will be able to access your time-based one-time passwords from any 1Password app you have set up to sync with your primary vault. Although the Mac app, which I used in this tutorial, makes setup easiest, the iOS app is more convenient for when you need to log in to an important account from a different computer.
You should make enabling Two Step Verification for your accounts an important part of regular security audits. More services are adding it as an option all the time.