[Drama] 2FA: Authy official website introduction text reading experience

This is when we started 2FA/two-factor authentication, we encountered a dramatic disaster (Drama), so that a very simple thing took several days to complete. To put it simply, the new knowledge we have learned in this misfortune is best if it can be helpful to everyone.

Article 1: What is 2FA? (click to link)

The official website is to encourage everyone to use its own services, so when introducing concepts or service content, it will use an approachable way, and even stimulate visitors' motivation to learn. This is a good example. The outline is clear, easy to read and easy to read. Understand.

Explain at the beginning why having a password is not enough? At that time, we used very daily reasons. At that time, we were disheartened because of the failure of the operation, and our head was full of heavy black clouds. As I write, my mood begins to move in a cheerful direction. (Otherwise, it is already miserable, who would want to find the direction in the whole string of English words?) (But I will look for it, I really think that I am not clear enough in concept)

Three reasons: human memory is just bad, too many accounts, tired or tired of network security (if not changing all accounts to a set of too simple passwords, you're putting yourself in one place) All accounts and secrets are written down)

• Humans have lousy memories.
• Too many accounts:
• Security fatigue sets in:

Then the article begins to introduce the ways we have encountered in the past to ensure the security of accounts and secrets, such as answering a question that only you know the answer to, and what types of 2FA are there . Knowledge of new words.

It is recommended that you read one by one, and you will understand what we have understood. The outline of what we have done is clear, thick pink is the big mark, and pink is the small mark. When we see the small mark of the third item, we feel excited, because judging that Software Tokens for 2FA is the way we failed this time, our confusion May be on the way to a solution.

Hardware Tokens for 2FA
(: Physical hardware, which may be the oldest form of dual authentication, and later also took the USB route. The disadvantage is that it is too expensive for large enterprises to generally use it for customers)

SMS Text-Message and Voice-based 2FA

Software Tokens for 2FA

Push Notification for 2FA

Other Forms of Two-Factor Authentication
(: fingerprint, iris, face recognition)

SMS messaging authentication and the current OTP of online card swiping belong to the security guarantee of one-time transmission, and will not involve the user's other network and social assets, so it is OK, but similar to Facebook, discord or Gmail, customers who have accumulated long-term use and Once stolen, it will be gone, so recently LikeCoin Discord has adopted to require users to activate 2FA two-factor authentication.

Next, there is a video (Everybody Should 2FA) that is also helpful for us, that is, to actually see how people are operating, because there are apps on desktops, and apps on mobile phones, so when you check your phone and check your computer, which one should come first? For unfamiliar people, this will be a problem. It is better to see the real operation to get the concept: after this thing is installed, it will probably be used .

Finally, if you want to know more about 2FA, there are many learning resources, we also read an article, why Authy App can be used as a backup. Part 2: How Authy 2FA Backups Work and then understand what we did well and why we encountered setbacks.

Let's first look at this screen, which is what you will see if you want to start 2FA on the desktop:

There are two ways to start, QR Code or manual input, let Authy get the Discord account we have, after that, Authy will generate a Token every 30 seconds, and the Token is the six-digit verification code at the bottom of the picture above. . We went to try Facebook later, too. After typing the account password, you have to open Authy to send the six-digit number back to Facebook, and then the login will be successful.

(After the startup is successful, the system will give you a set of ten eight-digit backup passwords, each of which can only be used once. Generate it after use.)

Therefore, when the first article starts to introduce 2FA, it will say that even if your account password is lost or your mobile phone is lost, the design of 2FA (two-factor authentication) can still protect your account and the contents of the account.

By sending a one-time combination of numbers every 30 seconds, your login has an extra layer of security, and people who really want to scare can't use it even if they get that set of numbers.

We installed Authy first when we started 2FA on the desktop and completed the authentication. So we are very happy to go to the mobile phone to repeat the operation, and download the App, and then the Discord on the mobile phone asks us to scan the QR Code or enter a set of six digits to log in again, and there is a drop-down option to enter Backup passwords.

What will you do then?

At that time, our concept was not clear, and we immediately had two thoughts. One wanted to go back to the desktop to see the screen with QR Code and six digits just now (but after setting it up, we couldn’t see it); the other was to go to the mobile phone. Find the Authy App on the Internet. The Authy App also asks us to enter the backup password. The backup password generated by the Discord system is a plain text file. It was hard to see the difference, we later posted to Word to change the font . But this is not the easiest way. It is best to cut and paste it directly. Download the App on the mobile phone from the beginning, and it may be ideal to start it with the mobile phone. In short, in a hurry, we entered the eight-digit number several times and it was invalid, and I didn’t know where to find the six-digit number just now. Super crash. Because we feel that activation is to protect ourselves, in the end, in order to activate, we lock ourselves out and can't get in.

The most correct way is to go directly to Authy on the desktop to get a set of six digits to log in on the day of the incident. This is why when I go to the LikeCoin Discord to ask @leafwind for help , he gets confused. I am very grateful that he told me that the six figures will always change, so that we can reason step by step to find out our problems and establish a correct understanding.

In the second article on the official website, we also pointed out a very interesting article, which is also easy to read to improve understanding in English, about passwords. Salted Password Hashing - Doing it Right

The above is the harvest in the dramatic disaster (drama).