- Goal 1
Set Up Multi-factor Authentication
This is a long one, but it's an important foundation to build for this and later steps.
What is multi-factor authentication?
It's a way of logging in to your online services and other systems where you prove that you're you in multiple ways. You're already used to providing a single factor of authentication: your password. Now you just need to add another!
The three categories of MFA are:
- Something you know (like a password or PIN)
- Something you have (like a mobile device or security key)
- Something you are (like a fingerprint or face scan)
You already have your new password from the last step, so we're just going to add a second factor. We're going to use #2, “something you have,” and that something will be your mobile device. Or more specifically, an app on your mobile device.
Why use MFA?
Simply put, to make it just a little harder for bad actors to get into your accounts. In the case that someone finds, intercepts, or guesses your password, the second factor will be another hurdle for them to pass.
If they find your password on your desk, see you typing it in somewhere, or trick you into giving it to them online (it happens!) they still need access to your mobile app to get into your account. And what's better is that the mobile app code changes every 30 seconds. This can make hacking into your accounts a bit of a moving target.
Choosing an authenticator app
The specific type of second factor that we'll be using is called TOTP (or Time-based One-Time Passwords). In short, they are six-digit codes that change every 30 seconds. They work even when you don't have an internet connection, and they're a relatively safe and easy way to add a second factor to give you MFA.
There are many TOTP mobile apps you can choose from, but we're going to use Authy in this guide. If you already have a favorite, feel free to keep using it. As long as your TOTP app is “Google Authenticator compatible,” you should be fine.
Authy has some extra features that we like, so we recommend giving it a look:
- Encrypted storage
- Touch and Face ID locking
- Backup Syncing
These features are optional, but the backup and syncing can be extra helpful when you lose your mobile device.
Already use SMS for your MFA?
SMS or text messages are a very insecure way to receive your second factor code. It has become quite common for bad actors to intercept SMS messages and use this to break into online accounts. It's best to stay away from SMS unless there is no other option.
Setup Authy as your MFA app
Start by installing Authy on your mobile device. Here are Authy's directions for doing so:
We don't recommend installing Authy on your desktop or laptop unless this is your only option.
After you've installed Authy, launch it and walk through the initial setup process. It'll help you create an Authy account, which just means entering your mobile number and email address. Both will be important if you ever need to recover your Authy account.
From there, you can work through these optional, but recommended, steps:
- Enable encrypted backups (read more about this below)
- Enable a PIN and Touch ID or Face ID (for keeping the app and codes safe)
- Use the multi-device feature to sync another device (if you have a second phone or tablet, this can be helpful)
Enable encrypted backups in Authy
While there can be downsides to storing your authentication codes in the cloud, for most folks the pros outweighs the cons.
Authy backups are encrypted and should only be able to be restored by you. You can read more about their backup and encryption processes here.
Authy backups can be very helpful in cases when you lose or damage your mobile device, or simply when you get a new one. As you collect more authentication codes, transferring or attempting to restore them becomes a bigger and bigger task.
If you don't feel that this is right for you, simply leave backups disabled.
If you'd like to proceed, make sure you follow the advice from the previous step to create a strong and unique password. Since this will be used for backup encryption, you should opt for a longer password or phrase, preferably 60+ characters. Then add it to your temporary paper storage.
Index card with example passwords
You'll then use this new unique password for your Authy encrypted backups. Remember, you can use the Bitwarden Password Generator site to make this simple.
Here are Authy's instructions for enabling encrypted backups:
Enable MFA in your email account
Now it's time to put this new power to good use. You're going to enable MFA on your email account and connect it with the Authy app.
Here are Authy's own guides to help you through this step:
Sadly, Apple, Yahoo, and some other providers don't offer MFA compatible with mobile authenticator apps. They only offer SMS/text message MFA. In Apple's case at least, their method of doing this is a little better than just regular SMS MFA. Since it's your only option, though, it's way better than nothing.
Don't fret if you got this far with Authy and can't use it for your email. In upcoming steps, we're going to recommend that you enable MFA on other important accounts. It's still essential that you go Authy setup.
Could you use some more visuals?
Here are a couple of videos that may help. We did not make these, but they contain some sound advice:
Authy also provides a really thorough help section, including guides for adding MFA to many other apps and services.
Final, but important, note
You've employed a really great method of MFA for your email account. But it isn't foolproof. You'll still need to be careful not to accidentally give a bad actor your password and your mobile code. If they do manage to get both, they can still get into your accounts.
Later on in the security journey, we'll talk more about protecting yourself from phishing, but in short, always make sure you're typing your passwords and authentication codes into the real site that you mean to. When in doubt, use your favorite search engine or a known bookmark to make sure you're in the right place. Don't rely on email links or directly typing URLs if you can help it.
You've completed the first goal in the Harder to Hack journey. With a more secure email account, you're just a bit harder to hack! Continue on to secure more parts of your digital world.