If you have online accounts that store sensitive data, there's a good chance you have encountered two-factor authentication (2FA). When you log into your bank or healthcare provider's website or app and you are prompted to send a code to your phone that you then have to enter, that's a form of 2FA. 2FA is a subset of multi-factor authentication. It describes the additional level of security provided by having to use two pieces of information to prove your identity to a website or system. In the case of a bank website asking you for a code they sent through a text message, your two pieces of information are:
- Something you know: your password for the particular site.
- Something you have: access to the mobile phone your bank has listed for your account. The bank sends you a code to prove that you have access to that phone number.
Having either individual piece of data would provide a level of security, but for a malicious person to get into your account they would have to both know your password and have access to your phone, which is a higher hurdle.
Because text messages using the SMS protocol are potentially vulnerable to SIM swapping (also called SIM jacking) and other threats, several companies offer dedicated solutions for implementing 2FA. In this Recipe we'll use the free Google Authenticator app for iOS and Android phones, but companies such as Duo Security, Authy, and Yubico all offer solutions in this space at various price points.
Implementing 2FA With Google Authenticator
Start by downloading Google Authenticator for iOS or Android. Once you have the app installed you can start connecting it to sites. Since we used Namecheap for registering a domain name in another Recipe and it supports 2FA, we'll use that site as an example. To get started, log into Namecheap. Once logged in, access your account in the upper right and select Profile → Security → Two-Factor Authentication.
Namecheap lists Device Authentication as Top Security, and while it's true that using a hardware device provides an extra layer of security, the devices cost money, and for an early-stage startup the tradeoff in using an authentication app is worthwhile. As your startup grows, implementing device-based 2FA is something you should evaluate.
Click Enable under the box marked Authentication App (TOTP). You'll be prompted to re-enter your password. Because adding 2FA with an authentication app like Google Authenticator will lock you out of your account if you lose your phone, Namecheap gives you the option to download backup codes. Download these and store them in a safe place such as your password vault. Click Next.
Namecheap will then show a QR Code. Open the Google Authenticator app on your phone and tap the multi-colored button in the bottom right, then tap Scan a QR code.
Once you have added it, you'll see a six-digit code with a circle that shrinks over time, and glows red when it's almost gone before the number changes and the circle goes back to being full.
What's happening behind the scenes is that these codes are regenerated every 30 seconds from the secret you just shared by scanning the QR code plus the current time, so your phone and Namecheap compute the same code independently without talking to each other. Entering the code proves to Namecheap that you have access to the second form of authentication, your phone. Enter the six-digit code in the field on this page and click Finish.
Once you have entered the code successfully, 2FA with Google Authenticator will be enabled for your account. Now when you log in to Namecheap, in addition to username and password you'll need to open the Authenticator app on your phone and enter the code to finish the login process.
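The six-digit, 30-second codes above are time-based one-time passwords (TOTP, RFC 6238). The following Python is an added example written for this page, not code from Google, Namecheap, or the Recipe; it implements the generator side (what the Authenticator app does with the secret from the QR code), the countdown the shrinking circle represents, and a server-side check that tolerates a little clock drift. The Base32 secret used in the usage call is the RFC 6238 test secret ("12345678901234567890"), not a real account secret, and the 30-second step and six digits are the Google Authenticator defaults.

```python
"""Minimal RFC 6238 TOTP generator and verifier (added example, not from the Recipe)."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # Google Authenticator's default time step
DIGITS = 6          # six-digit codes, as displayed in the app


def decode_secret(base32_secret: str) -> bytes:
    """Decode the Base32 secret carried in the otpauth:// QR code.
    Spaces and missing '=' padding (common in displayed secrets) are tolerated."""
    s = base32_secret.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce to `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(base32_secret: str, at: Optional[int] = None, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    Both the phone and the server run exactly this, which is why no
    synchronization traffic is needed after the QR code is scanned."""
    t = int(time.time()) if at is None else at
    return hotp(decode_secret(base32_secret), t // step)


def seconds_remaining(at: Optional[int] = None, step: int = STEP_SECONDS) -> int:
    """How long the current code stays valid (the shrinking circle in the app)."""
    t = int(time.time()) if at is None else at
    return step - (t % step)


def verify(base32_secret: str, submitted: str, at: Optional[int] = None,
           window: int = 1, step: int = STEP_SECONDS) -> bool:
    """Server-side check. Accepts the current step and +/- `window` adjacent
    steps to absorb clock drift between phone and server, and compares each
    candidate in constant time so the comparison itself leaks nothing."""
    t = int(time.time()) if at is None else at
    key = decode_secret(base32_secret)
    submitted = submitted.strip()
    for drift in range(-window, window + 1):
        expected = hotp(key, (t // step) + drift)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo secret: Base32 of the RFC 6238 test key "12345678901234567890".
    DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(f"current code: {totp(DEMO_SECRET)} "
          f"(valid for {seconds_remaining()} more seconds)")
```

A real server should also record the last accepted counter per user and refuse to accept the same code twice, and keep `window` small (one step each way is typical); widening it to paper over badly drifted clocks multiplies the number of codes an attacker could guess.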
Implementing 2FA for your Google account
Because of the popularity of Google accounts and the number of startups that establish G Suite accounts in early stages, this Recipe also includes a section on how to set up 2FA for your Google or G Suite account.
Get started by logging into your Google account. Then select Security from the panel on the left side. Click 2-Step verification, then click Get started. You'll be prompted to re-enter your Google account password.
You should see a screen titled Use your phone as your second step to sign in. If not, select Show more options at the bottom of the page and switch to that authentication method.
Click Continue. You'll be prompted to select a backup mechanism for authenticating, in case you are unable to access your phone to confirm the 2FA prompt. By default Google will ask for a phone number, but if you lose your phone and can't access the prompt you likely also will not be able to access a text message. So select Use another backup option. Google will generate ten access codes. Download these and store them somewhere safe, such as your password vault.
Select Turn on. Google will enable 2FA for your account. Now by default whenever you sign in to your account on a new device, after entering your email and password you'll be prompted on your phone to confirm the login.
Your phone will display a message asking you to confirm the login attempt (note that the workflow may be different on an Android device). Once you accept the confirmation by tapping Yes, it's me, you'll be logged in and will not have to repeat this process on this browser or device.
If your startup uses G Suite you may need to enable 2FA for accounts in the admin console before users can set them up. To get started, log in to the G Suite Admin Console.
Open the menu on the left side and select Security. If you don't see it in the list, select Show more.
Scroll down to the section named 2-Step Verification and click to expand the panel. To enforce 2FA for all accounts in your domain, check the box marked Allow users to turn on 2-Step Verification then set the Enforcement radio button to On. Give your users some convenience by setting the New user enrollment period to 1 Week (so that new users can get their accounts set up before being prompted to set up 2FA), and check the box marked Allow user to trust the device (so they aren't prompted to re-authenticate on devices that they use frequently).
Under Methods, select Any except verification codes via text, phone call. This blocks the SMS and phone-call methods, so your users must set up 2FA with a stronger second factor such as a phone prompt, an authenticator app, or a security key. Then click Save. The next time your users are prompted to log in to their Google Accounts they'll be offered an opportunity to set up 2FA, and after one week they'll be forced to enable it. Directions for setting up 2FA for an account in your G Suite are the same as those for setting up a personal Google account.