Gold-level Patrons: download or watch in HD
Edited from the full Ask Leo! Live Event video, available below.
Transcript
protocol, but in the worst case, you can actually plug this in, fire up Notepad, hit the button, and it acts as a virtual keyboard and you can see what looks like a random string of numbers get entered. That is the confirmation that you have the key in your possession.
Like the authenticator app that we just did, your key is associated with your account. The information that’s stored on your key is unique to the key; every key is different. And when you associate your key with the account like this step is about to do, then what you are doing is providing or setting up a permanent and unique link to this specific key; it becomes your second factor. For people that like physical keys have, you know, like, you can see I’ve got this one on a small carabiner so I can carry it with me.
For people that like physical keys, it is extremely secure. You can add more than one and I know of at least one reader who suggests you always get two; you associate two, and you store one safely in a safe for example, so that in case you ever lose the first one, you always have the second one to fall back on. It’s very similar to my recommendation that you set up a recovery code and store that in a safe place. I’m not gonna actually associate that here today, simply because my machine you’re looking at is a virtual machine, and we have to jump through a couple of hoops to make my physical USB port for this key, actually associated with a virtual machine. But that’s what you would do if you did a virtual, if you used a security key.
Let’s see, Windows Hello is the fingerprint reader on your machine. If you have one, I’m not going to touch on that right now; trusted devices are simply those machines that it thinks you have logged in on. If, for example, I’ve signed in on my laptop, I’ve jumped through the two-factor authentication hoop to make sure that I don’t need to enter two-factor authentication over and over again. If I then lose that laptop, there are two approaches to dealing with that.
One is to immediately come here and remove all the trusted devices associated with your account, which means that every device will, the next time you log in with your account, require that you enter that second factor for two-factor authentication. The other thing, of course, that we more often recommend is that you change your password.
That is also a good option. And my recommendation, honestly, is that you do both. Security contact info. So I’ve mentioned a couple of times that when you don’t have your second factor, or in some cases when the service wants some additional verification that you are who you say you are, they will accept your password, but then require that you enter a code sent to an alternate email address.
These are those alternate email addresses. You can have multiples of these. When you get the request for a security number sent to your alternate email address, it may send them to more than one of these or it may allow you to select one of them to send to. It depends on the service; I believe Microsoft lets you select which one. You’ll notice that these accounts are also labeled as “will receive alerts”. So for example, as you add second factor authentication devices to a machine, or especially if you remove a second factor authentication option from an account, the system will send an alert message to make sure that you know that this happened in case somebody unauthorized does this without your permission.
The other thing that I do want to do though is I do want to go ahead and I am going to go ahead and actually add a phone number. And the phone number that I’m going to add may surprise you. I have to see if I can bring it up here real quick. Not the number itself. And I honestly don’t care if you know this number, because it’s not a number that I ever answer. So, and it is texting that number a code that I have to enter, that actually came in already: 4823. And I have now added a text messaging number to my account. You can see it says “won’t receive alerts”.
Those are options. You can see “change alert options”; you could have it text you every time something happens on your account. The magic behind that specific number, and the reason I’m bringing it up right now, is that that is actually a Google Voice number. You’ll notice I didn’t grab my phone to receive the SMS. If you set up a Google Voice number, which is still free, you can use that as an SMS target for any of the services that you might be interested in using that for. I happen to use it for my voicemail; I’ve got a couple of them. I never answer that number; it always goes directly to voicemail and any text messages that I get received by that, by that number get ignored. But you can see that it’s great for the scenario where we’re using today, where I can set up this example.
One of the reasons I bring that up specifically is because it is a situation where the most common lockout situation involving two-factor authentication for people that are traveling, especially when they’re traveling overseas. This is one of the times that Microsoft will automatically trigger a request for additional validation that you are who you say you are. If you’ve enabled two-factor authentication, then that will be enough. If you’ve got the authenticator app that you’re using as your second factor, that should be enough because that does not require connectivity.
It simply requires that your phone, your device that has that second factor, have the right time. It’s all time based. But as long as it’s close on time, then that second factor you enter from the mobile device app will work. However, not everybody does that, not everybody has two-factor authentication enabled. The second factor then that Microsoft goes to is your alternate email addresses – the ones that we’ve set here, or in some cases, the SMS number that we’ve set here. If you can’t access those email accounts or you don’t have access to your phone, because you’ve traveled overseas and are outside of your carrier’s area, you can’t log into your account. I bring this up specifically because this Google Voice number if I could log into my Google number or if I could log into my Google account that is associated with this, I can receive SMS text messages. And I can then use those as my second factor for things like my Microsoft account as I’ve done here.
So we now have a couple of different email addresses we can use when logging in. We have security info, I think this is... yeah, that’s just adding more phone numbers, more email addresses if you want to, and we can get ourselves alerted. Let’s do something dramatic. I’m going to fire up a different browser just so that we can see if so outlook.com will sign in and now it’s asking for the email address. I have one. The password LastPass again is remembering it for me; I’ll go ahead and have a keep me signed in. And now it’s asking me for the code. I will say go ahead, don’t ask me again on this device.
The code currently showing on my device is, is 59 – 594434. And we’re logged in successfully using two-factor authentication. That was a lot about two-factor authentication specifically for Microsoft. The important thing that I want to leave you with in talking about two-factor authentication is, it is by far the single most important way to secure your account. Even if your password is ever disclosed accidentally or through a breach, the person that has your password cannot log in to your account unless they have your second factor. They won’t. Your second factor will be on your mobile phone.
It’ll be the key in your pocket. It’ll be the alternate email address that you have access to. Set those up. Make sure that they’re set up, make sure especially in the case of alternate email addresses and phone numbers, make sure that they are set up and that they are kept current. One of the very common ways I hear about people losing access to their account is that they set them up years ago with an alternate email address that they no longer have access to. They lose access to their account, they forget their password.
There’s nothing we can do. So make sure you avail yourself of all of the options available in whatever service you have. Primary, alternate email addresses, SMS, alternate phone numbers, two-factor authentication, multiple types of two-factor authentication, multiple devices if that’s what you want to secure yourself with, a recovery code, make sure you’ve got a recovery code set up, saved, and squirreled away somewhere safe. And that way, especially for those all important accounts, you may get your password hacked; it could happen. You won’t care because nobody will be able to get into your account without your second factor.
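The transcript notes that authenticator-app codes need no connectivity, only a clock that is close to correct. The sketch below is an added example, not part of the talk and not Microsoft's implementation: it computes RFC 6238 time-based codes and verifies them the way a server can, tolerating a small clock drift. The secret is the RFC 6238 test value, the timestamp is constructed, and the one-step acceptance window is an assumption (each service picks its own).

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code, the RFC 6238 default used by authenticator apps
SECRET = b"12345678901234567890"  # RFC 6238 test secret, not a real account key


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """Code an offline device shows, derived only from its own clock reading."""
    return hotp(secret, unix_time // STEP)


def verify(secret: bytes, submitted: str, server_time: int, window: int = 1) -> bool:
    """Accept codes from the current step and `window` steps either side.

    The window size is an assumption; a wider window forgives more clock
    drift but keeps each code usable for longer.
    """
    current = server_time // STEP
    ok = False
    for drift in range(-window, window + 1):
        # compare_digest avoids leaking how many digits matched
        ok |= hmac.compare_digest(hotp(secret, current + drift), submitted)
    return ok


if __name__ == "__main__":
    server_now = 1111111109  # constructed timestamp (an RFC 6238 test time)
    for lag in (0, 40, 300):  # seconds the phone's clock runs behind the server
        code = totp(SECRET, server_now - lag)
        print(f"phone {lag:>3}s behind -> {code} accepted={verify(SECRET, code, server_now)}")
```

A phone 40 seconds behind still falls inside the window and is accepted, while one five minutes behind is rejected, which is why a badly wrong device clock is a common cause of "invalid code" errors.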
Full Ask Leo! Live Event
Download: (640×360 resolution): Setting Up Two-Factor Authentication — Ask Leo! Live (333MB)
All patrons: download or watch in HD
Footnotes & References
1: The normal HD recording — 1920×1080 aka 1080p — didn’t happen because I neglected to push a button. “HD” downloads for this video are at 1280×720, aka 720p.
I live in Germany. When I travel to the US or any other country, I can still receive SMS text messages on my phone. It’s even free. I can receive texts in Germany on my US T-Mobile phone. I guess that’s because it’s a German company. I find it strange that other US carriers don’t have a roaming feature which allows this. You can get around this by using a Magic Jack number as a recovery number for traveling.
It would be inconvenient to have to plug in a Magic Jack away from home but I don’t use my physical Magic Jack. I installed the Magic App on my cell phone and use that. I can call, text, and receive calls and texts from the US from wherever I am in the world as long as I have Internet access. Google Voice, which Leo mentions in this video, would be a good alternative to that.
I’ve also downloaded an outlook.com recovery code to recover my account if all else fails.
Today I set up my Outlook account for two-factor authorization using Google Authenticator. The result was only mildly annoying, until I tried to log into Thunderbird on my desktop: Nada, no way could I log in, and I haven’t been able to find a work-around. I have since disabled 2FA in Outlook, at least until I can find a way to resolve this issue, . . . Any suggestions?
You need to create what’s called an “app password”. More here: https://askleo.com/enabled-two-factor-authentication-now-email-program-cant-log/
Thanks for that! I eventually managed to get things properly set up, but much head-scratching preceded that, until realizing I had to reinstate 2FA before I could actually SEE the option to create an app password 🙁 My bad! . . . We now return you to your regularly scheduled programming ; )
Cheers!
Multifactor authentication is a great tool against ransomware and other malware
These ransomware hackers gave up when they hit multi-factor authentication — ZDNet