People usually care about growing their funds and capital, but pay little attention to protecting them against loss. There are a few reasons for this:
- They are not aware of the risks of leaving their accounts unprotected.
- They lack the knowledge.
- They are simply lazy: they know the risks and how to mitigate them, but do nothing to secure their accounts.
What types of authenticators are there?
- SMS-based, email-based, voice-based and biometric authenticators
- Two-factor authenticator apps (2FA) that generate one-time codes
- FIDO U2F hardware authenticators
Which one is recommended and should be your first priority? 2FA authenticator apps. They are free and more secure. Consider a YubiKey if you want better protection for funds worth the extra cost.
Don't use SMS-based authentication if you can avoid it. Unfortunately you sometimes have no choice, because some service providers (banks, for example) offer only that type. That said, whenever you can avoid it, avoid it.
The first type is less secure and riskier: SMS and voice codes are exposed to SIM swapping attacks, and if you rely on email, your account is compromised as soon as an attacker gains access to your mailbox.
[BEWARE] SIM Port Attack and SIM swapping protection
With SMS-based authentication you can reduce the risk by setting a PIN code on your SIM card and disabling lock-screen notifications (so incoming codes cannot be read from a locked phone). More details in the guide from Kaspersky.
Biometric authentication is risky for a different reason: if you pass away, your family members cannot get access to your account.
The second type is more secure and is the one you should use. Most of these apps implement the OATH TOTP (Time-based One-Time Password) algorithm: the app and the service share a secret key set up at enrolment, and each code is derived from that key and the current time, so no code ever travels over the phone network.
Here are some apps you can use.
Google Authenticator: Android, iOS
Duo Mobile: Android, iOS
Microsoft Authenticator: Android, iOS
FreeOTP: Android, iOS
Authy: Android, iOS, Windows, macOS, Chrome
Yandex.key: Android, iOS
Aegis: Android
When using these apps, there are two mandatory steps: back up your 2FA secret key (so you can recover later if your phone or device is lost or broken beyond repair), and test that the backup is valid (make sure it is a good backup that can actually be used to recover).
Many people skip these two vital steps. They activate 2FA on their accounts and enter the secret key into the app, but never back the key up or test the backup. When their device is stolen or broken, they are locked out.
Some advice for 2FA
- Make a backup of the 2FA secret key before activating it.
- Activate it by manually entering the secret key rather than scanning the QR code. Typing the key from your backup also checks that the backup is correct: if the key in your backup is wrong, the codes will not match and the service will refuse to activate 2FA on your account.
- Re-test the backup on another device if possible.
- Don't take a photo of the secret key or store the backup on the same device. If the device is compromised, the photo or backup leaks with it.
- Install the 2FA app on a second device as well, and keep that device mostly offline. Don't put all your eggs in one basket.
Remember that there are two layers of backup: the backup (recovery) codes the service issues, and the 2FA secret key (or the QR code that encodes it). I advise backing up both; if you back up only one, make it the secret key rather than the QR code. With the text key you can still make out a character or digit that is slightly blurred, while a damaged QR image is almost impossible to recover by hand. Keeping the secret key backup as safe as possible is, of course, a must.
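The following Python script is an added example, not code from the original guide or from any of the apps listed above. It implements the OATH TOTP algorithm mentioned earlier (RFC 6238 on top of RFC 4226 HOTP) and uses it for the backup test the advice recommends: the secret key you wrote down at enrolment must reproduce the code your authenticator app is showing right now. It also shows that the QR code is just an otpauth:// URI carrying that same secret. The URI, the base32 key and the timestamps are constructed from the RFC 6238 test vectors and are not real account data; the function names are my own.

```python
"""TOTP (RFC 6238) from scratch, plus a check that a saved secret-key backup
really reproduces the codes the authenticator app shows.

Constructed example: the key and timestamps are the RFC 6238 test vectors,
not real account credentials.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse


def decode_base32_secret(secret: str) -> bytes:
    """Apps display the key as base32, often in lowercase groups with spaces
    and without '=' padding. Normalise before decoding."""
    cleaned = secret.replace(" ", "").replace("-", "").upper()
    padded = cleaned + "=" * (-len(cleaned) % 8)
    return base64.b32decode(padded, casefold=True)


def hotp(secret: str, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(decode_base32_secret(secret), msg, algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: str, at: Optional[int] = None, period: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time (30 s steps)."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // period, digits)


def secret_from_otpauth_uri(uri: str) -> str:
    """The QR code shown at enrolment encodes this URI; its 'secret'
    parameter is the same key the service asks you to write down."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    return parse_qs(parsed.query)["secret"][0]


def verify_backup(backup_secret: str, code_shown_by_app: str,
                  at: Optional[int] = None, period: int = 30, window: int = 1) -> bool:
    """Backup test: does the saved key generate the code the app displays?
    One time step on each side tolerates small clock drift between devices."""
    if at is None:
        at = int(time.time())
    counter = at // period
    for step in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(backup_secret, step), code_shown_by_app):
            return True
    return False


if __name__ == "__main__":
    # Constructed enrolment data using the RFC 6238 reference key (hypothetical account).
    uri = ("otpauth://totp/Example:alice@example.com"
           "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")
    key = secret_from_otpauth_uri(uri)
    print("secret key to back up:", key)
    print("code at T=59:", totp(key, at=59))   # RFC 6238 vector gives 287082
    print("backup valid:", verify_backup(key, "287082", at=59))
    print("code right now:", totp(key))
```

To test a real backup, paste the key from your written copy into `verify_backup` together with the six digits your app is currently showing; a wrong or mistyped key returns False, which is exactly the failure you want to discover before the phone breaks, not after.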
Store them offline.
(Illustrations: backup codes; 2FA secret keys)
FIDO U2F hardware authenticators: YubiKey and others