Recently I got a couple of alerts in an email account. Someone was trying to get into my BestBuy account. If I ever purchased anything from BestBuy and used that email it was prior to 2007. Even so, I did the password recovery for it, and then I protected the account using a two factor authentication tool called Authy.
You can never really be safe online, but you can be more trouble than you are worth. Let’s get you there.
Attention Conservation Notice: If you’re already protected, good. If this post is just barely English you have a choice – read and heed now, or pay a terrible price at some point in the future.
Factors:
Passwords are single factor authentication. They can be guessed. Some service you signed up for and promptly forgot can get hacked and then your email and associated password are on the loose. If you reused a password, look out.
A password is something you KNOW, an Authy install is something you HAVE, and the next level is biometrics – something you ARE. Some phones support fingerprint readers. I don’t do this because there’s no 4th Amendment protection there – you can be made to fingerprint a device.
I haven’t used three factor since I worked in a datacenter that had handprint scanners on the doors. I think some of the phones I have now support fingerprint reading, but I’ve literally never even tried; it’s a hazard based on my threat model.
Authy Specifically:
Two Factor Authentication (2FA) for the masses started with SMS based passcodes. This is deprecated now – too many cryptocurrency holders who let the world know their actual carrier number, instead of a Google Voice number, have lost their fortunes to SIM swap attacks. I think it’s still safe if your SMS number is a 2FA protected Google Voice, but that’s esoteric and situational. If you can’t explain precisely why you are doing it, then don’t.
Authy is a form of Two Factor Authentication. There are stronger forms that involve the use of FIDO2 physical keys, but that has a cost, a learning curve, and it’s complex when phones are involved. Given that Authy works on Android, iOS, Linux, macOS, Windows, and it’s free, there’s no reason for the majority of us to go any further than Authy.
Authy is a One Time Password (OTP) generator. You set your online accounts up to use it, you scan a QR code they offer using the Authy app, and then it will produce a six-digit, time-dependent code that changes every thirty seconds.
Once you have Authy on your phone, there are desktop clients for every operating system. If you have an old phone or you decide to buy a burner, you can configure that for the same Authy account, and if your laptop and phone are both lost or stolen you won’t be locked out. Fair warning here – Authy does get fussy about stale devices, so you should use your backup device every couple of weeks to ensure it’s still trusted.
Authy will want you to set a passphrase to protect your accounts. This will let a stale device be reverified. I have only encountered this situation once, when I fumbled a compartment by recycling the phone with Authy on it for another job. I got it back, but it was a tense half hour in which I used a lot of driving words.
Driving words … a phrase you will hear from me periodically. My ex-wife had a terrible potty mouth that peaked when she was behind the wheel. When our kids were little they learned there were certain words that were only to be used by the person driving the car.
Persona Time:
Anyway, that’s that. Here is a useful way for you to get into Authy without locking yourself out of your existing digital shadow.
Get a minimal burner, Tracfone Samsung Galaxy A03s are $50 on Amazon.
Get a one year 1200 minutes/1200 texts plan for $60.
Create a new Gmail with the device.
Get a Google Voice number to go with the burner number.
Use the Google Voice number to sign up for Authy on the phone.
Install the Authy desktop client.
Protect the Gmail with Authy.
Get ProtonMail and protect with Authy.
Get Dropbox and protect with Authy.
And get whatever other accounts you might use.
And that is the basics of what you need for creeping around online without getting your life shredded, getting dragged into a frivolous lawsuit, or otherwise gaining direct personal experience with the legions of internet ankle biters that are out there.
What I just described is a civil process and troll resistant setup. There’s a whole additional level of butt covering you have to do if there’s a chance you’ll face criminal investigation or foreign intel attention. Hazards at that level require protecting your origin IP at all times and not getting the persona entangled with your real life. We will get deeper into that in the future, but this is scout camp, and that is boot camp.
Authy Compartments:
How many Authy accounts do you need?
The bulk of my stuff is on one account. I have a variety of Gmail accounts for various reasons, a similar number of ProtonMail, and I’ve protected every single thing that supports 2FA. Basically everything goes in here, except …
The other Authy accounts have been what I’d call role accounts. This is not all packet and dagger stuff, if I agree to help a group get their operation secure I am liable to include a burner in the cost. The whole thing gets set up using the phone and a virtual machine. If they get stood up to the point where they’re going to go off on their own, I export the VM to a microSD card, stick the card in the phone, then box and ship it.
Conclusion:
So there you have it – two problems solved for one small expense. You get familiar with employing Authy without risking getting locked out of your long term accounts, and at the end you have the confidence to protect your real stuff AND a hardened persona you can use for poking around online.
As a fallback, just install Authy on your existing phone and work with some accounts for a persona, as above. Install Authy on your desktop and get comfortable with using it in a non-threatening environment. Then in a month or two, when you’re using it without having to stop and read, you can start moving your real stuff to it.