The Practical Guide To Mac Security: Part 4, Two-Factor Authentication

Check out the rest of the videos in this special course: The Practical Guide To Mac Security.


Use two-factor authentication to make your iCloud account and most other online accounts much more secure than using just a password.

Video Transcript

Hi, this is Gary with MacMost.com. This is Part 4 of my course The Practical Guide to Mac Security. This course is brought to you thanks to my Patreon supporters. To find out more about the Patreon Campaign go to MacMost.com/Patreon. There you can join us, get course discounts, and exclusive content.
So while having strong passwords is a great way to secure any account, it's not the ultimate way. A much better way is using two-factor authentication. So what is two-factor authentication? Well, normally to get into an account you've got your User ID and your Password. Your User ID is usually an email address. Now a User ID is pretty much public information. Other people know your email address. It's not a secret. So matching up an account with an email address is no problem for somebody trying to get into an account. However, the Password represents the barrier. It's hard to get your Password. But it is possible. There are ways to get your password. For instance, you could be logging into your account on a public computer on a public network and the password could be intercepted. Social engineering could be used to con you out of your password. Of course, you could have a weak password, or maybe a weaker password than you thought it was, and it could be guessed and then there's access to your account. So instead of just having that one factor of the password, the idea is to have a second factor which is usually a one-time code.
What happens here is you go to log into an account with your ID and password and then you're asked for a one-time code. You have to enter that code in. That code is sent to you sometimes on your mobile phone, sometimes in an app, or in the case of the Apple ecosystem it's actually sent to you by your other Apple devices. For instance, maybe you get it on your iPhone when you're trying to log in on your Mac. So in this case your email address is public, your password is hard to get but possible, and this one-time code is also very hard to get even though it is technically possible, especially using social engineering to try to get that from you. But combined, the password and the one-time code are almost impossible to get. It creates quite a barrier between somebody trying to get into your account and them actually getting in.
So what is the Second Factor? This would be a code sent to your phone, for instance. That's the classic example, although it is used less and less now. So you get a text message with that code. You try to log in, your phone buzzes, you look down and it says here's your code, and you enter that into the app or computer screen, or wherever you're at that's asking for the code. Sometimes this is sent by email rather than by a text message. Other times it is obtained by an app. Like, for instance, if you're going to use Google Authenticator to log into a Google account, like Gmail or YouTube or something, then instead of actually having the code pushed to you, you would use the Google Authenticator app or another app that works in that same system and you would go and get that code yourself. So you go into the app and it shows that account and here's the current code. These codes are always changing so you can't just go one time to it and know the code and memorize it. It's going to be different thirty seconds or one minute later.
Also, it's important to note that there is usually a backup second factor. For instance, a backup code. If you create an account you can create these backup codes and they are usually very long codes that you wouldn't want to normally type in. Maybe you would print them out on a piece of paper and store them in a safe place. So if for some reason you lose access to your second factor, like your second factor is a one-time code sent to your phone, and you change phones. Like you lose your phone and get a new one and it has a new phone number and now you no longer have access to your second factor, you can use the backup codes one time to get into an account. So you can reestablish things with that second factor for a new phone number, for instance.
So what do I mean by a one-time code? Well, a one-time code could be sent by either SMS text message or email, or you obtain it in an app. It's only valid for a short period of time. So there's no point memorizing it. You're going to use it this one time to log in. The next time you go to log in it's going to be a different code. Even if you don't use it right there it's going to expire maybe as soon as thirty seconds from that point. Maybe it changes every minute so it could expire seconds after you see it if you're at the end of a minute. This is important because somebody can't steal your one-time code. If they steal your one-time code and then try to log in, even a couple of minutes later, it won't work. It requires device access so, for instance, if it's an SMS code that means that somebody needs to not only have physical access to your phone but be able to log into your phone, if you have a passcode set on your phone. The same thing if it's sent by email. They need to log into your email account. So, even though it's kind of sent to you and it looks like you get it without any trouble, somebody else trying to get it would need access to whatever you assume you have access to, like your phone or your email account.
Sometimes it can be a link, especially if it's sent in an email. Sometimes you get an email as your second factor and it says click this link, and basically all that's doing is entering the code for you. So you really are getting a second code there but you click it and it's automatically confirming that you had access to that second code because you clicked that link in the email. You know, sometimes today, especially for lots of online accounts, the password is actually not even used. So just the second factor. So you go to log into an account and then it says look for an email or look for a text message and click the link there. It's basically not using a password at all. Only using the second factor. So it's relying on the security of your email account or the security of your phone for security to this account and not throwing in a password as that first factor. So it's really one-factor, but the one factor is the code rather than a password, which is actually the more secure of the two since it changes all the time.
So if you don't already have two-factor authentication set up for your iCloud Account you can do that on your Mac by going into System Preferences and then go to your Apple ID. Then right here in Overview, if you're not using two-factor authentication you're going to get an alert right here and the ability to turn it on right here. But you could also do it in Password & Security and then under Two-Factor Authentication you could see you could turn it on. So let's go to turn it on. The first thing you're going to be asked for is a phone number. It should be a trusted phone number. Your cell phone's phone number. Your home phone number. Something you think is going to be somewhat permanent, and this will kind of be the backup because when you use Two-Factor Authentication, if for some reason you don't have access to a second device, like for instance you're trying to access your account on your iPhone while you're out. All you have with you is your iPhone and you don't have another Apple device with you to get the second factor on, then one of the things you can do is say, Okay, you're going to need to send me this using the text message service of my mobile phone provider. So you can provide a phone number here and you could say I want a text message, if it's a regular mobile phone. Or if for some reason your trusted phone number is an old landline phone you'd rather get a phone call, an automated message that would read you with a computer voice the actual number to enter in. So this is your backup. So I'm going to enter in a phone number, then Continue, and I'll get the verification code sent to that number. This is to confirm I entered the phone number correctly. This is a one-time code. So for instance you can see this code. It doesn't matter. After I use it here it's not going to be something that can be used again. So now it's confirmed that, okay, there's a valid backup way to receive codes.
So then you continue through the prompts here to finish setting up Two-Factor Authentication. So you can see your trusted phone number is 1. I can Edit and I can change that phone number. Remove it. Add a second trusted phone number as well. So I could definitely update this. It's not permanent. If I do get a new cell phone number I can then update this. 
So as an example of using this let's say you're at another person's Mac or maybe a public computer and you want to sign on to your iCloud Account. So in this case I'm not going to use the Apple ID that is set up right here. I'm just going to say a different ID so it's like I'm at somebody else's computer. So I'm going to go and try to log in and then it's going to ask me for the first factor. The password. But now that's not enough. It needs two-factor. So what's going to happen now is I will get a code, either appearing automatically on my iPhone, so if I have an iPhone registered to that Apple ID automatically I would get a notification on that phone and it would say, Do you want to allow access to that computer, trying to get into that account at this location. I would say Yes and it would give me a code. Then I would just type the code here. This is a one-time code so if you were to try to use this code to get into that same account it wouldn't work because it only works right now at about 10:46 a.m. on this particular day. I can say Trust or Don't Trust this router if I'm on a public computer. I'll say Don't Trust. So I will now be logged in but when I log out there will be nothing left over for somebody else to try to get in. So now I can access this account and, you know, work with it here. The same thing would happen in various other cases where you try to get into your Apple ID or iCloud account. It could even appear on other devices like an Apple TV if you're trying to use that iCloud Account to access content, and on other types of devices as well. Anything you're logging into your Apple ID with, you will have to enter in that second factor. But once you do then you should be logged in, depending upon whether you say Trust This Computer or not. You should be logged in and not have to enter it again for some period of time. So it's not something where you constantly have to enter it in. It should be just about as often as you have to enter in your Password.
So using Two-Factor Authentication to get into your Apple ID and iCloud Account makes sense for all Mac users, but you also want to use it on all third-party services. So let me show you some examples of how to use it on third-party services. Every one is going to be a little bit different, but let's look at doing it with a Google Account and also doing it with an Amazon account.
First let's start by setting up a Gmail account. Now a Gmail account is really just a Google Account. So I'm going to sign in here to my Google Account using the ID and Password that I already have set up. Next I'm going to click on my User icon here at the top right and then go to Manage My Account and go to the Security settings. If I look down the list I'll find Two-Factor Authentication, although they call it Two-Step Verification right here. So I'll go and set this up and it's going to ask me to sign in again to make sure it really is me. I'm going to start here by adding my mobile phone number. So this is one way I can get that second factor, as a text message sent to me. Note that I can also select a phone call, which means that I'll get an automated phone call and the number would be read out to me by a computer-generated voice. So use this if you have a landline and no mobile phone. Now to verify I entered my number correctly it's going to immediately send me a text message with a number. Now at this point what is going to happen is a handy feature on macOS will kick in to make things a lot easier for me. The message will come into my phone and since I get my messages on my phone and also on my Mac, that text message is going to be recognized by the system as one of these Two-Factor codes. Then instead of having to go to the Messages App, look at that number, return to this webpage and type it in, it automatically allows me to fill it in here. So you see this little prompt and it saves me the time of having to look at that number, memorize it for just a few seconds, so I can type it in again. Now I can turn on two-step verification and I've got that set up.
But there's a lot more that I can do. So if I scroll down I can see that one of the things I can get is backup codes. So what happens if I lose access to my mobile phone number? Maybe I change it because of a problem and forget that I need it to be able to get these codes. Well, you can go and print out backup codes. These are just ten codes that you can use one time each. You can print them out or write them down and put them somewhere safe. In case of an emergency they can be used instead of your two-factor code. So make sure you always do this when a site offers it so that you have that backup in case you lose access to whatever device is giving you your two-factor codes.
Another thing you can do is set up your phone to have an app on it to get these codes without using text messaging at all. So in the case of Google you can get an app called Google Authenticator. So you can go through the steps here and it gives you this QR code. Then you want to go on your iPhone to the App Store, look for Google Authenticator, and get that app. Use the Plus button there and then you can point your camera at that QR code on your Mac screen and it automatically adds this to a list there. Anytime you want you can now go to this App and get the current code. It will change every thirty seconds or a minute depending upon the service, and it's more secure because you're not using a third party like a mobile phone company to get your codes. You're just getting it directly in this app and, of course, only you would have access to this app because it's on your phone which is locked with your passcode.
Here's another example of setting up Two-Factor on an account. In this case it's an Amazon account. So I'm already logged into an Amazon account here. I go to Manage My Account and I look for Security. Under that I'll find Two-Step Verification and it's actually going to perform a type of two-factor authentication right here by sending an email to the email account associated with this Amazon account. Then I have to click on a link in that email and it takes me to this page where I can approve the changes that are about to be made. So now to set up Two-Factor Authentication, just like with Google I'm going to provide my phone number here and it's going to be able to send me a text message. As soon as I do that it's going to send a test text message. A lot of these services, of course, want to send a test out to make sure you entered the number right before it locks the account down with two-factor, in case you used the wrong number. So I can see that I'm able to get the number from the Messages App. It doesn't appear right away, but as soon as I start typing you can see it picks it out and I don't have to type the remainder of the number there. So it makes it pretty easy to do. So here's what it looks like to sign in to Amazon now. Go to Sign-In. Select my ID, my password. Those are all saved to my Password Manager. Then I need the two-factor code which is sent to Messages. I can add that in there or manually type it if I want.
So you've seen some similarities and differences between how Google and Amazon do this. All other services are going to be kind of the same. There are going to be some things that look familiar and some things that are specific to that service. So what you generally want to do is look for your account settings, look for an area that's dealing with Security or your Password. Then look for something called Two-Factor Authentication, Two-Step Verification, or something similar to that. Then read carefully what's there. Some sites will let you use your mobile phone number to confirm with two-factor. Others may let you use an email address to do it and they'll send you an email message. Others will allow you to use apps like the Google Authenticator app we saw. As a matter of fact, many will allow you to use that very same Google Authenticator App to do it. Some services want you to use their own mobile app. For instance, you can use an app like the Facebook App to get codes for logging onto Facebook on your Mac. But you can also use other methods as well. Many have backup codes that you can get and save or print out as well. So make sure you look for that. After you do it a few times with a few different services you begin to understand what to look for and how to quickly enable Two-Factor Authentication so it's on all of your most important accounts.

Comments (11)

    Tom Lang
    4 years ago

    Love your podcasts and tutorials. I have been a fan ever since I found you in 2013 or so.

    I agree with your ideas on Passwords. I have been caught several times trying to login on somebody else's computer and had to try to enter a strong password manually. After 20 or so tries I gave up. I was reading from my password manager and there was no way to copy and paste. This problem also pops up when logging into streaming services on TV. This is getting better though.
    Thanks in Advance
    Tom

    Russell Tolman
    4 years ago

    Love this series on Mac security.

    My only question is which macOS are you using for the demonstration?

    Thanks.

    4 years ago

    Russell: I always use the current macOS for my tutorials. In some cases I am showing macOS Monterey, but I always mention that.

    Kathy
    4 years ago

    Hi Gary. Excellent videos and tips as always. Thank you. Two questions please: #1 - With an authenticator app like Authy, once it's set up and being used, are the codes generated by the actual app, or are they sent to your app by the service you are signing into like Amazon? #2 - Is it possible to save (in Mac keychain) passwords for apps like Authy that don't have a user name or website to access them from? Thanks in advance. Kathy

    4 years ago

    Kathy: They generate the codes. The idea is there is nothing for an attacker to "intercept" at any point. You can use the Keychain Access app to save miscellaneous things like passwords or even notes. But if you want more features, look to a third-party app like 1Password, which will also generate codes like Authy does.

    Kathy
    4 years ago

    Hi Gary, just to clarify, when you said 'they' do you mean Authy generates the codes? Is it done directly from the app? Re keychain and saving app passwords, would that be through the secure notes feature accessible on macOS? Thanks for your time and for answering my questions. K

    4 years ago

    Kathy: The app generates the codes directly in the app on your device. You can use Keychain Access to create password records in Keychain or secure notes, either one.

    Jacques Maurissen
    4 years ago

    How do I figure out which 2SA app works with which password manager, home security app or any other app, for that matter, that uses 2SA? Then you have to remember which 2SA app works with which one.

    4 years ago

    Jacques: It would tell you that when you set up your account, usually with any links needed. Then it would remind you when it asks for the second factor. Often you have multiple choices, like I can use 1Password to get my codes for Google instead of the Google Authenticator app.

    John G
    3 years ago

    Is it true that SMS codes are the least secure and should be avoided if possible? In addition, how would you rate the 2FA (2-factor) of Apple in its implementation?

    3 years ago

    John: SMS is less secure just because there are ways to intercept SMS messages. But it is still far, far better than no 2FA at all. Apple's 2FA system (I assume you mean for iCloud login) is excellent. But that doesn't matter since it isn't like there is another 2FA system you can use to log into iCloud.
