Enabling 2 Factor Authentication (2FA)

Submitted by Peter on Fri, 24/02/2017 - 00:00

As you are potentially going to be making skills that may store information about customers, it is a wise idea to protect your accounts as much as possible. A username and password are not always enough; sometimes we should add extra protection.

So how do we add extra protection? Firstly, it is beneficial to use a strong password, but as Yahoo users have discovered recently, this is not always enough: if the attacker finds other ways into the service, the strength of your password is not always going to protect you. Something that will afford greater protection is 2 Factor Authentication (2FA).

What Is 2 Factor Authentication?

Traditional login methods rely solely on a username and password. This is what is known as 1 factor authentication. So what is a factor? In this context a factor is the category of source that the information used by the login service comes from. There are three categories:

  • Something you know (such as your username and password)
  • Something you have (such as your mobile)
  • Something you are (such as your fingerprint)

Now you may think that a login using a username and password is 2 factor as it is 2 pieces of information. In this case you would be wrong: as both come from the category something you know, this is in fact 1 factor.

To have true 2 factor authentication you must have details from 2 different categories. Amazon does this by relying on either SMS or an authenticator app. This satisfies another category which is something you have (your mobile), so coupled with your username and password we have now satisfied 2 factor authentication.

How Do I Enable 2 Factor Authentication?

Amazon do not make an option available within the developer platform to enable 2 factor authentication, but luckily if you enable 2 factor authentication on the Amazon account itself it will also protect the developer account.

To do this we must first log in as normal to Amazon. Once logged in, hover over ‘Account and Lists’. You should now see a series of sections. Scroll down until you locate the ‘Settings’ box and click on ‘Login & Security Settings’. It is likely at this point that you will be asked to log in again. After you have re-entered your login details you will be presented with a summary page with a series of edit buttons. The bottom option is for ‘Advanced Security Settings:’; click on the edit button that corresponds to this.

We have finally made it to the 2 factor authentication page. Now let’s get started enabling it. Click on the Get Started button.

On this new page you are presented with 2 possibilities. You can use SMS, however SMS is now highly frowned upon as in reality it is not secure. What we will use instead is Authenticator App, so click on the radio button for Authenticator App. You will now be presented with a curious bar code looking box. This is what is known as a QR code and will save us manually typing details into our chosen app. The page does give some suggestions on the apps that you can use. Personally I like the Authenticator app from LastPass. This is available on Android, iOS and Windows. Download the app using the links on the official page. Once downloaded you will be presented with a screen similar to that on the right (except I already have sites set up). You will notice the + symbol on the bottom right hand side. Click on this and 2 options will appear; select ‘Scan Barcode’. You will likely be asked for permission to access the device’s camera; you should allow this.

Once you have scanned the QR code you will notice that you have a new item in the list, which will be for Amazon. It has your email address below it, which is handy to identify which account it is for if you have more than 1 account. You will also notice that there is a 6 digit number, as well as a timer in the form of a circle (when this fills, a new number is generated). This is the number we are required to enter into the box under the QR code on Amazon.

Now that we have the code, enter this into Amazon and click ‘Verify Code and Continue’. Provided you entered the correct code you will then be prompted to enter mobile details or a landline number. As mentioned, SMS is insecure, but to be honest so is calling a landline, therefore this option is entirely a matter of preference that you would decide upon. This would, however, only be used IF you are unable to use the authenticator app for whatever reason. Whichever option you decide upon you will receive a code; enter this and click the button.

Lastly you will be presented with some information regarding logging in with applications that cannot display a page to capture the code; read this and make sure you understand it. You also have the option to disable 2FA on your personal devices. I would highly recommend leaving this unchecked. Once you have read and understood the page simply click on ‘Got it, Turn on 2 factor authentication’.

Now whenever you log onto Amazon you will see a further step asking for the 2 factor code; simply go into the authenticator app and enter the code that displays. Your account is now much more secure: even if someone manages to obtain your username and password they would still not be able to get into your account unless they can also access your phone.

What Are The Potential Pitfalls Of 2 Factor Authentication?

There are a couple of pitfalls of 2 factor authentication. The first of those is the inconvenience. Instead of relying on the username and password alone, you also have to have your mobile to hand to log into the service. If you do not have your phone available you cannot log in, essentially locking you out of your account until you can retrieve your mobile.

The 2nd and more troubling pitfall is the event that you no longer have access to your phone (if it is stolen or lost, for example). If you chose to use an authenticator application as suggested, you will no longer be able to generate the one time password. This will lock you out of the account. This is overcome, however, as they can send a backup code to you via SMS or a voice message (whichever you selected as the backup).