1password 2fa Authenticator



I use Microsoft Authenticator, which can receive push notifications from personal and business accounts on Microsoft’s platforms, as well as 1Password, which has 2FA support built in. The Microsoft Authenticator app is available on both the Apple App Store and the Google Play Store and uses the same standard as Google Authenticator. Authy, the third most popular 2FA app, is also available for both iOS and Android smartphones. In the 1Password password manager, 2FA support is built into the app on all platforms. Two-factor authentication provides an extra layer of protection for your 1Password account. If you have a U2F-compatible security key, you can use it as a se.

PayPal has now added 2FA, so this info is no longer needed. Kept for posterity.

Two-factor authentication today is a must to keep your online accounts safe, and you certainly want to keep your PayPal account safe. Using SMS as the extra authentication factor is a hassle and could cost you money as well. PayPal, in their infinite stupidity, has chosen not to use the regular 2FA scheme used by most online sites. Instead, they went with Symantec/VeriSign’s design, where you need a proprietary iOS or Android app, or a dedicated hardware key. This makes it very hard to get it to work with the world’s best password manager, 1Password. However, with some elbow grease, there is a way to get it to work. Here’s how.

Software Installation

First, we need to install some software. I’m using a Macintosh, and these instructions should work under Linux.

To begin, install the Xcode command line tools. Open the Terminal application, which you can find in the /Applications/Utilities folder, and enter:

This command installs the necessary tools for the rest of the installation.

Now, let’s install the actual tool that creates the key.

Enter the following into the terminal application:

I had to replace pip3 with pip on my installation, but I have many changes in my Python setup, so that may be the reason why pip3 didn’t work on my Mac.

You also need to install the Homebrew package manager.
Enter the following in the Terminal window and press return:

Now we can use Brew to install the rest of the software needed.
Just type the following into Terminal and press enter:

That’s all the software you need. Now let’s continue.

Creating Two-Factor Authentication Key

Let’s continue in the Terminal application. We first need to create a key. This key will be used to generate all the six-digit codes later.

Enter this into Terminal and press return:

This will create a unique key and store it in a hidden folder in your home directory.

The output from the command should look something like this:

Generating request…
Fetching provisioning response…
Getting token from response…
Decrypting token…
Checking token…
Credential created successfully:
otpauth://totp/VIP%20Access:VSSTXXXXXXXX?digits=6&secret=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&period=30&algorithm=SHA1&issuer=Symantec
This credential expires on this date: 2022-02-12T02:26:33.767Z

You will need the ID to register this credential: VSSTXXXXXX

You can use oathtool to generate the same OTP codes as would be produced by the official VIP Access apps:

oathtool -d6 -b --totp XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX # 6-digit code
oathtool -d6 -b --totp -v XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX # … with extra information

Your information is going to look different. The runs of X’s in the output above stand in for my actual secret and credential ID, which I’ve obscured. You are going to need this information later to create the key required for PayPal, so it’s a good idea to save the output: copy the text from the Terminal application and paste it into the “Notes” field of your PayPal login inside 1Password.

PayPal Settings

Now it’s time to log in to PayPal and do some changes.

Log in to your PayPal account, go to your account settings, and click “My Settings”. Click “Update” under the section “Security key”.

Click on “Activate a new security key token.” See picture below.

In the field “Serial number”, enter the ID from the Terminal output on the line “You will need the ID to register this credential:”.

It starts with VSST and has six digits after it. Copy it complete with VSST and the six following digits, and paste it into PayPal’s “Serial number” field.

In step 2 of PayPal’s setup form, you need to input a 6-digit code, but you have to generate one first. Copy the command you got from the Terminal output when creating your key. It should look something like this:

oathtool -d6 -b --totp XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX # 6-digit code

Paste it into the Terminal application and press return.

This will display a six-digit code. Just copy the generated code from your Terminal window into the first 6-digit field.

Now go back to the Terminal application and repeat the command. The easiest way is to press the up-arrow on your keyboard, which fills in the command you just entered, then press return. If the six-digit code is the same as before, keep repeating the command until you get a new one. Copy that code and paste it into the field “Next 6-digit key” on the PayPal web page.

Now press Activate on the PayPal page. If everything worked, you should now have a security key set up in PayPal.

Let’s move on to 1Password and make it automatically generate the two-factor authentication for your PayPal password.

1Password Two-Factor Authentication For PayPal

Open the 1Password application. Search for your PayPal password in the search field. Select the PayPal password and press the “Edit” button in the lower right side of the 1Password window.

Now press the circle with three dots inside to add a new field. Select “One-time password” as the field type.

You now have a One-Time Password field, but you need to add the secret key to it. Copy the line that followed “Credential created successfully:” in the Terminal output when we created the key earlier. It should look something like this:

otpauth://totp/VIP%20Access:VSSTXXXXXXXX?digits=6&secret=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&period=30&algorithm=SHA1&issuer=Symantec

Now all you have to do is to paste the entire line into the “One-Time Password” field inside 1Password.

Press save in 1Password in the lower right side of the window.

Let’s try it out!

If you added the field as described above, you should now see a timer indicator and a six-digit generated code on one of the lines of the PayPal item in 1Password.

If you have done all of the above and everything worked, you are now ready to try it out. Log out of PayPal and log in again using 1Password. It should automatically fill in the password and then copy the generated six-digit code to the clipboard. Paste the six-digit code into the field when PayPal asks for it. You should now be logged in.

Conclusion

If you think that this was a lot of work just to get better security in PayPal, you’re absolutely right. Send an email to PayPal and vent your anger; if they just used standard 2FA, you wouldn’t need all this work. But if you managed to get through all of it, give yourself a pat on the back. You just made your PayPal account much safer and also gave yourself a more convenient way of logging in with two-factor authentication.

I’ve used Authy for several years to generate my time-based one-time passwords (TOTP) for two-factor authentication (2FA). For various reasons, I recently migrated to using Bitwarden instead.

Google Authenticator Issues

Many services recommend using Google Authenticator for 2FA. I originally used it before switching to Authy, but I switched for a reason that is still valid today: it doesn’t have any sort of backup or syncing functionality.

Check out the reviews to get a sense of how often people get burned by switching to a new phone for whatever reason and realizing they’ve lost all their codes or need to go through each service one by one and set up 2FA again.

Google Authenticator is also a neglected app. The Android app was last updated on September 27, 2017, and the iOS app was last updated on September 12, 2018. You could argue that these are relatively simple apps that don’t need frequent updates, but take a look at what other apps like andOTP and Aegis offer in terms of functionality that Google Authenticator doesn’t have, like being able to search for a service instead of having to scroll through the entire list to find it.

Authy Issues

While I have happily used Authy for several years, I also have some issues with it that caused me to look for a replacement.

No Browser Extension

Authy doesn’t have a browser extension for Firefox, my primary browser. This is a problem because an extension can offer some protection against phishing, one of the main security weaknesses of using TOTP for 2FA. If the extension fails to find an entry that matches the current domain, that can alert me to a possible phishing attempt.
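To make that domain check concrete, here is an added example (not from the post, and not Authy’s or Bitwarden’s extension code) of the matching an extension would apply before offering a stored code. The vault entries and hostnames are constructed for the example; matching is done on whole dot-separated labels so that a lookalike that merely starts with, or resembles, the saved hostname gets no match and therefore no autofill.

```python
from urllib.parse import urlparse

# Constructed vault entries for the example (not real accounts). Each login is
# tied to the site it was saved for, which is what makes the matching useful.
VAULT = [
    {"name": "Bank", "url": "https://bank.example", "totp_secret": "<base32 secret>"},
    {"name": "Mail", "url": "https://mail.example.org", "totp_secret": "<base32 secret>"},
]


def host_matches(saved_host, current_host):
    """True when current_host is saved_host itself or a subdomain of it.

    The comparison is on whole labels, so bank.example.attacker.test is
    rejected even though it starts with 'bank.example', and bank-example.test
    is rejected although it looks similar to a human.
    """
    saved = saved_host.lower().rstrip(".")
    current = current_host.lower().rstrip(".")
    return current == saved or current.endswith("." + saved)


def matching_entries(page_url, vault=VAULT):
    """Entries whose saved site matches the page the user is actually on."""
    page = urlparse(page_url)
    # Design choice for this example: only offer credentials to pages served
    # over HTTPS; a matching hostname reached over plain HTTP gets nothing.
    if page.scheme != "https" or not page.hostname:
        return []
    return [e for e in vault if host_matches(urlparse(e["url"]).hostname, page.hostname)]


def should_offer_code(page_url, vault=VAULT):
    """The signal the post describes: no matching entry means no autofill,
    which is the cue that the page may not be the site it claims to be."""
    return bool(matching_entries(page_url, vault))
```

The check is deliberately strict in one direction only: a subdomain of the saved site matches, but a parent domain or any host that merely contains the saved name does not, and a mismatch is surfaced as the absence of an offered code rather than as a blocking error.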

The Chrome extension also hasn’t been updated in two and a half years and will no longer be supported going forward.

No Web Client

Authy doesn’t have a web client. While this could be considered a security feature, I’d rather have the option to access my codes through any browser in an emergency. It’s a security vs. usability tradeoff that I’m willing to make.

No CLI Client

Authy doesn’t have a CLI client. I have some ideas for personal browser automation projects that could be easier to implement with programmatic access to my TOTP codes.

Mac CPU Usage

I use the Mac desktop program, but when it has a code open, the program uses significantly more CPU. Here’s the CPU usage when it’s just displaying the list of services.

And here’s the CPU usage when it’s showing the TOTP code.

Since I don’t want the program to unnecessarily drain my laptop battery, I try to remember to press the back button after copying the code. There’s no option to automatically go back on copy or to just copy the code from the list view without even seeing the code.

Authentication and Recovery

When you create an Authy account, you have to provide a phone number rather than an email address or username. I didn’t like this to begin with since I want as few things tied to my phone number as possible, given how often phone numbers get hijacked.

Authy then encourages you to add the app to your other devices and then disable the multi-device feature. This means that your codes will keep working on your existing devices, but to add Authy to a new device, you need access to one of your old ones to temporarily re-enable multi-device and to grant access to the new device. If you don’t have access to an old device, you have to go through a 24 hour account recovery process.

However, I want to be able to regain access to my 2FA codes, even if I’ve lost access to all my devices. For example, I could be in a foreign country without my laptop and then lose my phone. I want to have a good contingency plan for this kind of situation.

Note that Authy doesn’t support an account level password. It does support a password for your encrypted backups, but you don’t enter that until after you log in.

Authy also doesn’t support TOTP codes or U2F security keys for protecting itself. Its sole authentication mechanism (beyond account recovery processes) is access to an old device.

Yubico Authenticator

I considered using my YubiKeys to generate TOTP codes using Yubico Authenticator, but a YubiKey can only store 32 TOTP secrets, and I already have 49 of them since I enable TOTP-based 2FA whenever possible.

Bitwarden

I currently use LastPass to manage my passwords, but I am going to switch to 1Password soon. I decided to use Bitwarden as well but solely for TOTP codes. 1Password can also handle TOTP codes, but I am willing to deal with the hassle of having two password managers to avoid using the same service for both passwords and 2FA.

By using a password manager for TOTP, I get broad cross-platform support with a web client, browser extensions, desktop programs, mobile apps, and even a CLI client. I also get standard authentication mechanisms, including 2FA support.

This does mean that I am treating my TOTP codes more like secondary passwords (something I know) rather than as something I have. Authy’s requirement to have access to an old device better fits the latter principle. This is a deliberate choice on my part.

Note that Bitwarden requires a premium account that costs $10 a year in order to generate TOTP codes. A premium account also adds U2F support, which I wanted as well.

Authentication Strategy

U2F support is the last component of my authentication strategy. Going forward, it will be like this: I’ll store passwords in 1Password and TOTP secrets in Bitwarden. I’ll use separate, high entropy master passwords that will only exist in my head.

1Password requires a secret key in conjunction with the master password in order to log in on a new device. Since I can’t memorize it, I plan to store my secret key as a static password on my YubiKeys. This means that if I touch the metal contact for a few seconds, it will type out the secret key for me.

For both services, I’ll add all my YubiKeys for 2FA. This means that all I need is one of my YubiKeys (one of which is on my keychain) and the master passwords in my head to regain full access to all of my accounts.

However, I can’t guarantee that I’ll be able to use my YubiKey on every device. For example, Bitwarden doesn’t support U2F in its mobile apps. I would also be paranoid about feeling like I need two YubiKeys when I travel in case I lose one.

My plan to deal with these issues is to also set up TOTP-based 2FA for both 1Password and Bitwarden. I’ll print those TOTP secrets, along with the 1Password secret key, on a small card and laminate it. I can make multiple copies to put in my wallet and my bag. Sometimes being overly prepared is fun in itself, even though it might be overkill.

Migration

To migrate to Bitwarden, I went through my Authy list one by one. In theory, I’d be able to just copy the TOTP secret to Bitwarden, but Authy doesn’t expose the secret.

For each account, I logged in and reset 2FA to add the secret to Bitwarden. Then I deleted the account from Authy. Authy marks it for deletion and then waits 48 hours before actually deleting it in case you made a mistake.

I did have trouble with adding some services, such as Algolia and npm, that only show the QR code and don’t have an option to display the TOTP secret. The QR codes encode URIs that look like this, as documented in the Google Authenticator wiki:

I tried using my phone camera’s built-in QR scanner, but I couldn’t see the full URI and opening it would open Authy, with no other option. I used Google Lens instead to grab the secret. In retrospect, I was only having trouble because I was adding the services to Bitwarden through the browser extension. I should have installed the mobile app from the beginning and used that because it has an option to scan QR codes.

I also had trouble with adding Twitch, which has a specific integration with Authy instead of providing a generic QR code. To get around the issue, I followed this guide. You can use the deprecated Authy Chrome app to retrieve the TOTP secrets and configurations. This method entails using Chrome’s developer tools to execute custom code to print the information.

This revealed that Twitch uses 7-digit codes instead of the standard 6 and 10-second intervals instead of the standard 30.

At this point, I thought I hit a Bitwarden limitation because I mistakenly assumed that the extension would only take the TOTP secret in the authenticator key field.

However, I discovered that Bitwarden supports putting the full URI with configuration into that field. I tested it and was able to log in to Twitch using the code generated by Bitwarden.
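Two passages on this page come down to the same arithmetic: the oathtool command in the PayPal walkthrough earlier turns the Base32 secret into a six-digit code, and Bitwarden’s acceptance of a full otpauth URI is what lets it honour Twitch’s 7-digit, 10-second configuration. The following Python is an added example, not code from either post, from oathtool, or from Bitwarden: it parses an otpauth://totp URI with the defaults of the Google Authenticator wiki format (6 digits, 30 seconds, SHA1), computes the RFC 6238 code, and returns the current and next code, which is the pair PayPal’s registration form asks for. The sample URIs are constructed: the secret is the RFC 6238 test secret, and the labels and account names are placeholders.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Defaults of the otpauth URI format: 6 digits, 30-second period, HMAC-SHA1.
# Twitch's URI overrides digits and period; Symantec's spells out all three.
DEFAULTS = {"digits": 6, "period": 30, "algorithm": "SHA1"}

# Constructed sample URIs. The secret is the RFC 6238 test secret
# ("12345678901234567890" in Base32); the labels are placeholders.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
VIP_URI = ("otpauth://totp/VIP%20Access:VSSTPLACEHOLDER?digits=6&secret="
           + RFC_SECRET + "&period=30&algorithm=SHA1&issuer=Symantec")
TWITCH_URI = ("otpauth://totp/Twitch:someone?secret=" + RFC_SECRET
              + "&digits=7&period=10&issuer=Twitch")


def parse_otpauth(uri):
    """Split an otpauth://totp/... URI into its label and parameters,
    filling in the documented defaults for anything the URI omits."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc.lower() != "totp":
        raise ValueError("only otpauth://totp URIs are handled here")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI has no secret parameter")
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "secret": params["secret"],
        "digits": int(params.get("digits", DEFAULTS["digits"])),
        "period": int(params.get("period", DEFAULTS["period"])),
        "algorithm": params.get("algorithm", DEFAULTS["algorithm"]).upper(),
    }


def totp(secret_b32, at, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238: HMAC over the time-step counter, dynamic truncation,
    then reduce modulo 10^digits. secret_b32 is the Base32 secret that
    `oathtool -b` reads; `at` is a Unix timestamp."""
    # Secrets in URIs are usually unpadded; restore '=' padding before decoding.
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int(at) // period
    digestmod = getattr(hashlib, algorithm.lower())   # sha1, sha256 or sha512
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def codes_from_uri(uri, at):
    """Current code and the one for the following time step: the two codes
    PayPal's registration form asks for in a row."""
    cfg = parse_otpauth(uri)
    opts = dict(digits=cfg["digits"], period=cfg["period"], algorithm=cfg["algorithm"])
    return totp(cfg["secret"], at, **opts), totp(cfg["secret"], at + cfg["period"], **opts)


if __name__ == "__main__":
    now = time.time()
    for uri in (VIP_URI, TWITCH_URI):
        cfg = parse_otpauth(uri)
        current, following = codes_from_uri(uri, now)
        left = cfg["period"] - int(now) % cfg["period"]
        print(f"{cfg['label']}: {current} (next {following}, {left}s left, "
              f"{cfg['digits']} digits / {cfg['period']}s)")
```

Run as a script it prints the current and next code for both sample URIs together with the seconds left in the current step, which is the same information `oathtool -v` adds. With the RFC 6238 test secret the values are checkable against the RFC’s appendix, so the function can be verified before a real secret is ever pasted into it.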

Conclusion

Migrating to Bitwarden took me about a full day, but I’m happy with the result. I’ve been using the Bitwarden browser extension to log in to accounts for the past week, and it is much nicer than using the Authy desktop program. Next up is migrating from LastPass to 1Password.