How StandardNotes Solves 2FA
November 12, 2019
Two-factor authentication has been around for quite a while now and I guess almost everybody who spends some time on the internet has already encountered it in one form or another.
The basic idea of 2FA is to increase the security of your account by forcing you to authenticate yourself using a second factor. This is normally done by requiring you to enter a code that you received via a different channel. So far I've encountered three different ways to retrieve said codes:
- Using an application that generates one-time passwords (OTP)
- Sending you the code via text message
- Sending you the code via e-mail
Arguably the best option is to use the OTP protocol, as it is more secure than either of the other two and cheaper than sending a text message. In fact, the cost of text messages is probably the reason why I've only seen this option on really popular sites (e.g. Facebook), although most of those additionally offer authentication via OTP. Interestingly, retrieving the code via e-mail is the only 2FA option on GOG; I'm still not sure why they did it that way.
All of the smaller websites implementing 2FA rely solely on the OTP protocol. As it is an open standard, there is a vast array of different OTP applications, the most popular one probably being Google Authenticator, but there are also open-source solutions like FreeOTP, which is developed by Red Hat.
Once you've set up the OTP app, it will continuously generate new codes for you, so the next time you want to sign in you will have to look up the currently valid code and enter it in order to complete the login.
The problem
Now to the tricky part: as your codes are generated solely by the OTP application on that one device, once you break the device or simply uninstall the app, your 2FA is gone for good. You then have to use one of the backup codes the site gave you when you enabled 2FA in order to sign in again and reconfigure your app.
That's exactly the reason why I haven't been using 2FA to its full extent. Since I work as an Android developer and try out different custom ROMs from time to time, I regularly reset or break my phone. I don't really mind, that's just the way it is, but setting up 2FA again was actually one of the worst parts. That's why I even changed my 2FA method to text messages on Facebook, as I just didn't want to set it up each and every time.
StandardNotes' solution
StandardNotes, an awesome encrypted note service, recently added a new extension called TokenVault, which solves exactly this problem. It basically adds an OTP client on top of their end-to-end encrypted service, which shows you the one-time passwords you need. Synchronisation across devices is handled automatically by their service, so you can use it on your PC as well as on your mobile phone, safe in the knowledge that only you can access those codes (their code is completely open source).
To me this is likely the ideal solution, as it allows me to keep breaking my devices without losing access to my online accounts. In fact, I can still access my web accounts without having access to my phone at all, as access to StandardNotes' web client is sufficient.
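As an added example (my own code, not StandardNotes' or TokenVault's), here is the TOTP algorithm (RFC 6238) that these authenticator apps implement, exercised with the RFC's published test secret. It makes the point of both sections above concrete: a code is a pure function of the shared secret and the current time, so whoever holds a copy of the secret, whether a phone or an encrypted synced vault, can regenerate the same codes, and losing the only copy means losing the second factor.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test secret (ASCII "12345678901234567890") in the base32 form
# that a site's QR code or "manual entry" key would show.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second time step.

    Nothing here depends on the device; the secret is the only state needed."""
    raw = secret_b32.strip().replace(" ", "").upper()
    raw += "=" * (-len(raw) % 8)  # restore base32 padding that apps usually omit
    return hotp(base64.b32decode(raw, casefold=True), unix_time // step, digits)


def verify(secret_b32: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current step and `window` steps either side
    to tolerate clock drift, comparing in constant time."""
    for skew in range(-window, window + 1):
        candidate = totp(secret_b32, unix_time + skew * 30)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    # Two "devices" holding the same secret always agree on the current code.
    now = int(time.time())
    print("code:", totp(RFC_TEST_SECRET_B32, now), "valid:", verify(RFC_TEST_SECRET_B32, totp(RFC_TEST_SECRET_B32, now), now))
```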
Now I'm only waiting for somebody to implement a bookmark manager on top of StandardNotes...