Npm two factor authentication

Not strictly a node-red issue, but I had an email today encouraging me to setup 2FA on my npm account. It seems this requires me to install an authentication app on my phone, such as Authy or Google Authenticator, neither of which I know much about. I would be grateful for any suggestions on this subject.

The one time pass codes are generated by a well known open algorithm so which app you install doesn't really matter. I use Google Authenticator.

Most password vault apps these days will also generate the codes for you, so if you already have 1Password or LastPass then they should be capable (if you don't have one of these types of app then I highly recommend them, as they will generate, store and enter random passwords for you, which are generally better than anything you can dream up yourself).

I would also recommend enabling 2FA everywhere you can, especially things like GitHub, Google Account and Social Media platforms just as a matter of course.


I do use 2FA on many accounts, this is the first time that I have had to install an app on the phone to do it.

I may be mistaken, but didn't @knolleary have problems with 2FA when he changed his phone...
(I also use 2FA on most of my accounts, but mostly using text alerts)

I think in most cases, you have to reconfigure (re-link the phone) if you change the device. Also, it's important to have other ways to reset your password (for example through email) in case you lose your phone/device. Else you're locked out and it might be difficult, sometimes impossible to get access again.

And to make it a topic which fits in this forum .. is there a way to activate 2FA in Node-RED? :nerd_face: Apparently, it is.

Yes, when you set up 2FA on npm you are invited to download & store a number of backup codes, just in case of future such problems.

All of my own doing. The Google Authenticator app has an option to migrate between devices with a minimum of fuss. I didn't know it had that option so went through a lot of unnecessary fuss.

This is why I have now moved to a paid version of BitWarden which includes authenticator TOTP codes and syncs across devices. It is wonderful to be able to auto-fill the id/password login and then just hit ctrl-v on the next input field that requests the code because BitWarden has already copied the code to the clipboard for you :slight_smile:

BW is also a LOT more stable than LastPass which I always used previously.

It is also nice to have the codes sync between multiple phones and to be able to share them with family members as needed. And to have them on the laptop for those days when you went to the office with your laptop but neither of your phones! (yes done that a few times and been unable to do some critical tasks).

Any TOTP based 2FA should also provide you with a set of emergency codes to use in case your phone is lost/stolen/broken.

I think I've used pretty much all of the Authenticator apps now and BW is by far the most useful. Though I do retain the Microsoft one as well since you only have to acknowledge the MFA request from a Microsoft or Office 365 account login which makes life much easier, especially given how many different tenancies I have to access, each with their own MFA requests.


I've been considering moving to the BW paid version @ $10 per year for a personal account.
I guess that if you lose/change your phone, it's simply a case of reinstalling the BW app on your new phone and logging in...

I paid for a family account and now all of us are using it. A family account lets you create groups of people and share things with them.

Yup! So simple, even my wife had no problems with it!


I can recommend KeePass. It's free and there is a plugin which supports TOTP. Edit: Not as fancy as BW though.

Still waiting for passwords to die. Maybe they can leave together with emails.

I should have said that I also use Keepass :grinning:

I use that for a number of things:

  • Secrets that I'm not prepared to share with a cloud service
  • Complex logins such as banking that may have several steps, n out of nn questions
  • Other local secure tasks such as mounting an encrypted virtual drive

But the convenience of BW can't be beat for day-to-day web logins.

Also, BW auto syncs whereas I have to handle that myself for a Keepass DB (or use a 3rd party sync).

And most, if not all, mobile app versions of Keepass don't have the mobile integrations of something like BW.

But I certainly use both.

I guess I'm swimming upstream, but I avoid using web logins for anything "important" whenever possible.

Holy ... This is the first time I heard about it. Tested it and it works. Coool ... Thanks @TotallyInformation


Well, it is a balance between convenience and security/privacy. I use both approaches so that I get maximum convenience (after all, most of my cloud logins are not really THAT important - it is the cloud anyway so I have to assume that in many cases the data could be grabbed from the back-end) - but keep really important things, like my finances, in offline Keepass for maximum security. :grinning:

...and speaking of the value of 2FA, I received this email tonight from Slack concerning my node-RED Slack account...


Hi there,

We recently became aware from data provided by our threat intelligence partner that the login credentials (email address and password) for your rossoreed account on node-red.slack.com were reused from another service in a previously published breach. While we have no indications your Slack account has been compromised, password reuse is one of the main contributors to future account breaches.

For security reasons, we have not stored any details about the credentials that were valid for your account, so we cannot share which breach your credentials were exposed in. However, you can enter your email address into https://haveibeenpwned.com/ to get an idea of any breaches your email address may have been involved with. Please note, this list is not exhaustive.

To help proactively protect the integrity and security of your profile, we have taken the precautionary step to reset the password on your account. Maintaining the security of your team and privacy of your communications is important to us. We apologize for the disruption.

What should I do?

We recommend using unique passwords for every service you use - this is vital to protecting the integrity of your accounts. We know that this means remembering a lot of passwords, so we encourage the use of a password manager. Additionally, we recommend enabling 2FA for all of your accounts. You can read more about setting up 2FA here: Set up two-factor authentication | Slack


:+1:

And back to BitWarden :grinning:

Fun fact, I recently had to reset a password and, just to see if it worked, I set the random password creator in BW to use 63 characters - which worked just fine - So I've left it that way :rofl:


The issue I have with using BW for this is you are effectively turning 2FA into 1FA, since if your BW vault is compromised, all your 2FA accounts are compromised.

The idea is to authenticate using "something you know" and "something you have".

I guess if you have 2FA for accessing BW then you are kind of OK, but it feels wrong to have both passwords and TOTP codes in the same place.

These authentication methods are too complicated for normal users and most of the time tedious to use. People will always find ways to make it "easier" and less safe.

I partly agree with you @rko. The more security one aims for the more complex it gets, at least to set it up.

However :smiley: ... I was able to convince my whole family and parents in law (>70) to use a password manager in order to create complex, long and unique passwords for whatever they want to register to. And they got quite easily used to it.

The next level of security I am testing just now is YubiKey. My hope: once set up, it'll be way easier to use 2FA for accounts that should be protected that way. And it all starts, of course, with the password manager itself.