In this day and age, multi-factor authentication has become a key tool in our toolbox to prevent unauthorized access into our accounts. Any service that offers the feature, even if it isn’t enforced, should have this feature enabled. Granted, it’s a pain to have to jump one more hoop in order to get into a site or service, whether it be your email or your Candy Crush account, but it’s important either way.
Regardless of how harmless you feel a website may be, if your account or the service itself is breached, your email address and at least a hash of your password is stolen, if not your payment information and any PII (personally identifiable information). Your email address is often half of the credentials needed, and if you reused your password elsewhere, your hacker is in luck.
Still, pulling out your phone to sign in is a pain…
I recently switched to Bitwarden from LastPass, as many others have been in droves, since LastPass had repeatedly received a black eye for poor security practices. One of my favorite features of BitWarden is the ability to get not just your username and password, but your OTP or one-time passcodes, as well. In fact, on the mobile device, once you use BitWarden to fill your password, it copies the OTP to your clipboard to save you from going back and forth. LastPass Enterprise offers OTP functionality, but it isn’t this convenient!
No more pulling out the phone to open Google Authenticator, Microsoft Authenticator, Battle.net, Authy, Okta Verify, LastPass Authenticator, etc, etc, etc. No more losing all my OTPs when I lose my phone in the lake. Thankfully, more recently, Google has begun syncing OTP data.
All my eggs in one basket?
Sure, all my secure data is in one place… but, it’s protected by a very secure pass phrase, multiple words strewn with symbols and numbers being the current best practice for passwords, as length is more detrimental to brute force attacks than complexity. Additionally, it’s got its own OTP and biometrics to protect it. You shall not pass – unless I give you the finger!
My favorite website only gives me a QR code to scan
So, how do we get the preshared key used to generate those seemingly random six-digit codes? Often times, a website gives you a button or link that states “I can’t scan the QR code”, and it in turn gives you the string of text to copy down into your OTP app. Sometimes they don’t.
In Chrome, we can ask Google to read the QR code for us, and spit out the text it sees.
That’s all there is to it!