If you’ve logged into the System for Award Management (SAM) at all in the past 14 months, you know that it’s a bit more challenging to log in than it used to be. This is for your own protection, but all these extra layers of security can seem pretty daunting, especially if you aren’t comfortable working with computers. I’m going to try to explain what the extra steps are all about, and hopefully teach you a thing or two about the various authentication methods available to you.
A little over a year ago, the U.S. General Services Administration implemented a new login process for SAM. After June 29, 2018, everyone was required to log into SAM through login.gov, a federal website that gives the public secure and private online access to participating government programs. With one login.gov account, users can sign into the websites of multiple government agencies. login.gov uses two-factor authentication and requires stronger passwords that meet National Institute of Standards and Technology requirements for secure validation and verification.
As the name implies, two-factor authentication (sometimes called 2FA) requires two different methods to sign into an account. Usually this means entering a memorized password (the first “factor”) and a unique code sent to a device that you own (the second “factor”). Requiring two methods makes breaking into your account much harder.
When GSA began using login.gov for SAM, users only had to set up one authentication method in addition to their password. A personal key (a 16-character secret code) was also generated for all users, and users were instructed to print out the personal key and keep it in a safe place in case they ever lost access to their authentication method. Since then, the login.gov team has discovered that personal keys have not worked well for users, so they have begun retiring them as a form of two-factor authentication, and users are now required to set up two two-factor authentication methods when they create a login.gov account.
Here are the choices you have for authentication methods in login.gov:
- Text message (SMS)
- Phone call
- Authentication application
- Security key
- PIV/CAC card
- Backup codes
I’ll cover each of these in more detail below.
Text message (SMS)
This is the first choice for most of my clients, and for good reason. 96% of Americans own a cell phone of some kind, and even the most ancient cell phones can receive text messages. If you choose this authentication method, a six-digit code will be sent to you via text message after you enter your email address and password. You have ten minutes to enter that code on login.gov to authenticate before the code expires.
It’s worth noting that security experts aren’t in love with SMS-based two-factor authentication because someone could steal your phone number or intercept your text messages.
Phone call
This is another authentication method that doesn’t require a lot of explanation. Instead of receiving a six-digit code via text message, you will receive a phone call. When you answer, an automated agent will speak the six-digit code to you. You have ten minutes to enter that code on login.gov to authenticate before the code expires.
If you have already used SMS as your first authentication method and you want to use the phone call as your second authentication method, keep in mind that it must be a different phone number. Since most people don’t carry two cell phones, this is likely to be a landline. If you are going to use a landline for one of your authentication methods, make sure you think about where you are likely to be when you need to access SAM. If, for example, you set up your login.gov account from your company office, but you come into your local PTAC office for help registering or updating your company’s SAM registration, you won’t be where you need to be to accept the automated call. Usually this obstacle can be overcome by having an employee or partner answer the phone and relay the code to you.
Using an automated phone call for your 2FA has some of the same security concerns as using text messaging, as phone numbers can be stolen.
Authentication application
A more secure option than receiving security codes by text or phone call is to use an authentication app to generate security codes. To use this option, you will need to have a smartphone or an internet-connected tablet or computer on which you can install an authentication app. This method may seem intimidating if you’ve never used an authentication app before, but it’s really pretty simple.
Here are some of the more popular authentication applications:
- Android: 1Password, Authy, Google Authenticator, LastPass Authenticator, Microsoft Authenticator
- iOS: 1Password, Authy, Google Authenticator, LastPass, Microsoft Authenticator
- Windows: 1Password, Authy, Microsoft Authenticator, OTP Manager
- MacOS: 1Password, Authy, OTP Manager
- Web browser extensions: Authy
After downloading one of these applications to your device, you will need to set it up to work with login.gov. To do that, you will need to either enter a key provided by login.gov into your app or scan a QR code displayed on login.gov with the app and the camera on your phone or tablet. This will associate your authentication app with your account.
The next time you log into login.gov, you will be prompted to enter a code from your app after you enter your email address and password. You will open your authentication app, look at the code for login.gov, and enter it on login.gov. These codes expire quickly, so you must act fast. Keep that in mind if you are trying to log into SAM from your tablet or smartphone and hoping to use the authentication app on the same device. Some of the apps do allow you to copy the code to your clipboard so you can easily paste it into login.gov, but if you aren’t very adept at switching quickly between applications on your device, this may still present a challenge.
Security key
A security key is an authentication device that strengthens account security when used in addition to a password when signing in. Using a security key is better than receiving codes via phone call or text message because these codes can be phished or intercepted. When you use a security key to sign in, the key will check to make sure you are on the official login.gov website.
A security key is usually a piece of physical hardware, such as a USB device, that you can carry on your keychain. You can also use supporting software, such as a web browser extension or other services. When choosing a security key, look for compatibility with the FIDO standard. Here are two of the most popular and affordable security keys:
- Google Titan Security Key Bundle ($50)
- Security Key by Yubico ($20)
To add your security key to login.gov, select “security key” as your authentication method. You will be prompted to create a nickname for your security key. Next you will be prompted to plug it into an open USB port on your computer to link it. Once that’s done, all you do for future logins is plug your security key into the USB port when prompted.
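The website check that makes a security key resistant to phishing can be seen in the bindings a server verifies on each sign-in. This is an added example, not code from the original post or from login.gov; it assumes WebAuthn (the web API of the FIDO2 standard), and the relying-party ID, origin and sample data are assumed or constructed values.

```python
import base64, hashlib, json, struct

RP_ID = "login.gov"                              # assumed relying-party ID
ALLOWED_ORIGINS = {"https://secure.login.gov"}   # assumed sign-in origin

def b64url(data):
    """Unpadded base64url, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion(client_data_json, auth_data, expected_challenge):
    """Return the list of failed binding checks (empty means all hold).

    A real server must also verify the key's signature over
    auth_data + SHA-256(client_data_json); that step is omitted here.
    """
    problems = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        problems.append("wrong type")
    if client.get("challenge") != b64url(expected_challenge):
        problems.append("challenge mismatch")
    if client.get("origin") not in ALLOWED_ORIGINS:
        problems.append("origin mismatch")
    if len(auth_data) < 37:
        return problems + ["authenticator data too short"]
    # Layout: 32-byte SHA-256 of the RP ID, 1 flag byte, 4-byte counter.
    rp_id_hash, flags, _count = struct.unpack(">32sBI", auth_data[:37])
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        problems.append("rpIdHash mismatch")
    if not flags & 0x01:  # bit 0: user present (button touched)
        problems.append("user not present")
    return problems

def make_sample(origin, rp_id, challenge, flags=0x01, count=7):
    """Build constructed client data and authenticator data for the demo."""
    client = json.dumps({"type": "webauthn.get", "origin": origin,
                         "challenge": b64url(challenge)}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, count)
    return client, auth

if __name__ == "__main__":
    challenge = b"\x01" * 32  # constructed; a server uses fresh random bytes
    print(check_assertion(*make_sample("https://secure.login.gov", RP_ID, challenge), challenge))
    # Response produced on a look-alike site (constructed .example domain):
    print(check_assertion(*make_sample("https://login-gov.example", "login-gov.example", challenge), challenge))
```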
PIV/CAC card
If you don’t know what a Personal Identity Verification (PIV) card is, you probably don’t have one. A PIV card is a “smart” card, about the size of a credit card, that enables federal employees and contractors to gain physical access to buildings and controlled spaces. It is also used to control access to various federal information systems. The Common Access Card (CAC) is what the Department of Defense calls their PIV card.
If you are not a federal employee and you do not have a current contract that requires you to have a PIV/CAC card, you cannot get one, so you would not be able to use this authentication method.
If you have a PIV/CAC card, you will need a card reader and middleware that works with your computer to use this authentication method with login.gov. If you have a PIV/CAC card that you use for physical access, but you have not yet set it up for online access, go to the GSA’s “Getting Started” page at idmanagement.gov to learn how to do this.
Backup codes
Backup codes are not very safe because they can easily be lost or stolen. If you choose this option, login.gov will generate ten codes that you can download, print, copy or write down. Every time you log into login.gov, you will have to enter one of these codes (after entering your email address and password). After you use the 10th code, you will be given a new set of backup codes to save and use.
If you don’t have access to any of the other authentication methods, you can use only backup codes, but this is not recommended. If you ever lose your backup codes, you will not be able to sign in to your account.
Which methods to use
If you don’t have a PIV or CAC card, the two strongest authentication methods are the security key and authentication application. If you don’t want to spend any money on hardware, or you don’t own a smartphone, the phone call and text message are satisfactory alternatives. Backup codes should be used as a last resort.
If you have questions about any of this, or want assistance getting registered at login.gov, please contact your nearest Montana PTAC office.
Portions of this post were taken from the help pages at login.gov.
Starting at the end of January 2019, UCSD requires every employee to have activated two-factor authentication.
Go over to https://duo-registration.ucsd.edu to register your devices and https://twostep.ucsd.edu to read more details.
Here are some suggestions after I have used this for a few months.
The most convenient option is definitely to have the Duo application installed on your phone, so that once you try to log in it sends a notification to your phone, you click accept and you’re done.
Second best is to use the Duo or the Google Authenticator app to generate codes, which you can then copy into the login form. This is also useful for VPN access: you choose the “2 Steps secured - allthroughucsd” option and type your password followed by a comma and the code; otherwise type just the password and get a push notification on your primary device.
Then you can just add a mobile number and receive a text, or add a landline and receive a call.
I also recommend buying a security key and adding it as an authentication option at https://duo-registration.ucsd.edu, either Google Titan or a Yubico key (I have a Titan). You can keep it always with you so that if you don’t have your phone or the phone battery is dead, you can plug the security key into the USB port on the laptop and click on its button to authenticate.
Another option is to request a fob token, a device that generates and displays timed codes and that is independent of a phone; see instructions on the UCSD website. They say there are only a limited number available and you need to be prepared to justify why you are requesting one.
Now that you already have Duo installed on your phone, I recommend also activating two-factor auth on all other services:
Consider that most of them just request the second-step verification if you are on a new device, so you need to do the verification just once in a while and it provides a lot of security. Many of those also support the security key.
Password handling with Lastpass
Update October 2019: Fed up with using Lastpass, their interface is clunky and slow, both in Chrome and Android, I switched to Bitwarden. Way better, it also allows sharing with another user; the only downside is that they do not offer Duo push 2FA for free, you need premium, but it still supports using Duo as a token generator.
As you are into security, just go all the way and also install a password manager. UCSD provides free enterprise accounts for all employees, see the details.
With Lastpass, you just remember 1 strong password to decrypt all of your other passwords. If you ever used the Google Chrome built-in password manager, this is way, way better.
You install the Lastpass extension on your browsers and the Lastpass app on your phone.
The only issue with Lastpass is that by default the Lastpass app on the smartphone automatically logs out every 30 minutes or so, so you have to re-authenticate very often. This is due to UCSD having configured it too strictly. I recommend having a personal account, saving all of the passwords in the personal account, and then linking it from the Enterprise account. Now from the desktop/laptop browsers you can use your Enterprise account; from the smartphone app, use the personal account instead.
You can also automatically import your Google Chrome passwords into Lastpass.
Now you have no excuse to re-use the same password: automatically generate a 20-character random password and save it in Lastpass.
Save one-time codes
When you activate two-factor auth on Google/Github and many other services, they also give you some one-time codes that you can use to log in to the service if you do not have access to your phone. You can save them as “Notes” in the related account inside Lastpass.
Activate 2 factor auth for Lastpass
You should also activate 2 factor auth in Lastpass. It also supports Duo, so the configuration is similar to the configuration for UCSD. The only issue is that they do not support a security key here, so you can only add your smartphone.