Two-factor authentication in MultiPassword

MultiPassword is a password manager that can be used not only to store authorization data from websites, but also as a two-factor authenticator. The program allows you to generate one-time passwords for many sites at the same time. Generation is carried out directly in the same storage entry where the login and permanent password from the site are stored.

The two-factor authentication function is provided in all versions of MultiPassword - desktop (program for PCs), mobile and browser (extension for Internet browsers).

How it works and the benefits of two-factor authentication

Two Factor Authentication (2FA) provides additional protection for accounts on websites. When activated, to enter your personal account, you will have to use not only your login and password, but also the code generated by the authenticator. This code exists for a short time - usually about 30 seconds. After this time, it's automatically generated again.

A regular password can still be guessed, for example by character-by-character enumeration (sooner or later it will be guessed, because it never changes), but guessing a 2FA code this way is almost impossible.

Today, cybercriminals do not use password brute-force methods to hack accounts on websites. Basically, hacks are carried out using "social engineering" or phishing (fake) sites. Attackers either get the victim to give out a username and password, or trick them into entering authorization data on a fake site.

2FA technology was created to protect accounts when passwords are stolen, and it doesn’t matter how exactly the theft is done - through a phishing site or by gaining access to a computer on which authorization data is stored in a plain text file on the desktop. The login and password will let the attackers easily pass the first level of protection, but they will not get past the second level, because for that they would also need to crack the 2FA authenticator. And if it is stored on a mobile device, attackers will have to gain physical access to it.

Unlike Google Authenticator, the MultiPassword mobile app has its own tamper protection. While Google Authenticator only requires you to sign in once (on Android devices), the MultiPassword mobile app requires you to enter a password every time you launch it.

How to use 2FA in MultiPassword?

In all versions of MultiPassword, working with 2FA is carried out in approximately the same way. Here are instructions for using this technology in programs for PCs, browsers and smartphones.

Using 2FA on a computer and in a browser

The user interfaces of the extension and the MultiPassword desktop program are almost identical. Therefore, further instructions are suitable for both versions of the application.

The first step is to activate 2FA protection for the protected account, and then bind it to the MultiPassword authenticator. Let's walk through the procedure using VK as an example.

1. In the MultiPassword program/extension, you need to create a new item to store authorization data from VK in it (or you can open an existing item, if one was created earlier by the extension). Fill in all the fields (but in general, this is optional).

2. Opposite "Additional field", press the button with three vertically arranged dots, then select the item "One-time password" from the drop-down menu.

3. The generated field will be displayed below, with the inscription "Enter the 2FA code". For now, we don't enter anything here.

4. Log in to your VK account. Next, you need to open the account settings page, go to the “Security” section in it and click on the “Enable” link next to the “Application for generating codes” line.

5. In the window that opens, a "QR-code" and a "Secret key" will be shown. We need the second one, because scanning a QR code from a computer will not work. We copy the secret key, but do not close the window itself.

6. Next, open MultiPassword again and paste the secret key you just copied into the additional field you created earlier. Next, click Save.

7. Immediately after inserting the key, a six-digit code will appear to the left of the additional field (marked in the screenshot above), next to which you can see a timer. Until the time is up, you need to enter this code in the "Confirmation code" field on the VK settings page and then click on the "Confirm" button.

8. If everything went well, a message will appear in the lower left corner of the VK page indicating the success of adding an application for generating codes.

Now let's check 2FA from MultiPassword:

  • Let's exit the personal account of VK in order to get to the login and password entry page. Enter the authorization data in the appropriate fields (or you can click on the avatar in the “Recently accessed the site from this computer” block, if possible).
  • After entering the login/password, we will not get to the personal page of VK, but to the page for entering the 2FA code. You will need to open MultiPassword, look at the generated six-digit code and enter it on the VK login page.

Using 2FA MultiPassword on a Smartphone

The process for setting up two-factor authentication in the MultiPassword mobile app is as follows:

1. We note right away that it is more convenient to configure 2FA protection via a PC.

2. Create a new item in the MultiPassword password vault or edit an existing one. Select the "Additional field" element.

3. In the "Field type" block that appears below, select the "One-time password" option, as a result of which a column will appear - "Field value", and on the right - an icon with a QR code image.

4. Next, you need to activate 2FA protection in the security settings of the protected account (in the instructions above, you can see how to do this using the example of VK). On the page for linking to the account of the application for generating codes, a QR code and a “Secret key” will be displayed (as it is called on VK, but on other sites it may be called something else).

5. Now in the MultiPassword application, touch the icon with the image of a QR code opposite the “Field value” column and point the smartphone camera at the QR code that is displayed on the computer screen (you must first grant the MultiPassword application access to the phone’s camera). You can also enter in the "Field value" field the key shown on the page for linking the application for generating codes. If a camera was used, a link will be displayed in the "Field value" field - we do not need it, so just click the "Save" button in the upper right corner (we do the same when entering the key manually).

6. The newly created or edited entry will open in MultiPassword. A six-digit code will appear under the site address - you need to enter it on the 2FA protection settings page before the time has expired (and if it has expired, enter the one that will be generated again), and confirm the action.

This completes the binding of the protected account to the MultiPassword authenticator. Now, when authorizing on the site, you will additionally need to enter a 6-digit code that will be generated by the MultiPassword application (it can be found in the password storage entry that we just created/edited).
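
What happens behind the "Secret key", the link read from the QR code and the six-digit code with its timer, as an added example that is not MultiPassword's or VK's own code. It assumes the codes are standard TOTP (RFC 6238, HMAC-SHA1, 30-second period) and that the QR code carries an otpauth:// link; the sample link is constructed from the RFC test secret.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample link (RFC 6238 test secret, not a real account).
SAMPLE_URI = ("otpauth://totp/VK:user%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=VK")

def parse_otpauth(uri):
    """Extract TOTP parameters from the link a setup QR code encodes (assumed format)."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP provisioning link")
    q = parse_qs(u.query)
    if "secret" not in q:
        raise ValueError("link carries no secret")
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": q["secret"][0],
        "digits": int(q.get("digits", ["6"])[0]),   # six digits unless stated
        "period": int(q.get("period", ["30"])[0]),  # 30 seconds unless stated
    }

def decode_secret(secret):
    """Base32-decode a key as typed from a setup page (spaces, lower case, no padding)."""
    s = secret.replace(" ", "").replace("-", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)

def totp(key, now=None, digits=6, period=30):
    """Return (code, seconds until the code changes) for the given time."""
    now = time.time() if now is None else now
    counter = int(now // period)                      # number of elapsed periods
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits), period - int(now % period)

def verify(key, submitted, now=None, window=1, digits=6, period=30):
    """Site-side check: accept the current period and +/- `window` periods of clock drift."""
    now = time.time() if now is None else now
    return any(
        hmac.compare_digest(totp(key, now + i * period, digits, period)[0], submitted)
        for i in range(-window, window + 1)
    )

if __name__ == "__main__":
    params = parse_otpauth(SAMPLE_URI)
    code, left = totp(decode_secret(params["secret"]))
    print(f"{params['label']}: {code} (changes in {left}s)")
```

The code is derived only from the secret key and the clock, so anyone who holds the key can generate valid codes; the vault entry that stores it needs the same protection as the password itself.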