Amazon just launched this week support for two-step verification for logging in to your Amazon account, offering so-called “Google Authenticator” style two-step verification as an option (technically referred to as “TOTP,” or “time-based one-time password,” authentication), along with the alternative option of SMS verification. Amazon has been using the same mechanism for securing their cloud compute platform, Amazon Web Services, for some time now.
Our Amazon accounts are of course ones that carry a non-trivial transaction risk, since Amazon stores our credit card data and, once you have account access, you can ship anything anywhere. And as a frequently-used site, it is an account for which it is tempting to have an “easily remembered” (translation: insecure) password.
By enabling two-step verification on your Amazon account, you make a guessed or stolen password useless on its own, as accounts with this advanced security feature require two steps to log in: first, the username and password need to be entered, and second, a one-time password must be entered. The one-time password is a number that changes every 30 seconds, and can only be correctly generated by a device running a special application to generate the one-time password. When you configure the option, you scan a QR code to read a secret value which is used by both your app and the site to generate the one-time password, which is based on a mathematical transformation of the secret and the current time.
That’s the good news. The less good news is that TOTP typically requires you to store your TOTP secret in a special purpose app (like Google Authenticator), which means that, whenever you want to get the number to log in, you need to launch the app and type the TOTP token value – this in addition to remembering/typing the password.
passQi+ changes all that – by not only automating username / password login, but also automating TOTP login. Like a typical TOTP app, you scan the site-generated QR code, but you do this from within the account details page for your Amazon account in the passQi vault, where your username and password are already stored. passQi+ then securely stores the secret, and whenever you need to log in to your Amazon account, you simply tap the passQi bookmark twice – first on the password login page, and then on the two-step token page that will come up next. Each time you click the bookmark in your laptop or desktop browser, passQi+ will decrypt the password from the passQi vault on your phone, generate the current TOTP code for the present instant, and securely relay them to your browser, where they will be decrypted and automatically injected into the login page.
This makes it possible to achieve maximum security for your Amazon account, with minimal hassle!
Having used TOTP on their AWS platform, it’s not surprising that they did a great job with their implementation – straightforward and easy to configure, plus, they thoughtfully DO NOT automatically set a cookie to bypass two-step verification on so-called “known devices.” While it is certainly true that a login on a device that you have previously logged in on is less likely to be used for an unauthorized login, the key word there is “less.” Recognizing that, as currently offered, TOTP is still kind of a pain to use, sites like Google and Facebook default to quickly promoting a previously-used browser to “TOTP not required” status. But with TOTP so easy with passQi+, shouldn’t you use it all the time?
… passQi+ users should leave this unchecked!
Although it doesn’t depict the Amazon consumer configuration and login experience, our support videos page has a quick walkthrough of configuring passQi+ TOTP for AWS service login – the process is more or less the same on the consumer side.