Two-factor authentication makes it impossible for hackers to break into your accounts by brute-force and even protects you if the hackers get your password. It can even help lock down your account if your credentials have been phished in the past.
In short, two-factor authentication (2FA) is important.
But which two-factor authentication model should you choose? Almost all services offer one-time-passwords via text message delivered to your phone. Many also provide one-time passwords generated on your mobile device (by using Google Authenticator, Authy, or even Facebook).
A few services will give you the option to connect a hardware device, and there are trade-offs between the options. This blog explains what these choices are, what you have to be careful about, and what’s best for you.
Why is two-factor authentication superior?
It’s hard, if not impossible to notice a cracked or stolen password. A stolen or cracked password allows an attacker to access your account for any amount of time, unnoticed, or lock you out completely.
Similarly, relying solely on a device to log in can make you vulnerable to hacking, if it was stolen. Although you would more quickly realize you have been compromised.
Combining something you know and something you have together, however, makes it far less harmful if your password is cracked or your device is stolen. If you lose your device, the thief or finder is unable to get access to your accounts without a password. And if your password is cracked, no one can access your account without the device.
Factors to consider when choosing two-factor authentication
The theory of authentication of identity usually defines three factors:
- Something you know
- Something you have
- Something you are
Most commonly, users on the internet are identified through something they know. This is usually a password, but could also be a security question.
The risks with “something you know” are that you could forget, or are not the only one who knows, e.g. because you voluntarily or involuntarily shared the knowledge. It might also be possible for a third-party to gain this knowledge through other means, perhaps by looking at social media to get the answer to common security questions “What’s your favorite pet?” or “What street did you grow up in?”
A second factor is “something you have,” which could be a security key or sim card. Often this second factor is applied as a backup reset in case you forget your password.
The third factor is “something you are.” This might be your fingerprint or facial and voice recognition and is seldom used outside of military facilities.
Only when two of these factors, or multiple factors, are required at the same time for authentication do we speak of two-factor or multi-factor authentication.
Common methods of two-factor authentication
1. Text message
What you have: A SIM card
The most common form of two-factor authentication is the mobile phone. Almost everyone has a mobile phone and keeps it with them at all times, making this a popular and convenient choice for providers and users.
What happens when you lose it: If you are on a monthly plan you can lock your old SIM and obtain a new one from your provider. There’s a risk of losing access to your account when traveling if text messages can’t get through.
Security risks: Some providers make it terribly trivial for someone else to obtain a new SIM card on your behalf, or worse, clone your SIM card. Many providers also make it possible for an attacker to divert text messages to another number, essentially bypassing your protection.
Nation states can read or divert text messages sent to you, making it possible for them to bypass your security. Additionally, there is the risk of man-in-the-middle attacks, if you enter the text message into the wrong service.
Privacy risks: Contracts necessarily link your name to every service for which you’ve used your phone to sign up. However, prepaid phone contracts will not replace a lost SIM card. Either way, your mobile phone company might track where you are and who you receive codes from.
2. Authenticator apps
What you have: Your phone with an app installed.
When you use an authenticator app (e.g. Google Authenticator or Authy) the service you set up 2FA with will communicate a secret code with you, usually in the form of a QR code. Scan this code with the authenticator app and from then on your app will generate random codes that change every few seconds. You’ll need this code every time you log into a service.
What happens when you lose it: Some services make it convenient for you to backup this code, so in the event you accidentally delete the authenticator app, lose or break your phone, you can just set it up again. Other services encourage you to save unique backup codes that you can use in the event you lose access to your authenticator app.
Of course, this raises the question of where to save the backup codes. Often a piece of paper is the best option, but where is a safe place to store it?
Note: As long as your phone has power, the app will generate codes for you. Your phone does not need to have internet while it is generating the codes.
Security risks: If somebody is able to screengrab the QR code, or through another means to intercept the secret key, they could generate the same codes in their authenticator app. Like text messages, there is the risk of man-in-the-middle attacks if you enter your passcode into the wrong website.
Privacy risks: If your authenticator app requires you to sign up with your email address, this can help an attacker link accounts together. In general, an authenticator app has few privacy risks.
3. Hardware keys
What you have: A hardware key compatible with the FIDO U2F standard.
This key, which often looks like a small USB stick, contains a small chip that securely stores a private key.
Once you plug in and register the device with a service, the public key will sign messages in a way that the service is able to verify them. Unlike text messages or authenticator apps, there is no risk of man-in-the-middle attacks because the physical hardware key is required to authenticate the service.
Unlike text messages or authenticator apps, hardware keys are not free. But as the dominant FIDO U2F standard is an open standard, there is plenty of competition among various producers. Products can range between US$5 and US$120 with a bundled hardware Bitcoin wallet.
What happens when you lose it: If you can afford it, a second hardware key is a good idea. Otherwise, similar to authenticator apps, you can download backup codes that will allow you access back into your account.
Security risks: The hardware keys excel at security so much that if properly implemented can completely eliminate phishing attacks. For now, most services that offer hardware key registration also require an authenticator app or phone number on file. It’s these weak links that will likely also become your security threats.
Privacy risks: Purchase the device with cash or Bitcoin for certainly. In general, a hardware key no privacy risk as it will create a new key pair for every account.
Hardware keys are best for 2FA, but not everyone will accept them
Hardware keys win from a security perspective, they are private and unaffected by a dying or out of range phone. However, only a few services (Google, Dropbox, Facebook, Github and a few others) support the standard so far.
Unless you trust your phone provider (and few providers are trustworthy), an authenticator app is the best option.