Two Factor Authentication (2FA)

If you haven’t read I Have a Password System, and don’t feel confident with how you manage your passwords, it’s recommended that you read that before you come back to read the rest of this. Two Factor Authentication (2FA) is when access to something is protected by more than a single factor of authentication, such as just a password. When a username and password are used together with an additional factor of authentication, such as a code received via email or SMS, you’ve got yourself Two Factor Authentication (2FA). This type of authentication is sometimes also referred to as Multi Factor Authentication (MFA), and the two terms are usually used interchangeably. I’ll refer to it as 2FA going forward.


Why 2FA?

2FA is one of the most important aspects of staying secure online, alongside strong passwords. One could argue that using 2FA is more important than having strong passwords, but it’s recommended to get both of these areas figured out and locked down in order to improve online security. There is a movement towards “passwordless” authentication which will drastically improve the average internet user’s security online - but we’ll cover that another time.

2FA makes it much harder for attackers to break into an account because in addition to obtaining a username and password, the attacker also has to gain access to an additional piece of information to break into your account. While it’s true that using 2FA makes things a bit inconvenient for the user, it makes the attacker’s endeavors to compromise your accounts disproportionately harder.

Types of 2FA

2FA adds a layer of protection beyond having a strong password, but not all forms of 2FA are created equal. What follows is a comparison of some of the most common forms of 2FA available at the time of writing.

SMS

One frequent type of 2FA is a code that is sent to the user via a phone number. This is one of the weakest forms of 2FA as it is susceptible to an attack known as “SIM Swapping”, in which malicious actors gain control of the victim’s phone number in order to get access to 2FA codes. It may seem like a difficult thing to pull off, but SIM Swapping is extremely common. It is a huge problem because telecom companies are susceptible to social engineering. There can also be insiders within large telecom companies that get paid by malicious actors to port numbers. In fact, there is a whole dark market economy based around SIM Swapping numbers. You can learn more about this in the Darknet Diaries Episode 112, which I highly recommend listening to (you can skip to around 45 minutes in if you don’t have time to listen to the entire episode).

Additionally, some services allow recovery to be performed over a phone call, at which point those recovery mechanisms become susceptible to phone number spoofing attacks.

It is also the case that SMS is not encrypted, so any data it carries, such as MFA codes, can easily be sniffed by malicious actors. As such, SMS should only be used when there are no other options. In some cases, when there are no other MFA options, it may be more secure to use only a long and random password, for example where the SMS number can be used to recover the account. For high risk accounts it is recommended that SMS not be set on the account.

Email

Many sites offer email based 2FA, where a code or magic link is sent to your email as a second factor of authentication. This type of 2FA is reasonably secure, as long as the email itself is adequately protected. While this isn’t the strongest form of 2FA, it is arguably better than SMS, as long as the email itself is protected by something stronger like TOTP or FIDO. It is essential that your email is protected with the strongest type of 2FA available, as emails usually contain sensitive information, and are used to recover access to accounts. If an attacker gains control of someone’s email, they’re in trouble.

That being said, using email inherently assumes that you trust that the email provider won’t do anything malicious. If the email provider is compromised or coerced, or subpoenaed, they may give persons other than yourself the ability to access your email. This is a significant risk, as this would allow performing recovery of most types of accounts, granting the person who has access to your email access to almost any service registered to that email. There are some additional protection mechanisms for recovery that can be in place, but on average emails are a huge single point of failure.

Push Notification

This type of 2FA relies on applications which receive Push Notifications, allowing the user to approve authentication requests. This form of 2FA is quite strong, but still susceptible to an attack called “MFA Bombing” in which the attacker simply keeps sending requests to a user’s device until one of them is approved, often by accident.

Additionally, the implementation of this sort of 2FA relies on a third-party provider, which means that the server which is used for authentication is not controlled by either you or the service you are authenticating against, and as such creates additional surface area for attacks.

Push Notifications are considered to be a relatively weak form of 2FA, but can be useful in some contexts, and are more secure than SMS and Email in most scenarios.

Time-based One-Time Password (TOTP)

This is one of the better types of 2FA available and is quite common. TOTP is based on symmetric cryptography, where a shared secret is used to authenticate users. The codes are generated every 30 seconds, by both the user and the service one is authenticating against, and then compared. If they match, the TOTP check is successful.

Most applications used for TOTP such as Google Authenticator, Authy, Microsoft Authenticator and others store the TOTP secrets locally, but Yubico Authenticator offers the user the ability to store their secrets on a YubiKey which adds an additional layer of security. Note that different types of YubiKeys have different storage capacity, so you may need multiple YubiKeys if you choose to use this approach and have many accounts to secure with TOTP.

While TOTP is susceptible to phishing and replay attacks, it is superior to SMS, Email and Push Notification based 2FA. The replay attacks are the result of incorrect implementation, as the TOTP spec prescribes that a code should only be valid for one use, but most implementations overlook this detail.

Yubico OTP

While this protocol may seem like a good option on the surface, it has a dramatic flaw in its design. A Yubico OTP is emitted from a YubiKey when it’s tapped. Accidental tapping emits a code which remains valid until that code has been used against every service the key is registered on. This means that if you leak an OTP, you need to log into all services which have Yubico OTP set up with that YubiKey in order to invalidate the leaked OTP.

Additionally, there is an inherent level of trust in Yubico, as the Yubico OTP protocol relies on a server hosted by Yubico. This introduces a number of man-in-the-middle (MITM) concerns.

This method should be avoided if FIDO2 or TOTP are available, but in the case where it’s the only option, or Email, SMS or Push Notifications are the alternative, this may be a better option.

FIDO2 (Fast IDentity Online)

FIDO2 is one of the strongest and most private forms of 2FA available, and also a technology that is aiming to replace passwords. FIDO is superior to all types of authentication currently available. The reason it is so powerful is because it is resistant to phishing, which is not the case for most other types of 2FA.

To leverage it, one can purchase a smart card such as a Nitrokey or YubiKey, and an increasing number of devices use their built-in TPMs to support FIDO2. The big tech companies are integrating Passkeys, an extension of FIDO2 focusing on compatibility and integrations. Passkeys give the ability to authenticate using the FIDO2 protocol via browsers, password managers and more. While this is convenient, it is not recommended, as it creates single points of failure (SPOFs) and relies on a third party for access. Smart cards are considered to be more secure and private.

Some cryptocurrency hardware wallets like Ledger and Trezor support FIDO2 as well and have the added benefit of being able to back up FIDO2, which smart cards don’t offer.

Summary

To put it all together, the most important thing to understand is that 2FA should be used wherever available. When multiple options are available, refer to this approximate summary of the order of strength of 2FA types starting with the most powerful on the left, and decreasing in strength as we move to the right:

FIDO > TOTP > Yubico OTP > Push Notification > Email > SMS

It is recommended that you purchase two smart cards because FIDO can’t be backed up. By registering two smart cards to services on initial setup, one smart card can be stored safely as a replacement in case the day-to-day smart card stops working or is lost. An alternative is to use a hardware wallet, as the seed phrase is used to derive the FIDO2 secret.

It is also recommended that recovery codes for different services be stored and backed up securely in case a smart card fails. Secure backups can be achieved in several ways, for example by using a password-protected drive, or PGP.

Lastly, if strong forms of MFA are available, only use those, and do not set up the weaker forms, as they can be used to bypass the stronger ones. For example, if FIDO2 is available, avoid setting up SMS, push notifications or other 2FA methods unless the system requires all of them rather than just one.

Stay safe out there!

Written on November 1, 2022