This is cross-posted from my blog.
2-Factor Authentication (2FA) and Multi-Factor Authentication (MFA) are ways of securing accounts above and beyond normal password protection. Typically, we think of 2FA as something you know (your password) plus something you have (a device). The idea is that if an attacker compromises one factor, they still can’t get access to the protected resource.
A room protected by a keypad and ID card reader is a great example of 2FA. You might be able to guess the code, but you’d also need a valid ID card to get access to the locked room.
What about biometrics? Good question. Technically, still something you know (the password) and something you have (a retina/fingerprint/etc…), but stored biometrics make me nervous. I steer clear.
(Some) 2FA Options:
At a high level, here's how each works:
- TOTP (time-based one-time password) works via an app on your phone, a browser extension, or a command-line tool, which generates a time-limited code for you to provide when logging into an account.
- U2F works by registering a hardware device (you may have heard of Yubikey) with the account, and then supplying that device every time you log in.
- SMS works by texting you a code that you enter every time you log into your account.
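To make the TOTP description concrete, here is an added example (not code from the original post) of how a TOTP app derives that time-limited code, and how a server would check it. It follows RFC 4226 (HOTP) and RFC 6238 (TOTP): the secret is shared as base32 (what the setup QR code carries), the current Unix time is divided into 30-second steps, and the step counter is run through HMAC with the secret. The demo secret is the public test key from those RFCs, labelled as constructed; the verification function with its one-step tolerance window and replay check is my own design, not any provider's implementation.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 4226 / RFC 6238 test key, ASCII "12345678901234567890".
# Authenticator apps receive the secret base32-encoded, so that is the form used here.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC-based one-time password (RFC 4226) for an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)         # keep leading zeros


def decode_secret(secret_b32: str) -> bytes:
    """Decode a base32 secret, tolerating the spaces and lowercase apps often show."""
    return base64.b32decode(secret_b32.replace(" ", "").upper())


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(decode_secret(secret_b32), unix_time // step, digits)


def verify_totp(secret_b32, submitted, unix_time, last_used_step=None,
                window=1, step=30, digits=6):
    """Server-side check (hypothetical design, not a specific provider's).

    Accepts the code for the current step or +/- `window` neighbouring steps
    to absorb clock skew, refuses any step that is not newer than the last
    accepted one (so a code cannot be replayed within its lifetime), and uses
    a constant-time comparison.  Returns (accepted, step_to_record).
    """
    secret = decode_secret(secret_b32)
    current = unix_time // step
    for delta in range(-window, window + 1):
        candidate = current + delta
        if last_used_step is not None and candidate <= last_used_step:
            continue                                         # already consumed
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return True, candidate
    return False, last_used_step


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET_B32, now)
    print("current code:", code)
    print("accepted on first use:", verify_totp(DEMO_SECRET_B32, code, now))
    ok, used = verify_totp(DEMO_SECRET_B32, code, now)
    print("accepted again (replay):", verify_totp(DEMO_SECRET_B32, code, now, used))
```

The RFC 6238 test vectors make the arithmetic checkable: at Unix time 59 the 8-digit SHA-1 code for this key is 94287082, and the 6-digit form an app would show is the last six of those, 287082. Note that the server must persist the `step_to_record` it gets back; without that, the same code is valid for the whole window, which is exactly the replay opportunity the check is meant to close.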
2FA isn’t all that complicated in practice. It’s an extra step, yes, but worth configuring to protect your account(s).
However, not all 2FA is created equal. I have had to help more than one person recover accounts protected by SMS-based 2FA. SIM hijacking is when someone takes over your phone number and can therefore intercept your calls and texts. Some sites and apps that use SMS-based 2FA allow password resets via SMS or voice alone. If someone hijacks your SIM, they can get access to those accounts without needing to know (or guess!) your password.
That’s why I recommend not using SMS-based 2FA. If you’re against carrying around an additional device, set up a TOTP app (like Google Authenticator) on your phone. Let’s face it, you probably carry it around anyway. U2F is my preference, but that can be a bigger hurdle if you’re just starting with 2FA.
Other best practices:
- Recovery codes -- download them, store them.
- Keep your passwords strong -- 2FA isn’t a replacement for a good password.
- Use a password manager -- a trusted password manager can store the TOTP seeds, if you need to use more than one device.
- Back up off-site -- for the truly paranoid, store backup codes and devices in an off-site, offline location like a safety deposit box.
Question: What if a provider only allows SMS-based 2FA?
Great question, but not one with an easy answer. It depends on a lot of factors. First, evaluate whether you really need that account. If not, then there’s no issue. If you do need that account…
Evaluate your risk profile. If this account is compromised, how much damage is it going to do? If it’s not going to do any, I might not recommend securing it with SMS in the first place. If it has the chance to do damage, then I’d investigate the policies of how the provider allows account recovery and make a call based on that. Definitely still use a unique password, and definitely make the request for other 2FA options!
Need provider-specific advice for securing your accounts? twofactorauth.org is a great way to figure out what they support and how to go about enabling it.
Have other questions? Let me know and I'll try to answer them.