This is cross-posted from my blog.
2-Factor Authentication (2FA) or Multi-Factor Authentication (MFA) are ways of securing accounts above and beyond normal password protection. Typically, we think of 2FA as something you know (your password) and something you have (a device). The idea is that if you compromise one, you still can’t get access to the protected resource.
A room protected by a keypad and ID card reader is a great example of 2FA. You might be able to guess the code, but you’d also need a valid ID card to get access to the locked room.
What about biometrics? Good question. Technically, still something you know (the password) and something you have (a retina/fingerprint/etc…), but stored biometrics make me nervous. I steer clear.
(Some) 2FA Options:
- Time-based One-Time Password (TOTP)
- Universal Second Factor (U2F)
- SMS
At a high level, here's how each works:
TOTP works via app, on your phone, browser extension, or command line, and generates you with a time-limited code to provide when logging into an account.
U2F works by configuring a device (you may have heard of Yubikey), and supplying that device every time you log into an account.
SMS works by getting a text with a code that you enter every time you log into your account.
2FA isn’t all that complicated in practice. It’s an extra step, yes, but worth configuring to protect your account(s).
However, not all 2FA is created equal. I have had to help more than one person recover accounts protected by SMS-based 2FA. SIM hijacking is when someone takes over your phone number and can therefore intercept your calls and texts. Some sites / apps who use SMS-based 2FA will allow password-resetting via SMS or voice alone. If someone hijacks your SIM, they can get access to those accounts without needing to know (or guess!) your password.
That’s why I recommend not using SMS-based 2FA. If you’re against carrying around an additional device, set up a TOTP app (like Google Authenticator) on your phone. Let’s face it, you probably carry it around anyway. U2F is my preference, but that can be a bigger hurdle if you’re just starting with 2FA.
Here’s a good general guide on how to set up 2FA. If you want to go the U2F route, you'll probably want to get a YubiKey.
Other best practices:
- Recovery codes -- download them, store them.
- Keep your passwords strong -- 2FA isn’t a replacement for a good password.
- Use a password manager -- a trusted password manager can store the TOTP seeds, if you need to use more than one device.
- Back up off-site -- for the truly paranoid, store backup codes, devices in an off-site, offline location like a safety deposit box.
Question: What if a provider only allows SMS-based 2FA?
Great question, but one there’s not an easy answer to. It depends on a lot of stuff. First, evaluate whether you really need that account. If not, then there’s no issue. If you do need that account…
Evaluate your risk profile. If this account is compromised, how much damage is it going to do? If it’s not going to do any, I might not recommend securing it with SMS in the first place. If it has the chance to do damage, then I’d investigate the policies of how the provider allows account recovery and make a call based on that. Definitely still use a unique password, and definitely make the request for other 2FA options!
Need provider-specific advice for securing your accounts? twofactorauth.org is a great way to figure out what they support and how to go about enabling it.
Have other questions? Let me know and I'll try to answer them.
Top comments (4)
OK, mostly I agree with this, but - and a big but - SMS-based 2FA is astoundingly better than no 2FA. I mean bucketloads better than no 2FA. Yes, TOTP is better still, and anything hardware is pretty damn awesome. I'm old-school, so I'm using PKCS#11 smartcards, but if U2F is what you prefer that's fine too.
But let's look in detail:
If there's no 2FA at all, an attacker just has to guess your password (or obtain it via a wide-trawl phishing attack, or ... or ...). Your best option here is to ensure you have a strong, unique password - and protect its use by ensuring it's only entered into the actual site. Good password managers will handle all this for you.
Everything else beyond this is an addition (until we get to PKCS#11, anyway).
Now, an attacker has to target you specifically, and obtain access to your mobile phone number, or your handset in some way. Either is a magnitude more effort than just getting your password, and moreover, it becomes a targetted attack instead of a more general trawl. By using SMS 2FA, you're forcing an attacker into completely changing their game.
Yes, of course you might be the target. Yes, it's weak. But it's forcing a huge amount of additional workload on an attacker, so if this is your only option, you should absolutely use it.
But, you know, if it's your bank account, I'd be looking to change bank.
Now, in a partial breach case, TOTP isn't actually much better than a password. Lots of sites store the TOTP secret in the clear, and it's pretty weak, cryptographically - the specification allows for making it much stronger, but unfortunately the predominant client app - Google Authenticator - doesn't seem to support the higher settings, so we're stuck with the entry-grade.
Still, an attacker has to get at that shared secret, whether that's from your mobile phone - in which case, folks, it's not much harder than SMS - or else from the server. Cryptographically breaking TOTP is still too difficult, though it's rapidly approaching feasibility, and you'll want to keep an eye on that one.
Still, better than SMS, for sure - but while it's certainly significantly better, it's not the game-changing gap that's between no 2FA and SMS.
Universal Second Factor is essentially a cheap hardware cryptographic device - it's doing cryptographic magic™ on a chunk of silicon that means an attacker can't duplicate it - you can't pull the private key out of the device. They can, of course, steal it, which is - in technical terms - "Bad".
The good news, though, is that you'll know if this happens, generally - and knowing about a potential breach is half the battle.
So clearly, if you can use U2F, go for it.
The "old-school" is to use a PKCS#11 device, usually a smartcard. Your bank card might even be one, if you live in Europe particularly. (If you live in the States, you might get one in a decade...)
PKCS#11 devices are pretty similar to U2F devices - indeed, U2F is essentially a modern, consumer-grade, PKCS#11. The main difference is that smartcards generally require a PIN. On a really shiny system, the card reader itself has the PIN entry pad, so it cannot be obtained by a keyboard sniffer.
All this is because they're used as the sole means of authentication in many cases - including the US military "Common Access Card".
In fact, some U2F devices can be used as PKCS#11 devices - some of the Yubikey range for example. While these don't use a PIN, they can do the other magic - a PKCS#11 device will provide authentication at the TLS level, it can literally "be" your SSH key, your PGP key, or your S/MIME key.
That's a great write-up, thanks!
There's a phrase I really like, which is "usable security". That is, how do we secure things in a way that both actually secures things, but isn't so onerous that it makes it impossible for people to use. U2F is getting there, but a lot of folks -- especially folks who are new to good security hygiene -- are having a hard time with adoption.
I don't disagree with most of what you've said, but my view is a bit different. The place I have seen people get into is when account recovery happens by way of authenticating with SMS, or no account recovery is possible at all once the 2nd factor is compromised. In both cases, the user is totally hosed.
And, yeah, totally agree about the bank note!
Anyway, that's my justification for not a flat out recommendation for using 2FA via SMS if no other option is available. Depending on the type of account, having it compromised for a limited amount of time (via the password being compromised and then recovered) may actually be preferable to losing access permanently. Social engineering is really not difficult to do, especially if the account holder personally is a target.
Thanks again for weighing in! There are a lot of factors (ha) to consider. I try to get everyone to use U2F, but am not always successful :-)
U2F is great because it's a relatively cheap hardware dongle. I'd like people to be using the U2F devices that are also PKCS#11 devices, but the ones that also handle NFC for mobile use tend to get prohibitively expensive.
What I'd love to see is banks and similar hand these out to customers uninhibited, so that their customers get better security everywhere - but most importantly at their bank.
That would be amazing. After all, it's in their best interests not to have accounts compromised, as well.