Blog - Sébastien Mouchet

Two-factor authentication: security beyond passwords

Posted on May 12, 2023, by Sébastien

———

Two-factor authentication (2FA), also called multi-factor authentication (MFA), is an authentication method where access is granted after presenting 2 different pieces of information (or factors).

These factors can be:

The main factor used on most websites and online services is of course a password.

However, two-factor authentication is becoming more and more widely available over time.

The idea is that, in case an attacker manages to guess or steal a password, access to the account would be prevented by the second factor.

In general, the second factor is only required when connecting from a new device, and you won't be prompted for it every time you log in from a known device.

Here are a few common ways that can be used to implement a 2FA mechanism.

Email or SMS

Some services can send you a code (or sometimes a link) via email or SMS.

This is the least secure option.
Emails and SMS are not encrypted, and SMS can be intercepted.

It's better than nothing, but choose another method whenever possible.

Authenticator apps

Authenticator apps that can be installed on smartphones are a step up from email or SMS.

In most cases, the app generates a 6-digit code that changes every 30 seconds, based on a key imported when you initially set up two-factor authentication (typically via a QR code). The code serves as proof that you still have the device where that key is stored.

Besides increased security, another advantage of these apps is that they can be used offline.

Tip: there are many alternatives to Google Authenticator

Even though websites sometimes refer to authenticator apps as "Google Authenticator" for simplicity, know that this method is automatically compatible with all apps that implement the TOTP standard.

This includes, in particular, FreeOTP, Authy, Microsoft Authenticator, Yubico Authenticator (more info in the next section), and many others.

In fact, I don't recommend Google Authenticator, considering it isn't Open Source any more (it used to be), and that its newly introduced "cloud backup" feature is poorly implemented, as of May 2023.
Indeed, the encryption keys are sent to Google servers without end-to-end encryption, effectively giving Google access to all of your 2FA codes…

My favorite is FreeOTP, which is Open Source.

If you really want cloud backups, you can use Authy, which is proprietary but properly encrypts your data before it leaves your device, using a password.
In this case, choose a strong password, and don't forget it.

Alternatively, some password managers such as Bitwarden, 1Password, or Dashlane have a TOTP feature.
While you'll still benefit from the "one-time" aspect of these codes, it cannot really be considered a second factor:
If someone ever breaks into your password manager, they'll have access to both your passwords and your TOTP codes.
Also, your password manager itself should be protected by 2FA, and you obviously cannot store that 2FA token inside your password manager – or you'll lock yourself out – which means you'll need a separate MFA method anyway.

Security keys

Security keys represent a more advanced method for two-factor authentication.
They usually support the U2F and FIDO2 standards.

Advantages:

The most famous example is assuredly the YubiKey.

Some YubiKey models can be used both over USB (for computers) and using NFC (for smartphones).

In addition to the U2F and FIDO2 protocols, some models also support the TOTP standard, which allows you to replace Google Authenticator (and other similar apps) with Yubico Authenticator.
The encryption keys used to generate the 6-digit TOTP codes are then stored inside the YubiKey, and cannot be extracted from it.

Important: backup codes

No matter what option you choose, you need to make sure you won't get locked out of your accounts if you ever lose your 2FA device.

Most websites will provide you with backup codes (or "recovery codes") when you set up multi-factor authentication.
You can either print them or write them down on paper and store them in a secure place (e.g. a safe), or, alternatively, store them in a separate password manager – NOT your main password manager, or you'll lock yourself out.

In case you ever come across a service that doesn't offer recovery codes, you should probably back up the key itself when setting up TOTP authentication.
It's usually displayed next to the QR code.

Where to use it?

The most critical service that needs to be protected by two-factor authentication is undoubtedly your password manager.

Bank accounts also need to be secured by more than a password.
In fact, banks in the European Union are required by the PSD2 directive to set up Strong Customer Authentication (SCA).
Unfortunately, some of them only provide SMS as a second factor.

Generally speaking, any account with special implications in terms of security or privacy should be protected by MFA.

You probably don't need to set it up for a random online discussion forum you use once a year, though 😆

Related

While two-factor authentication is a useful tool to enhance the security of your online accounts, it doesn't exempt you from maintaining a good "password hygiene".