Skip to main content

The definitive ranking of two-factor authentication methods

Two-factor authentication is a great way to secure all of your online accounts but not all methods are equal.

You should be using two-factor authentication on every account that gives you the option. There is no better way to keep your account secure and no matter who you are you should want all of your accounts to be as secure as possible. It also doesn't matter which phone you use — 2FA works with a cheap Android phone, the best Android phone, or an iPhone. You've heard all of this before.

All two-factor methods are not created equal though. Like every other user-facing security measure you have to trade some convenience for protection and the most secure methods of 2FA are also the least convenient. Conversely, the most convenient methods are also the least secure.

We're going to take a look at the different ways you can use two-factor authentication and discuss the pros and cons of each.

Avoid at all costs, though it's still better than nothing

4. SMS-based two-factor authentication

Getting a text message with a two-factor code is the most popular way to secure an online account. Unfortunately, it's also the worst way.

SMS-based 2FA is easy and convenient. It's also not very secure.

You give your phone number when you sign up for an account or if you go back and enable 2FA at a later time, and after the number is verified it's used to send you a code anytime you need to authenticate that you are really you. It's super easy and super convenient which means plenty of people use it and plenty of companies offer it as the only means to secure an account.

Ease of use and convenience are great things, but nothing else about SMS is good. SMS was never designed to be a secure means of communication and since it's an industry standard, even an app like Signal that does offer encrypted and secure messaging still sends SMS messages as plain text. Nathan Collier, a senior malware intelligence analyst at Malwarebytes, describes SMS like this:

SMS text messages, which are sent and stored on servers in plain text, can be intercepted during transit. Moreover, it's possible for SMS messages to be sent to the wrong number. And when messages reach the correct number, there is no notification from the recipient as to whether the message was read or even received.

A bigger problem is that carriers can (and have been) tricked into authorizing a new SIM card using the phone number of someone else. If someone really wanted to get access to your bank account or order a bunch of stuff from Amazon using your credit card, all they need to do is convince someone at your carrier that they're you, you lost your phone, and you need your number moved to a new SIM card that they happen to be holding.

All of this goes for email-based authentication, too. Email is really the only way any account recovery process can work, and plenty of places like your bank will want to send you a code via email to log in from a new device. It's just not very secure and everyone in the industry knows it. Maybe fixing how email is used as a backbone for this sort of thing is what comes next.

You should just probably use this

3. Authenticator apps

Authentication apps like Google Authenticator or Authy offer a big improvement over SMS-based 2FA. They work using what's called Time-Based One Time Passwords (TOTP) that an application on your phone can generate using a complex algorithm without any sort of network connection. A website or service uses the same algorithm to make sure the code is correct.

Authenticator apps are better than SMS for 2FA, but they are not foolproof.

Since they work offline TOTP style 2FA isn't subject to the same problems that using SMS is, but it's not without its own set of flaws. Security researchers have shown that it is possible to intercept and manipulate the data you're sending when you enter the TOTP on a website, but it's not easy.

The real problem comes from phishing. It's possible to build a phishing website that looks and acts just like the real thing and even passes along the credentials you supply, like your password and the TOTP generated by an authenticator app so you can log in to the real service. It also logs itself in at the same time and can act as if it were you without the service you're using knowing the difference. After all, the right credentials were supplied.

Another disadvantage is that it might not be easy to get the codes you need if you lose your phone. Some authenticator apps like Authy work across devices and use a central password to set things up so you can be back up and running in no time and most companies will provide a set of backup codes you can keep for times when everything goes south. Since that data is also being sent across the internet it weakens the effectiveness of using TOTP but offers greater convenience to users.

Safe and convenient, but not common

2. Push-based 2FA

Some services, most notably Apple and Google, can send a prompt to your phone during a login attempt. This prompt tells you that someone is trying to log into your account, can also give an approximate location, and asks you to approve or deny the request. If it's you, you tap a button and it just works.

A notification for 2FA is super easy and super convenient. Don't lose your phone though.

Push-based 2FA improves on SMS 2FA and TOTP authentication in a couple of ways. It's even more convenient because it all works through a standard notification on your phone — all you need to do is read and tap. It's also much more resistant to phishing and so far has shown itself to be very "hack" resistant. Never say never, though.

Push-based 2FA also magnifies some of SMS and TOTP's disadvantages: you have to be online through an actual data connection (voice and text cell plans won't work) and you have to be holding the right device to get the message. It's also not very standardized so you can expect to use a login prompt on your Google Pixel to authenticate your other accounts.

Outside of these two very real drawbacks, push-based 2FA has been shown to be secure and convenient. It's also going to factor into Google's future plans to enforce 2FA for your Google account going forward.

The winner! But also annoying!

1. Hardware-based 2FA

Using a separate piece of hardware like an authenticator device or a U2F security key is the best way to secure any online account. It's also the least convenient and the least popular.

You set it up using the hardware and whenever you want to login from a new device or after an amount of time that's set by an account administrator you need to produce the same device to get back in. It works by the device sending a signed challenge code back to the server that is specific to the site, your account, and the device itself. So far U2F has been phish-proof and hack-proof. Again, never say never.

Using a U2F key is the least convenient but most secure way to do two-factor authentication. It's probably not for you because it's a PITA.

You can usually set up more than one device on the same account so you won't lose access if you lose your security key, but it still means that you need to have that key with you every time you want to log in to a website or service. I use a U2F key to secure my Google accounts, and every 12 hours I need to provide the key to get back into my Google Enterprise account for work. That means I have a key in my desk drawer, a key on my keychain, and a key in an envelope that a friend keeps for me in case of an emergency.

Usually, you can also set up a backup method of 2FA if you're using a key, and Google forces you to do so. This is great for convenience but it also compromises the security of your account because the less secure methods are still viable ways for you — or anyone else — to get back in.

Another drawback to using a hardware token like a security key is cost. Using SMS, or an authenticator app or push-based 2FA is free. To use a security key you'll need to purchase one and they can range from $20 to $100 each. Because you really should have at least one backup key if you're going this route this can add up. Finally, using a security key with your phone can be clunky. You'll find keys that work via USB, NFC, and even Bluetooth but no method is 100% reliable 100% of the time when using a key with a phone.

Which is best?

All of them and none of them.

Any type of 2FA on an account is better than none at all, and even SMS-based 2FA means you're more protected than you would be if you just relied on a password. If you have the patience, a program like Google's Advanced Protection Program can make your online life very secure and almost worry-free. But you need to weigh the convenience against the security.

Personally, I wish SMS-based 2FA would just go away because even I can hack it. That means you can, too, if you're willing to do a little bit of reading and some copy-pasting. Worse, it means that anyone can hack it and there are people out there that will take the time and energy to try it on any unsuspecting victim they can find.

In the end, you need to realize that you are a target for online hackers even though you're not a politician or a movie star. This means you really do need to take the extra step or two to protect your online accounts and hopefully knowing a little more about how the different methods of two-factor authentication work can help you make the right decision.

Source: androidcentral

Popular posts from this blog

How to watch season 18 of Grey’s Anatomy online from anywhere

After last season was cut short, Grey's Anatomy is returning to ABC with brand new episodes and we have all the details on how you can watch the longest running medical drama yet on TV or online. Just as ABC did with season 17 last year, the season 18 premiere of the show will actually be a two-hour crossover event with Grey's Anatomy spin-off series Station 19. While Grey's Anatomy tells the story of Meredith Grey, played by Ellen Pompeo, and the other doctors, nurses and residents at Grey Sloan Memorial Hospital, Station 19 follows a group of firefighters from the Seattle Fire Department. Based on the trailer for the two show's latest crossover event, after a Station 19 fire truck is hijacked, a patient needs to be brought on foot to Grey Sloan Memorial Hospital for treatment. Last season of Grey's Anatomy saw Dr. Meredith Gray infected Covid-19 and while in a coma, many characters from past seasons of the show returned to visit her on a beach. Although Mere

PS5 restocks: Here are the latest PS5 stock updates & how to find one

PS5 stock is selling out fast, so be sure to have your credit card ready. Looking to buy a PS5 ? Well, so are millions of other people, and the stock levels we've seen so far are tight, even nearly a year after its launch. Every time a retailer puts stock up for sale, it sells out super quickly. The longest we've seen them stay in stock is maybe 15 to 20 minutes (usually just a few minutes, though), and that's at random times, so finding one for yourself can be a truly difficult task. Sony warned that it will be hard to find stock throughout the year and well into 2022, but retailers are promising more are coming, and Sony has secured additional semiconductor chips to make them. In our PS5 review, we called it a technical marvel with a groundbreaking controller. After spending a few months with it now, it's nearly impossible to go back to the PS4. Everything about the PS5 is better , from the games to the DualSense haptic feedback . You'll definitely want to

How to watch the London Marathon: Live stream online

While it may have once again been postponed from its usual April slot, the delayed 2021 edition of the London Marathon should have a more familiar feel to proceedings this year - read on to find out how to watch this iconic race online, no matter where in the world you are. This year's event welcomes back ametuar and fun runners after last year's race was limited to elite runners, while a limited number of spectators are set to be in attendance along the 26.2-mile route through the UK capital. 2020 winner Shura Kitata returns to defend his title despite a hamstring injury against a field that boasts seven sub-2:04 marathon runners including fellow Ethiopian stars Birhanu Legese and Mosinet Geremew. Kenyan superstar and Olympic silver medalist Brigid Kosge will also be hitting London's streets once more as she looks to replicate her incredible victory in the women's race last year against a strong field of runners that also includes Ethiopia's Roza Dereje, and

Google Pixel 6 price just leaked — and it's lower than we expected

The standard Pixel 6 may only be slightly more expensive than the Pixel 5. What you need to know A new leak suggests the standard Pixel 6 will start at €649 in Europe. The Pixel 6 Pro could be priced at €899 in the old continent. It also claims that the Pixel 6 series will be announced on October 19. Last week, Brandon Lee from This is Tech Today gave us our first real-world look at Google's upcoming Pixel 6 Pro. Lee has now revealed a few more details about the upcoming Pixel 6 series phones in a new YouTube video. According to Brandon Lee's sources, the Google Pixel 6 is going to retail for €649 in Europe, while the bigger Pixel 6 Pro will be priced at €899. While it looks like the Pixel 6 Pro will be nearly as expensive as the best Android phones from Samsung, the standard Pixel 6 may only be €20 more expensive than last year's Pixel 5 . The Pixel 6's black colorway will apparently be called "carbon," while the green option could be marke