Note: This blog post has been migrated from an older blog
For example, if I want to log into my GitHub account, which uses two-factor authentication, I need to provide both a password and a six-digit code to access the account. Using two-factor authentication makes it a bit harder for hackers to gain access to your account even if they were able to get your password, since the second factor is needed to verify the login request. Now that we know what two-factor authentication is and how it helps, let’s explore the options.
Option 1: One Time Passwords via SMS
The most common option is a one-time password (OTP) sent via SMS whenever a login is requested. The good thing about this option is that the password is unique each time it’s generated, meaning that once it’s used, it becomes invalid. While the OTP via SMS option is simple to get going and it’s better than not having TFA, it has many downsides. A practical downside is that you won’t be able to get the OTP when there’s no phone reception (like when you’re traveling), and you have to give away your phone number, which could bring about spam. Also, it’s possible for your phone number to get “stolen” through social engineering, such as an attacker tricking the cell provider into terminating your SIM and issuing a replacement to the attacker. This happened to some prominent YouTubers last year, such as h3h3, LinusTechTips and boogie2988, where poodlecorp was able to access their channels and deface them, with help from “Forgot Password” and overwhelmed customer support.
Option 2: Time-based One Time Password (TOTP)
Given the limitations of OTP via SMS, a step up would be to use a Time-based One-Time Password, or TOTP. TOTP combines the current time and a secret key to form a temporary code needed to access an account. TOTP codes are typically managed in an authenticator application, such as Authy or Google Authenticator. Since they work off of time rather than an SMS, they’re much more convenient. Also, authenticator applications are much harder to spoof. They aren’t perfect, however. Because TOTP is time-based and the clocks on your device and the server don’t always line up perfectly, servers usually accept TOTP codes for a little longer than their nominal expiry to make sure things work. Also, if the secret key used to form the code were to leak, anyone holding it can calculate the TOTP codes.
Option 3: Login Verification
Another TFA option is login verification, where a notification is sent to your device asking you to verify a login request. It uses public key cryptography, set up so that only you (holding the private key on your device) can authorize a login request, and only the service (holding the matching public key) can validate that authorization. Public key cryptography is a bit complex, but login verification is the simplest option out there. With login verification, all you need to do is click a notification and you’re done! The main issue is that the device which gets the notification needs internet access, and if the private key is stolen, you’re screwed.
Option 4: Security Tokens
The most secure of the TFA options are security tokens such as YubiKeys and smart cards. Security tokens are considered true two-factor authentication (better yet, two separate values) since they work completely independently of the server. I haven’t had much experience with security tokens, but from what I’ve read, they’re purpose-built to authenticate accounts. The codes (or “codes”) generated by these tokens can be in a random loop, cued on demand, or not even require your input whatsoever. Since they’re purpose-built, they’re very solid options. The issues with security tokens are that they can be lost or stolen, you might need a lot of keys for your different accounts, the private key can be extracted from the device (with lots of effort), and they tend to be more expensive than using a phone you already have.
What Option Should You Choose?
The TFA option you choose comes down to a number of factors, such as whether the service supports that particular option (let alone two-factor authentication at all), how much the account means to you, what you can afford, and what you’re willing to tolerate for the sake of security.
I’ll use myself as an example. For me, given how careless I am, security tokens aren’t an option. Since I’m glued to my phone and I travel quite a bit, I prefer to use the TOTP option via Authy since it doesn’t need internet. If the option is available, I tend to activate the login verification feature because it’s just a matter of clicking yes or no. If the above options aren’t supported, I just use the SMS-based TFA since it’s better than nothing.
If you want to see if your online accounts support two-factor authentication, head over to twofactorauth.org, home to the Two Factor Auth List. There, you can look up a service and see which TFA options it supports and any potential issues, and if the service doesn’t support TFA, the site lets you send a message to the service’s Twitter or Facebook asking them to add the option.
Like password managers, two-factor authentication should be another layer in your security. TFA usually makes breaking into an account a whole lot harder, but there are some drawbacks, such as the secret keys used for verification being stolen, and the fact that, since none of these options are perfect, services often supply you with backup codes, which are much easier to steal. Oh, and the rubber hose is still a thing.
There you have it! A guide to two-factor authentication! Check out the Two Factor Auth List to see if your services support two-factor authentication. For a TOTP option, check out Authy, my chosen TOTP method. If you’re more inclined to using security tokens, Yubico have some great options, and if you don’t like those, you can make your own security key.
That’s all for now. Share this post if you found it useful and until next time, seize the means of computation.
Wanna see what I’ve got lined up? Watch the Trello Board here.
Have an opinion about me? Let me know what you think here.
The links are no longer active.