This is part of the VPNCity Best Practices series, in which we explain the “What”, “How” and “Why” of practices that improve your security and privacy in day-to-day life, help you understand the technology, dispel the myths and give you the tools to see why your personal privacy and security are in your hands. This part concentrates on two-factor authentication (2FA): why you should enable it and which type to use.
Two-factor authentication is a second authentication step used in combination with your username and password, so that a system can confirm that you are the account owner before granting access. 2FA is becoming more commonplace because of the large number of data breaches, widespread password reuse and leaked personal details.
2FA can be delivered in multiple fashions:
- SMS/Email messaging
  - The service you are trying to access sends a text message or email containing a verification code.
- Software authenticator
  - The service you are trying to access requires a time-based verification code. This is typically Google Authenticator, although some companies offer their own authenticators (such as Blizzard). The software is usually installed on a smartphone.
- Hardware authenticator
  - The service you are trying to access requires a button press on a device such as a YubiKey, or a code read from a token such as an RSA SecurID.
- Biometric
  - Some services can be configured to perform 2FA with biometric data such as a fingerprint or retina scan.
Each system has strengths and weaknesses, benefits and drawbacks.
1. Via SMS/Phone call:
This is the most widely used method of implementing two-factor authentication. A one-time passcode (OTP) is sent to the user's mobile number as an SMS text message, or read out in an automated phone call, to verify their identity.
Pros of SMS 2FA:
- Easy to implement and user-friendly.
- Because the code arrives by SMS, anyone with a mobile phone can use it; no smartphone or app is needed.
Cons of SMS 2FA:
- You need mobile reception to receive the OTP (one-time password).
- You can no longer authenticate if the phone is lost or damaged.
- An attacker who takes over your phone number, by cloning your SIM or by persuading your carrier to move the number to a new SIM (a "SIM swap"), receives your verification messages.
2. Via Email:
Two-factor authentication via email is another common method for gaining access to online accounts. As with SMS or a phone call, the user receives an OTP or secret code, here by email, to prove their identity. Sometimes, instead of a passcode, clicking a unique link in the email grants access to the account.
Pros of Email 2FA:
- User-friendly and easy to implement.
- Available on both computers and phones.
Cons of Email 2FA:
- Unlike SMS or a phone call, an internet connection is required to receive the 2FA code.
- Email delivery is another problem: the message may land in spam, or be delayed or lost by a mail server problem.
- If an attacker compromises your email account, they can also read the 2FA codes for every account that sends its codes to that address.
3. Via Software:
In this method, users install an application on their computer or smartphone to obtain the 2FA code. At enrolment the app and the service agree a shared secret (usually scanned from a QR code); the app then combines that secret with the current time to generate codes that are only valid for a short period, typically 30 seconds. Google Authenticator and the Blizzard Authenticator are examples of such software.
Pros of Software 2FA:
- User-friendly and easy to implement.
- No waiting for a passcode by email or SMS: the code is generated locally in the authenticator app, so no network connection is needed to obtain it.
- Cross-platform support: some authenticator apps, such as Authy, run on both smartphones and computers, so if you lose your phone you can still obtain the 2FA code from the app on your computer.
Cons of Software 2FA:
- Not available to every user, since it requires a smartphone or computer.
- Anyone with access to your phone or computer (or to the shared secret, for example from an unencrypted backup) could compromise your account.
4. Via Hardware:
In this method, the 2FA token is generated by a dedicated hardware device, a key fob or dongle, typically a YubiKey or an RSA SecurID token. A YubiKey is plugged in and its button pressed, whereas an RSA SecurID token displays a time-based code that changes periodically.
Pros of Hardware 2FA:
- Easy to use: plug in and press a button, or read the code off the display.
- No internet connection required.
- Most secure 2FA method: the secret is held in dedicated hardware rather than in software that malware on your phone or computer could read.
Cons of Hardware 2FA:
- Expensive to set up and maintain.
- Devices can be misplaced, forgotten or lost, so a spare device or backup recovery codes are needed.
5. Via Biometric:
In biometric verification, the user's body becomes the token: typically a fingerprint, although retina, voice or facial recognition is also possible, is used to prove your identity and gain access to your account.
Pros of Biometric 2FA:
- Convenient: you are the token, so there is nothing to carry, remember or type.
- No internet connection required.
Cons of Biometric 2FA:
- Storing your biometric data on someone else's servers raises privacy problems.
- Special devices such as fingerprint scanners or cameras are needed.
- Unlike a password or a token's secret, a biometric cannot be changed if it is leaked.
So which is the best 2FA system?
Whilst biometric 2FA would be the most convenient system for most people, it carries some issues. Like a password, a second factor should be changeable if it is compromised, but biometric data cannot be changed. Additionally, biometric data is not currently protected in law in the way a password is, especially in the United States or United Kingdom, so you do not have the same legal protection as when using a password. The other 2FA systems rely on a secret, like a password, and as such would be protected under legislation (meaning a court order would be needed for law enforcement investigating a crime to obtain the data). SMS and email codes both depend on a third party (the mobile carrier or the mail provider) delivering a message over a network, which is not always available; a software authenticator generates its codes offline, but its shared secret lives on a general-purpose phone or computer that can be lost, infected or backed up to someone else's servers.
As a result, the best practice is to use a hardware authenticator. Most businesses that require enhanced security use hardware authenticators because they offer the most protection, with RSA SecurID being standard in high-security industries such as communications, defence and the military.
For transparency, I utilise a YubiKey as my 2FA wherever possible and Google Authenticator if a YubiKey is not available.