Two-factor authentication (2FA), two-step login, or more broadly multi-factor authentication is the method of confirming a user's identity and granting access only after they have successfully presented two or more pieces of evidence, or factors:
- Knowledge: something they know (password, pin, passphrase)
- Possession: something they have (a phone that receives SMS or push notifications, software or hardware tokens)
- Inherence: something they are (iris, fingerprint, voice)
- Location: somewhere they are (GPS coordinates)
Using some sort of two-factor authentication is usually recommended because passwords alone are broken (use a password manager): people tend to pick horrible passwords and often reuse the same one all over the place, companies fail to store them correctly, and then their databases get leaked.
Worst of all, if someone’s looking over your shoulder as you type it in (literally or metaphorically), you are hosed!
Two-factor tries to solve this problem by asking for a second factor. Most online apps and services, like Google, Facebook, Microsoft and Apple, allow you to set up two-factor authentication using a combination of the factors mentioned above.
There are lots of ways to go about implementing a second factor for your online apps and services; these are the most common ways of implementing two-step login:
SMS / Calls: OTP
OTPs or One Time Passwords delivered by SMS or voice call are the most popular way of using two-factor authentication. It is usually deployed by your bank: the OTP you receive on your phone to complete a debit/credit card transaction.
I recommend against receiving your OTPs via SMS or calls. They travel over the carrier network unencrypted, your number can be taken over with a SIM swap at the carrier, and a phishing page can simply ask you for the code and use it within its validity window.
Authenticator Apps: TOTP / HOTP
TOTP (Time-based OTP, RFC 6238) and HOTP (HMAC-based OTP, RFC 4226) are another way of doing two-factor authentication. When you enrol, the service generates a random secret and hands it to your "Authenticator App", usually as a QR code. From then on the app and the server each compute the same short code by running HMAC over that shared secret together with either the current time window (TOTP, usually 30 seconds) or a counter that advances on every use (HOTP).
I recommend this over receiving OTPs via calls or text any day: it is much more secure, and it works even if you don't have an internet connection or even a cell network:
- The shared secret is generated by the server, not chosen by the user, so its strength does not depend on the user; if implemented correctly it is a long random value (RFC 4226 recommends 160 bits) that cannot be obtained through guesswork or brute forcing. The six-digit codes derived from it are short, so the server must rate-limit attempts and refuse a code it has already accepted.
- The shared secret is never transmitted after enrolment; it stays on your device and the server, and only the short-lived code is typed in. That removes the interception and SIM-swap risks of SMS. Note that the code itself is still sent at login, so a phishing page that relays it to the real site within the 30-second window will get in: TOTP is not phishing-proof.
Security Keys or Tokens are the pinnacle of two-factor authentication. Long used in enterprises, they are physical devices, usually a USB key or a smart card, that you plug into (or tap against) the computer you are signing in on.
They are very secure and phishing-proof: the key holds a private key that never leaves the device, and at each login it signs a challenge from the site together with the site's identity, so a signature produced on a look-alike phishing domain is useless to the real site. Some keys add a fingerprint reader or a touch sensor to prove a human is present. Tokens that implement Universal Second Factor (U2F), a standard from the FIDO Alliance, have become a popular choice thanks to browser support and adoption by popular websites and social media sites.
There are different kinds of security tokens, from smart cards to contactless Bluetooth and NFC tokens. I would highly recommend using one wherever you can, especially on high-value accounts like your password manager and online bank.
Backup Codes, as the name suggests, are the simplest of all: you are given a handful of randomly generated codes, each of which can be used once for two-step verification.
Most apps and services require you to set up one of the above methods before offering backup codes, but they come in really handy when you have no access to your devices or to the internet. Store them somewhere safe and offline.
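For the service side of backup codes, here is an added example written for this page (not taken from any product mentioned here). It shows the properties that make single-use codes safe: generation from a CSPRNG with a misread-resistant alphabet, storage of only a salted slow hash so a leaked database does not reveal the codes, constant-time matching, and burning each code on first use. The class and function names, the code format and the PBKDF2 round count are my assumptions.

```python
import hashlib
import hmac
import secrets

# 32 symbols; 0/o/1/l are left out so a printed code cannot be misread.
ALPHABET = "abcdefghijkmnpqrstuvwxyz23456789"
PBKDF2_ROUNDS = 100_000   # assumption; tune so one hash takes ~50-100 ms on the server


def generate_backup_codes(count: int = 10, groups: int = 2, group_len: int = 5) -> list:
    """Return `count` codes like 'k7x2m-q9p4z'. Ten symbols from a 32-symbol
    alphabet give 50 bits of entropy per code, far beyond online guessing."""
    return ["-".join("".join(secrets.choice(ALPHABET) for _ in range(group_len))
                     for _ in range(groups)) for _ in range(count)]


def normalize(code: str) -> str:
    """Accept what users actually type: any case, hyphens and spaces optional."""
    return "".join(ch for ch in code.lower() if ch in ALPHABET)


class BackupCodeStore:
    """What the server keeps for one user: a per-user salt and the hash of each
    unredeemed code. The plaintext codes exist only in the list shown once to
    the user at generation time."""

    def __init__(self, codes):
        self.salt = secrets.token_bytes(16)
        self._hashes = {self._hash(c) for c in codes}

    def _hash(self, code: str) -> bytes:
        # A slow KDF rather than plain SHA-256: 50 bits is within reach of an
        # offline GPU search against a leaked table of fast hashes.
        return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(),
                                   self.salt, PBKDF2_ROUNDS)

    def redeem(self, submitted: str) -> bool:
        """True exactly once per code. Every stored hash is compared in constant
        time so response timing does not reveal how close a guess was.
        Callers must rate-limit this like any other login attempt."""
        candidate = self._hash(submitted)
        matched = None
        for stored in self._hashes:
            if hmac.compare_digest(stored, candidate):
                matched = stored
        if matched is None:
            return False
        self._hashes.discard(matched)   # single use: burn it
        return True

    def remaining(self) -> int:
        return len(self._hashes)
```

A service would persist `salt` and the hash set per user, and prompt the user to regenerate a fresh set once only a few remain.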
Security Prompts or push-based 2FA are a newer way of implementing two-step verification that I have seen implemented by Google. Whenever you try to log in on another device, they send a prompt to the Android device where you are already logged in, asking you to confirm.
It's a pretty nifty idea: no code to generate, nothing sent over an unencrypted medium, none of that fuss; just tap Yes if it's you. The flip side of that convenience is that a plain Yes/No prompt can be approved by reflex, so an attacker who already has your password can keep triggering prompts until you tap the wrong button; prompts that show where the attempt came from, or ask you to match a number displayed on the login screen, resist this. It also only works while your phone is connected to the internet, so I would still recommend having a backup in the form of an authenticator app or backup codes.
How to Set up Two-factor authentication?
You can choose any of the methods mentioned above; I would recommend an authenticator app or a security key, coupled with backup codes, for the best balance of security and ease of use.
Setting up two-factor is pretty straight-forward; first check if your apps and services support 2FA by visiting twofactorauth.org.
Then, click on the Docs link, which will redirect you to specific sites explaining how you can set up two-step login on your accounts.
You can also check out 12 Days of 2FA by Electronic Frontier Foundation, that explains how you can enable 2FA on common services like Amazon, Bank of America, Dropbox, Facebook, Gmail and Google, LinkedIn, Outlook.com and Microsoft, PayPal, Slack, Twitter, and Yahoo Mail.
These are the apps and hardware tokens that I recommend when opting for two-step verification on your online accounts. For most people I recommend an Authenticator App and/or a Security Token, coupled with backup codes.
These are 2FA apps that use the TOTP / HOTP algorithms to generate OTPs for your online accounts. You just scan the QR code a service shows when you enable 2FA to register the account in the app. All the ones recommended here are open source and free to use.
Aegis is my authenticator app of choice for Android devices; it is what I use and recommend for most people. It is a beautiful, free, secure and open source two-factor authentication app with support for both the TOTP and HOTP algorithms, and it manages your two-step verification tokens for your online services with ease.
Aegis lets you lock your vault with a password or a fingerprint and encrypts the vault with AES-256. It supports import and export of the vault for hassle-free switching across devices and authenticator apps such as andOTP and FreeOTP.
Tofu is a free, easy-to-use and open source two-factor authentication app designed specifically for iOS. It has a simple yet intuitive interface, uses the HOTP and TOTP algorithms to generate OTPs for your online accounts, and stores the secrets encrypted in the iOS keychain.
andOTP is another free and open source two-factor authentication app for Android. It has sleek minimalistic material design, with support for both TOTP & HOTP. You can choose between Android KeyStore or Password / PIN for encrypted storage of your vault, it supports backups and easy import and exports.
Authenticator by Matt Rubin is a simple, free, and open source two-factor authentication app for your iPhone, that grew out of the abandoned source for Google Authenticator for iOS. It has a very minimalistic design, with support for both HOTP & TOTP algorithms, it stores all your data encrypted on the iOS keychain.
LibreOTP is a free and open source authenticator web app that runs in your browser, with nothing to install. Just go to libreotp.app and scan your QR codes to get started. Like the other apps mentioned above it doesn't need the internet to work: it's a Progressive Web App (PWA)!
It works on all kinds of devices be it Android, iOS, Windows, Linux, anything with a web browser, you can save the website to your home screen and use it to launch LibreOTP on your device. It is fairly new, doesn’t have a lot of features, but works flawlessly.
Your Password Manager
Most password managers have a built-in authenticator that can store the secrets and generate OTPs for your online accounts. However, a lot of security pundits don't recommend using your password manager for your TOTP / HOTP secrets, as it means you are "putting all your eggs in one basket".
Honestly, if you are using a secure, open source password manager, it is already pretty well protected, and whether you should keep your 2FA secrets in it really depends on your threat model.
Yes, storing your 2FA secrets in your password manager lowers your security: both factors then sit behind a single master password, so anyone who unlocks the vault has everything, and the second factor is no longer really "something you have". Storing them in a separate app costs some convenience in return.
I would recommend using a separate authenticator app or a security token for your high-priority accounts like banks, and using your password manager for the accounts you use frequently, like social media and the like.
Backup Your 2FA Codes
Whatever app you choose for storing and generating 2FA codes, do a regular backup of your vault in an encrypted format and store it somewhere safe.
Security Tokens or FIDO U2F are a relatively new style of 2FA, typically small USB, NFC or Bluetooth Low Energy (BTLE) devices often called "security keys", which recognize the site you are on and respond with a signed challenge that is specific to that site.
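The site-specific signed challenge mentioned here and in the security keys section earlier is what makes these tokens phishing-proof. The following is an added example written for this page (not code from Nitrokey, SoloKeys, U2F Zero or Krypton) that models the U2F authentication step: the bytes the device signs are laid out as in the U2F raw message format, SHA-256(appId) || user-presence flag || counter || SHA-256(clientData), and the browser, not the page, records the origin in clientData. The signature primitive is a stand-in: HMAC-SHA256 with a per-site key in place of ECDSA P-256 with a per-registration private key. The origins and class names are made up.

```python
import base64
import hashlib
import hmac
import json
import os
import struct


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def signed_bytes(app_param: bytes, counter: int, client_data: bytes) -> bytes:
    """U2F raw message layout:
    SHA-256(appId) || user-presence flag (0x01) || 4-byte counter || SHA-256(clientData)."""
    return app_param + b"\x01" + struct.pack(">I", counter) + hashlib.sha256(client_data).digest()


class ToyU2FDevice:
    """One credential per relying party, selected by SHA-256(appId). A real key
    unwraps a per-registration ECDSA private key from the key handle; this
    stand-in keeps a random 32-byte HMAC key instead (assumption for the demo)."""

    def __init__(self):
        self._keys = {}
        self._counter = 0            # monotonic, as on real devices

    def register(self, app_id: str) -> bytes:
        app_param = hashlib.sha256(app_id.encode()).digest()
        self._keys[app_param] = os.urandom(32)
        return self._keys[app_param]  # stand-in for the public key the RP stores

    def authenticate(self, app_id: str, client_data: bytes) -> dict:
        app_param = hashlib.sha256(app_id.encode()).digest()
        key = self._keys.get(app_param)
        if key is None:
            raise KeyError("no credential for this appId")  # real key: bad key handle
        self._counter += 1
        sig = hmac.new(key, signed_bytes(app_param, self._counter, client_data),
                       hashlib.sha256).digest()
        return {"counter": self._counter, "signature": sig}


def browser_client_data(challenge: bytes, origin: str) -> bytes:
    """The browser, not the page's script, fills in the origin the user is really on."""
    return json.dumps({"typ": "navigator.id.getAssertion",
                       "challenge": b64url(challenge), "origin": origin}).encode()


class RelyingParty:
    def __init__(self, origin: str):
        self.origin = origin
        self.app_param = hashlib.sha256(origin.encode()).digest()
        self.key = None
        self.last_counter = 0
        self._pending = set()

    def enroll(self, device: ToyU2FDevice) -> None:
        self.key = device.register(self.origin)

    def new_challenge(self) -> bytes:
        challenge = os.urandom(32)
        self._pending.add(challenge)
        return challenge

    def verify(self, challenge: bytes, client_data: bytes, response: dict) -> bool:
        if challenge not in self._pending:             # unknown or already consumed
            return False
        self._pending.discard(challenge)
        cd = json.loads(client_data)
        if cd.get("origin") != self.origin or cd.get("challenge") != b64url(challenge):
            return False                                # response was made on another site
        if response["counter"] <= self.last_counter:    # replay, or a cloned key
            return False
        expected = hmac.new(self.key, signed_bytes(self.app_param, response["counter"],
                                                   client_data), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response["signature"]):
            return False
        self.last_counter = response["counter"]
        return True


def login_via(device: ToyU2FDevice, rp: RelyingParty, page_origin: str) -> bool:
    """One login attempt with the user on `page_origin`. For the real site that is
    rp.origin; a phishing page relays the real challenge but sits on its own
    origin, which the browser reports and the device keys on."""
    challenge = rp.new_challenge()
    client_data = browser_client_data(challenge, page_origin)
    try:
        response = device.authenticate(page_origin, client_data)
    except KeyError:
        return False                                    # device has nothing to sign with
    return rp.verify(challenge, client_data, response)
```

Against a phishing origin the attempt fails twice over: the device has no credential for that appId, and even if the user had been tricked into registering one there, the relying party rejects the response because the signed clientData names the wrong origin.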
Nitrokey uses open source hardware and software to securely store your keys, and offers multiple devices that support U2F. The devices are tamper-resistant, protecting the stored secrets if a key is lost or stolen.
SoloKeys is the first open source FIDO2 security key; it uses open source hardware and firmware and the FIDO2 standard to securely store your credentials.
U2F Zero is a secure and open source USB token. Designed to be affordable and reliable.
Krypton implements the standardized FIDO Universal 2nd Factor (U2F) protocol to provide secure, un-phishable two-factor authentication on the web, using just your phone.
It’s a pretty amazing idea where you use your phone as the security key to authorize logins to most of the popular sites like Google, Facebook, Dropbox, GitHub, etc.
- Two Factor Auth: List of websites that support different implementations of 2FA along with resources to set up 2FA.
- Dongle Auth: List of websites that support FIDO U2F along with resources to set up your own security devices.
Two-step verification adds another layer of protection between your personal data and your password: if a bad guy gets through the password layer, he still needs your 2FA code or security key to get into your account.
However, neither two-step verification nor a super strong password protects you when the service itself leaks its database: whatever it stored about you is exposed regardless. So use trusted apps and services, and use strong, unique passwords.
That’s all Folks!