Two-Factor Authentication

Two-factor Authentication (2FA), or more generally Multi-Factor Authentication (MFA), means requiring at least two independent forms of authentication for a login, typically something you know (your password) plus something you have (a phone or a token). This adds an extra layer of security to your accounts for very little effort. This post covers the methods available for client-side 2FA, along with the pros and cons of each. Implementing server-side 2FA will come in a later post, with a more in-depth look at setting up TOTP, SMS, and email on the server side.

The most common second factor is SMS, where a code is sent to a phone number that was specified when setting up 2FA. The next most common methods are a phone call or an email. The strongest options, though, are hardware tokens and software tokens. Let's take a look at each method and its advantages and disadvantages.

SMS

SMS is the most common method available, but opinions on it are strongly mixed because of its disadvantages.

The main advantage of SMS-based 2FA is that it uses something you already have: there is no need to download an app or set up a hardware token, and if you don't have a smartphone it is really the only readily available option, since many websites do not support hardware tokens. SMS-based 2FA also inherently alerts you when someone is trying to access your account, because you'll receive a message with a code you didn't request.

One of the common complaints against SMS-based 2FA is that someone can hijack your SMSes with a SIM swap, where an attacker uses social engineering to convince a wireless provider that they are you and orders a replacement SIM card. Once they insert the SIM in their phone and activate it, yours is effectively deactivated and all phone calls and messages go to them instead, which of course includes any 2FA codes. A code delivered by SMS can also simply be phished, since you type it into whatever page asks for it. For these reasons NIST's Digital Identity Guidelines (SP 800-63B) discourage SMS as an out-of-band authenticator and classify its use as restricted, because delivery depends on the phone network rather than on something you control. The last disadvantage is that if you don't have cell service, or if your phone gets lost or stolen, you're pretty much out of luck and will have to use one of the backup/recovery codes you hopefully saved when setting up 2FA on the account.

Personally I would say that it is much better to use at least SMS-based 2FA even with the disadvantages because some form of 2FA is better than nothing at all, and let’s be real here, most people won’t have to worry about someone doing a SIM swap against them.

Phone Call

Receiving a code via a phone call is next in line, and it shares most of its advantages and disadvantages with SMS, so I'll keep this method's synopsis brief. Just like SMS, the ability to receive a phone call requires no additional setup, as it is built into your phone. Call-based 2FA also alerts you when someone tries to access an account, since you will receive a phone call with an authentication code. This also means that a SIM swap defeats this method exactly as it defeats SMS.

Email

Email is next in line, though it should be noted that this method is relatively uncommon, so I won't spend much time on it either. There isn't much to say about using email as a 2FA method, other than that you need access to your email account to get the login code. So if you have no signal and aren't connected to Wi-Fi, you will not be getting your codes. In addition, if you don't own a smartphone, then you'll have to use a computer to access your email to get the code, which is just inconvenient. At the end of the day security must be convenient or nobody will want to use it, which is why I feel most sites don't offer this method, and for the sites that do offer it I would not recommend using it.

Hardware Token

Now we're starting to get to the bread and butter of 2FA, starting with hardware tokens. A hardware token is a physical device that you carry with you, likely on your keyring. The main type of hardware token is one that displays a code derived from a secret seed stored in the device and the current time, changing at a set interval (usually 30 or 60 seconds), like RSA's SecurID. The other type is a USB authentication key, like a YubiKey, which you plug in and which provides various methods of authentication such as one-time passwords, smart cards, and FIDO U2F; there are also USB keys that support NFC for use with mobile devices.

Out of all the options available, hardware tokens are likely the most secure method for 2FA. Their primary disadvantage, of course, is that a physical device can be lost. Unless you keep it on a keyring or somewhere safe and secure, you can very easily lose the device, or it could be stolen. Theft by itself isn't a huge issue, because the token holds no PII or account credentials and is only one of your two factors, but it is recommended to keep a backup device registered in case this happens. The only time theft is a real issue is when the thief already knows your password and which account your token protects.

Software Token

Last but not least we have software tokens, which means either push notifications from an app or codes generated in an app (usually TOTP, the same time-based scheme that hardware tokens use). Out of all the methods available, this is likely the most readily available option and should be the one you aim for. As I mentioned before, most sites don't offer hardware tokens as an option for 2FA, but quite a few offer software tokens.

The primary option you'll see is likely Google's Authenticator app, which is available for both iOS and Android and works like most other authenticator apps: you scan a QR code generated during the 2FA setup process (it carries the shared secret for that account), then enter the 6-digit code the app generates into the setup page to verify it is correct. The main disadvantage of Google Authenticator is that it is device dependent: if you upgrade to a new phone you have to log into each account, turn 2FA off, then turn it back on and set it up again on the new phone. (Newer versions of the app can export your accounts to another device via a QR code, which eases the upgrade case, but only while you still have the old phone.) In addition, if you lose your phone you're out of luck and will have to use the backup/recovery codes that you should have saved when setting up 2FA on each of your accounts.
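As an added example, not code from the original post, here is how the time-based codes produced by both the hardware tokens described earlier and by authenticator apps are computed: RFC 6238 TOTP, which is RFC 4226 HOTP with the counter set to the current 30-second time step. The script parses the otpauth:// URI that a setup page encodes in its QR code, derives the 6-digit code from the base32 secret, and shows the small drift window a verifier typically allows. The URI, account label and issuer are constructed for this example; the secret is the RFC 6238 reference seed, so the printed codes can be checked against the RFC's test table.

```python
# Added example (not from the original post): RFC 6238 TOTP, the algorithm
# behind authenticator apps and time-based hardware tokens. Assumes the
# defaults Google Authenticator and Authy use: SHA-1, 6 digits, 30 s step.
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: the URI a 2FA setup page would embed in its QR code.
# The secret is the RFC 6238 reference seed ("12345678901234567890" in base32),
# so the codes below can be checked against the RFC's test vectors.
SAMPLE_URI = (
    "otpauth://totp/Example:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30"
)


def parse_otpauth_uri(uri: str) -> dict:
    """Pull the shared secret and parameters out of an otpauth://totp/ URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": params["secret"],
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
        "algorithm": params.get("algorithm", "SHA1").lower(),
    }


def decode_secret(b32: str) -> bytes:
    """Setup pages hand out base32 without '=' padding; restore it before decoding."""
    s = b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC(key, 8-byte big-endian counter), dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, digits: int = 6, period: int = 30, algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP with the counter set to the current time step (unix time // period)."""
    return hotp(key, at // period, digits, algorithm)


def verify_totp(key: bytes, code: str, at: int, window: int = 1,
                digits: int = 6, period: int = 30) -> bool:
    """Verifier side: accept the current step and +-window neighbours to absorb
    clock drift, comparing in constant time. A real server must additionally
    refuse to accept the same code twice for the same step (not shown here)."""
    step = at // period
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, step + delta, digits), code):
            return True
    return False


if __name__ == "__main__":
    account = parse_otpauth_uri(SAMPLE_URI)
    key = decode_secret(account["secret"])
    print(f"Current code for {account['label']}: {totp(key, int(time.time()))}")
    # RFC 6238 reference times; its table lists 8-digit values, shown here as 6.
    for t in (59, 1111111109, 1234567890, 20000000000):
        print(t, totp(key, t))
```

Because the code is a pure function of the secret and the clock, a phone that is more than one step out of sync, or a server that accepts a wider window than it needs to, quietly weakens the scheme; this is why a verifier keeps `window` small and why a lost phone means re-enrolling rather than recovering the secret.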

But don't fret, as another option is Authy, which is the app that I use personally. Authy is also available for both iOS and Android, but it is not device dependent: if you upgrade or lose your phone, all you have to do is download the app on a new device and sign into your Authy account, and all of your login codes will still be there, provided you have Authenticator Backups enabled (which you should absolutely enable and protect with a strong password, since that password is what encrypts the backed-up secrets). I highly recommend setting up the Protection PIN in the app as well.


That about sums it up. If you have any further questions, please feel free to comment below and I'll respond as soon as I can and answer to the best of my abilities. To see which sites offer 2FA, I recommend checking out https://twofactorauth.org/, a well-maintained list of sites and the status of their 2FA offerings.

Written By jamesmontour

James Montour is a Systems Administrator and information security enthusiast living in the US. His skills include Active Directory Administration, Database Administration, Network Administration, Automation/Scripting, Windows Server Management, and IT Compliance.