An explanation of two factor authentication

Two-factor authentication (2FA) is a security measure used to protect user accounts from unauthorized access. It requires users to provide two forms of identification before they can access their accounts. 2FA is essential to prevent unauthorized access to sensitive information and personal data. In this blog post, we will explore the different methods of 2FA and compare them from a security perspective. We will also discuss backup codes and why they are essential.

Methods of Two-Factor Authentication

There are several methods of 2FA, each with its own advantages and disadvantages. The following are some of the most commonly used methods:

1. SMS Authentication: SMS authentication involves sending a unique code to a user’s phone number. The user must enter the code into the login screen to access their account. This method is easy to use and widely available, but it is not very secure. SMS messages can be intercepted or redirected, and it is possible for attackers to gain access to a user’s phone number.
   
2. Authenticator Apps: Authenticator apps generate time-sensitive codes that users must enter into the login screen. These codes are based on a shared secret key between the app and the service being accessed. This method is more secure than SMS authentication, as the code is generated on a separate device and cannot be intercepted or redirected. Popular authenticator apps include Google Authenticator, Authy, and, my favorite, 1Password.
   
3. Hardware Tokens: Hardware tokens are physical devices that generate time-sensitive codes. They are similar to authenticator apps, but they do not rely on a separate device. Instead, the user must plug the token into their computer or mobile device and enter the code displayed on the token. This method is very secure, but it can be a bit expensive. My favorite is Yubikey.
   
4. Biometric Authentication: Biometric authentication uses unique physical characteristics, such as fingerprints or facial recognition, to verify a user’s identity. This method is easy to use and secure, but it requires hardware that supports biometric authentication.
   

Security Comparison

Each method of 2FA has its own advantages and disadvantages, and the security of each method depends on several factors. SMS authentication is the least secure method, as it is vulnerable to interception and redirection. Some common ways that this method of 2FA can be compromised include

1- SIM card swapping

2- Phone cloning

3- SMS vulnerability exploits

Authenticator apps are next up the hierarchy, they are more secure than SMS authentication. But since they are software applications, they are also vulnerable to software exploits. Either in the OS they are hosted on, the libraries they use or their own code. There are many paths to compromise them. But they are more secure than SMS.

Hardware tokens are more secure, as they do not have any software component to be compromised. To the best of my knowledge, no hardware 2FA has been compromised until now. Biometric authentication is also secure, but it requires hardware that supports biometric identification.

Backup Codes

Many friends and family members who are new to 2FA ask me what the backup codes they receive when they activate 2FA are. They are one-time use codes that can be used to access an account if the primary 2FA method is unavailable. They are essential in case a user loses their phone or hardware token. So for example, if you use hardware keys as your primary method of authentication, and you lose your key, you can use one of these codes to get into your account and setup an alternative method of 2FA.

Please note that these codes are typically one-time use. This means after you have used a code to access your account, it becomes useless. Delete it. Most services allow you to re-generate a new set of backup codes when you deplete your initial set.

You should keep backup codes in a safe place, such as a password manager or a secure physical location. If you just store them in a file on your computer, anyone can use them to access your accounts — defeating the purpose of 2FA. The attacker doesn’t have to be physically at your computer to do this, they can get the file over the network. Also, definitely do not store this file on the cloud, unless you want employees of the cloud service to be able to access your accounts!

Conclusion

Two-factor authentication is an essential security measure that helps protect user accounts from unauthorized access. There are several methods of 2FA, each with its own advantages and disadvantages. SMS authentication is the least secure method, while hardware tokens are the most secure but can be expensive to use. Authenticator apps and biometric authentication are also secure and easy to use. Backup codes are essential in case the primary 2FA method is unavailable. Users should choose the 2FA method that best suits their needs and keep backup codes in a safe place.