What Form of Two-Factor Authentication Should I Use?

Two-factor authentication is one of the most important ways to protect your accounts. Recently, however, some delivery methods, SMS in particular, have been criticized as vulnerable to interception and account takeover, which undermines the principle of “something you know and something you have.” We decided to take a look at the most common methods and rank them in terms of security.

While we talk about two-factor authentication (or 2FA) as a single feature, it actually comes in many different flavors, including SMS codes, email codes, authenticator apps on your phone, or even a hardware dongle. If you are using SMS right now, don’t panic. Any form of two-factor authentication is better than none. Do not disable 2FA just to avoid SMS.

However, the National Institute of Standards and Technology (NIST) has published draft guidance (its Digital Identity Guidelines, SP 800-63B) deprecating SMS as a channel for one-time codes, on the grounds that messages can be intercepted or redirected and that services should move to safer methods. Companies are not required to follow NIST guidelines, but many can be expected to move away from SMS over time. If you have the opportunity, consider switching to something else now.

Authenticator apps like Authy and Google Authenticator are harder to set up but much more secure

The basic idea behind 2FA is to combine something you know (your password) with something you have (such as your phone). Authenticator apps like our beloved Authy turn your phone into the “something you have” without putting any third party in the loop.

Here’s how it works: when you first set it up, the service generates a random secret “seed” and hands it to your phone, usually as a QR code you scan. From then on, your phone and the server each compute a keyed hash (an HMAC) over the seed and the current 30-second time step, and the last six digits of the result are your code. A new code appears every 30 seconds. Only you and the server know the seed, so an attacker cannot predict what your next code will be.

This has several advantages over SMS and email. For starters, you and the server are the only parties that can ever generate your codes. There is no email provider, cellular operator, or other middleman. Codes are generated on your device and you only transmit one during the short 30-second window in which it is valid, so an intercepted code goes stale before it is of much use. The one exception is real-time phishing: a fake login page that relays your code to the real site within the same window still gets in, so keep checking the address bar before you type a code.
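To make the two paragraphs above concrete, here is an added example (not code from the original article or from any authenticator vendor) of the TOTP scheme those apps implement: the seed is shared once through the QR code, then both ends compute HMAC-SHA1 over the seed and the 30-second time step, and the server accepts a code only within a small drift window and never twice. The account name, issuer and the `verify` parameters are placeholders chosen for the example; the seed used in the demo is the published RFC 4226/6238 test-vector secret so the outputs can be checked against the standards.

```python
"""TOTP as used by authenticator apps: shared seed + current time step -> 6-digit code."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6   # code length most services use


def new_seed(nbytes: int = 20) -> bytes:
    """Server side, at enrollment: a random shared secret. 20 bytes suits HMAC-SHA1."""
    return secrets.token_bytes(nbytes)


def provisioning_uri(seed: bytes, account: str, issuer: str) -> str:
    """The text the enrollment QR code carries (the otpauth key-URI format that
    Google Authenticator, Authy and others scan). The account and issuer are
    whatever the site chooses; the values used in the demo are placeholders."""
    b32 = base64.b32encode(seed).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1(seed, counter as 8-byte big-endian), dynamic truncation
    to a 31-bit integer, then the last `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(seed: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238: HOTP where the counter is the number of `step`-second intervals
    since the Unix epoch. Both ends compute this independently; nothing is sent
    to the phone after enrollment."""
    return hotp(seed, at // step)


def verify(seed: bytes, code: str, at: int, last_used: int = -1,
           step: int = STEP, skew: int = 1) -> Optional[int]:
    """Server side. Returns the time step the code matched, or None.
    - accepts the current step and +/- `skew` neighbours to tolerate clock drift;
    - refuses any step <= last_used, so an accepted code cannot be replayed even
      inside its 30-second window (the server persists the returned step);
    - compares in constant time."""
    t = at // step
    for candidate in range(t - skew, t + skew + 1):
        if candidate > last_used and hmac.compare_digest(hotp(seed, candidate), code):
            return candidate
    return None


# RFC 4226 / RFC 6238 test-vector seed (ASCII "12345678901234567890"), so the
# values below can be checked against the standards rather than trusted blindly.
RFC_SEED = b"12345678901234567890"

if __name__ == "__main__":
    print(provisioning_uri(RFC_SEED, "alice@example.com", "Example"))
    print("code at t=59:", totp(RFC_SEED, 59))            # 287082 per RFC 6238
    print("accepted at t=59:", verify(RFC_SEED, "287082", 59))
    print("replay at t=61:", verify(RFC_SEED, "287082", 61, last_used=1))
    print("same code at t=120:", verify(RFC_SEED, "287082", 120))
    print("live code now:", totp(new_seed(), int(time.time())))
```

The replay check is the part most home-grown verifiers forget: without remembering `last_used`, a phished code stays valid for the rest of its window even after the real user has logged in with it.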

Most of the major services like Dropbox, Amazon, Evernote, and LastPass support these authenticator apps, which is encouraging. However, these apps carry a few minor risks. Third-party apps like Authy can synchronize seeds across multiple devices, so an attacker who swipes a device you are not watching gets a working copy of your codes. There is also the possibility that an attacker could compromise the authentication service itself and obtain users’ seeds, although anyone who breaks in there is more likely to go after more valuable data. Overall, authenticator apps are the hardest option to attack remotely right now; the risks that remain are the ones in your own hands, such as losing your device, leaving it unlocked on your desk, or losing access to your codes entirely if the phone is lost without a backup.

Security rating: 4/5: Authenticator apps are the most secure option here; the only risks left are the ones you create yourself.

One-button authentication is easier, but most services don’t support it yet

The newest two-factor method is one-button authentication. It works much like the authenticator apps above, except that you don’t copy a six-digit code from your phone into a text box. Your phone, already registered to the account, receives a prompt; you tap “Yes, it’s me” and you’re done. Google and Blizzard are the two largest names currently offering this method.

The key difference from authenticator apps is that the code is handled for you; you don’t type anything. Blizzard shows a number on your phone and asks whether it matches the number on your computer. Google shows no code at all, only a prompt to approve or deny the sign-in. If that prompt appears when you are not trying to sign in, someone who knows your password is, so deny it and change your password.

At first glance, this method looks as secure as the generated codes in authenticator apps, but it is still relatively new. Most services don’t offer it, so for a while it will be wishful thinking on anything other than your Google account (or Battle.net account). If you prefer an easier login, you can trust it; it rests on the same foundation as the authenticator apps you probably already use, with your registered phone as the “something you have,” just with the copying removed. The habit that matters is never approving a prompt you didn’t trigger, since a plain yes/no prompt is only as strong as your attention; Blizzard’s number check is the sounder design for exactly that reason.
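The following is an added example, written for this page and not Google’s or Blizzard’s actual protocol, that models the one-button exchange described above: the server creates a single-use prompt after the password is accepted, the registered phone answers with a keyed tag, and the server checks it. It also shows why the two variants differ: with a plain yes/no prompt a blind tap approves whatever login is pending, while with number matching (the stronger form, where the user types the number from the login screen into the phone) an attacker-triggered prompt fails even if the user taps yes. All message formats, field names and the 60-second prompt lifetime are assumptions made for the example.

```python
"""Constructed model of push ("one-button") approval as a second factor."""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

PROMPT_TTL = 60  # seconds a pending prompt stays valid (assumed value)


def approval_tag(device_key: bytes, challenge_id: str, number: str) -> str:
    """What the phone sends back: an HMAC, keyed with the secret it received at
    enrollment, over the challenge id and the number the user confirmed."""
    msg = f"{challenge_id}:{number}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


class PushServer:
    """Server side. Message formats and field names are assumptions made for this
    example, not any vendor's protocol."""

    def __init__(self) -> None:
        self.device_keys: Dict[str, bytes] = {}              # user -> enrolled phone key
        self.pending: Dict[str, Tuple[str, str, int]] = {}   # challenge -> (user, number, expiry)

    def enroll(self, user: str) -> bytes:
        """Done once, like scanning a QR code: the phone gets a per-device secret."""
        key = secrets.token_bytes(32)
        self.device_keys[user] = key
        return key

    def start_login(self, user: str, now: int, number_match: bool = True) -> dict:
        """Called after the password was accepted. Creates a single-use prompt and
        'pushes' it to the phone; returns what the login screen displays."""
        challenge_id = secrets.token_hex(16)
        number = f"{secrets.randbelow(100):02d}" if number_match else ""
        self.pending[challenge_id] = (user, number, now + PROMPT_TTL)
        return {"challenge_id": challenge_id, "display_number": number}

    def approve(self, challenge_id: str, tag: str, now: int) -> bool:
        """Consume the prompt (so it cannot be approved twice), check expiry, and
        check that the phone's tag commits to the number this login displayed."""
        entry = self.pending.pop(challenge_id, None)
        if entry is None:
            return False
        user, number, expires = entry
        if now > expires:
            return False
        expected = approval_tag(self.device_keys[user], challenge_id, number)
        return hmac.compare_digest(expected, tag)


def phone_tap_yes(device_key: bytes, challenge_id: str, typed_number: str = "") -> str:
    """Phone side. With number matching the user types the number from the login
    screen; with a plain prompt there is nothing to type."""
    return approval_tag(device_key, challenge_id, typed_number)


if __name__ == "__main__":
    server = PushServer()
    key = server.enroll("alice")
    # Legitimate login: the user reads the number off their own screen.
    shown = server.start_login("alice", now=1000)
    print("own login:", server.approve(
        shown["challenge_id"],
        phone_tap_yes(key, shown["challenge_id"], shown["display_number"]), now=1005))
    # Attacker with the password triggers a prompt; the user taps yes out of habit
    # but cannot see the attacker's screen, so the typed number is wrong.
    stolen = server.start_login("alice", now=1000)
    guess = "00" if stolen["display_number"] != "00" else "01"
    print("attacker's login, blind approval:", server.approve(
        stolen["challenge_id"],
        phone_tap_yes(key, stolen["challenge_id"], guess), now=1005))
```

Because the tag commits to the number the server generated for that specific login, a stray tap on an unexpected prompt is harmless in the number-matching variant; in the plain variant the only defence is the user noticing that they did not start a login.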

Security rating: 4/5: More secure than SMS and email, but new and practically unsupported.

Codes sent by email are slightly safer than SMS, but you can’t control who reads your inbox

Some services let you verify a login by emailing you a code. Email codes are slightly safer than SMS codes, but they still have drawbacks. First, your email provider becomes the weakest link. If someone can get into your email account, they can read your 2FA codes directly. Some providers, like Google, are good at protecting you (especially if the email account itself is protected by 2FA), but it is still another link in the chain that can break.

Email also suffers from many of the same user-created problems as SMS codes. For example, how many devices and applications currently have access to your email account? For most people that is a phone, a laptop or desktop, and possibly a tablet, plus any third-party services you have granted access to your mailbox. An attacker who swipes your tablet, or who breaks into an old contacts app or calendar organizer that still has access to your inbox, could log into your accounts before you know what happened.

Email is slightly safer than SMS, but not by much. Most major email providers encrypt your messages in transit, and your email account cannot be “cloned” the way a SIM card can. However, attackers can still get at your email by attacking your provider, by attacking third parties with access to your mailbox, or by reading your inbox on one of the many devices you are logged in on. Any service you use on multiple devices is unlikely to be the best way to receive authentication codes that only you should see. If you can use something else, you will probably be better off.

Security rating: 2/5: Better than SMS if you have no other choice, but still far from ideal.

SMS codes are ubiquitous but easy to hack

Sending SMS codes to your phone to verify your identity is easy, but it is the least secure two-factor method. Simply put, 2FA assumes that you receive codes on a device that only you control, and SMS as a protocol cannot guarantee this. An attacker can intercept text messages on their way to your device, or clone your phone’s SIM card and pose as you to reach all of your accounts. Because carriers are involved, someone could even talk your carrier into transferring your number to a device they control (a SIM swap) before you realize what has happened. None of these attacks is trivial, but all of them take less effort than attacking the other 2FA methods.

Those are the risks inherent in SMS itself. In practice, many of us also read SMS messages through other applications. Google Voice and MightyText organize texts and forward them to other computers. Some carriers still support sending and receiving SMS from your email account. Pushbullet, and even Windows 10, can display your messages on another computer. These tools are not insecure in themselves, but each one is another place an attacker who wants your codes can look. Many of us (myself included) accept that trade-off, but it undermines the key principle of 2FA: you and only you have this code. If a service supports only SMS-based two-factor authentication, that is better than nothing, but use something else whenever you can.

Security rating: 1/5: Only use if no other 2FA method is available.

These are not the only methods available. We haven’t touched on automated phone calls, which suffer from many of the same shortcomings as SMS, or hardware keys, which most people won’t bother with, but the options above are the most popular ones for most services. Remember, there is no perfect security solution, but some methods are better than others. We’re still trying to get most sites to enable 2FA at all, let alone use the best method. However, if you have a choice, choose the best and safest option you have. …
