Getting Started with Multi-Factor Authentication (2FA/MFA)

In a previous post, I covered the importance of password managers. Making sure you never reuse a password significantly improves your security posture, but a single password can still be phished, leaked or guessed, so it is always better to add a second factor of authentication.
In this post, I'll cover the different 2FA methods and which ones you should use on every account that supports them.
Authenticator applications for TOTP
One of the most common 2FA methods is the time-based one-time password, aka TOTP (RFC 6238). The app and the service share a secret key, usually enrolled by scanning a QR code, and a standardized algorithm combines that secret with the current time, in 30-second steps, to derive a short numeric code. The server runs the same computation and checks that the codes match.
The great thing about app-based TOTP is that it needs no network connection, only the shared secret and a reasonably accurate clock, so it can be used offline (for example, on a standalone device that never goes online).
Two of the most popular options for authenticator apps are Google Authenticator and Twilio Authy.
Since these apps live on your mobile device, make sure the device itself is kept updated and secured.
Some people go a step further and use a second, otherwise-disconnected smartphone just for 2FA.
SMS based 2FA
Probably the most common, and often the default, 2FA option is using SMS to send authentication codes. Since nearly everyone has a phone number and can receive SMS messages, it is arguably the easiest 2FA option available.
Unfortunately, convenience and security do not mix well here. SMS is not a secure channel by any means, and, making matters worse, you are relying on the security processes of the telco that issued the phone number in the first place.
An attacker can either convince the carrier that they are you and have your number reassigned to a SIM they control, or use unregulated third-party services to reroute your SMS messages to themselves.
Individual techniques come and go, but SIM swapping in particular remains very effective and is a common tool in attackers' arsenals.
Hardware-based 2FA
Using a completely separate piece of hardware as your second factor is considered the most secure option and, unsurprisingly, the least convenient.
A U2F key (the standard has since evolved into FIDO2/WebAuthn) is a small USB stick or NFC token that you plug into or tap on your device. It does not display a code: when you log in, the browser hands the key a challenge that includes the site's origin, and the key signs it with a private key that never leaves the hardware. Because the signature is bound to the genuine origin, a phishing page on a look-alike domain cannot obtain a usable response, which closes the gap that a relayed TOTP or SMS code leaves open.
The most popular company offering these keys is Yubico. They offer USB-A, USB-C, Lightning, and NFC-based keys.
You should always register at least two keys on each account (one as a backup), which makes this the most expensive form of 2FA, as each key costs roughly $25 to $100 USD.
Conclusion
In my opinion, 2FA should be enforced in most places.
If you’re ready to sacrifice some convenience for the strongest possible security, then get a couple of YubiKeys; depending on your workflows, it might not be that inconvenient at all (I don’t think it’s that bad).
If you’re looking for a free option, then settle for a TOTP-based authenticator app such as Google Authenticator.
Lastly, any second factor is better than none, so if nothing else is available, keep SMS-based 2FA on. Just keep in mind that it is not as secure as the other options, and replace it with at least a TOTP-based app as soon as the service supports one.