In my previous article, I discussed using password managers to enhance your security. Another crucial aspect to consider is two-factor authentication (2FA). 2FA adds a second layer of security to your accounts: if your password is compromised, an attacker still has to pass a second check (a code from an app, a message to your phone, or a physical key) before they can sign in, so a stolen password alone is not enough. There are various forms of two-factor authentication available today, such as:
- Text/SMS messaging or voice calling
- Email login links, codes, or one-click logins
- Dedicated authentication applications
- Security keys like YubiKey
With the multitude of options available, choosing the right one may not always be in your control: many popular services only offer a fixed set of methods, usually a dedicated authenticator app or text-message codes.
Authenticator Apps
Dedicated authentication applications store a secret key, which you load by scanning a QR code or pasting an otpauth link. From that key and the current time the app derives a short numeric code (a TOTP, time-based one-time password) that typically changes every 30 seconds and is entered when signing in to services that use 2FA. The service holds the same secret and computes the same code, so nothing has to be sent to your phone at login time.
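To make the "secret key plus current time" mechanism concrete, here is an added example (not code from the original article or from any of the apps named below) that does what an authenticator app does internally: it parses the otpauth:// URI that an enrolment QR code carries, derives codes with HOTP (RFC 4226) and TOTP (RFC 6238), and includes the server-side check that tolerates a little clock drift. The URI, issuer and account name are constructed; the secret is the RFC test secret "12345678901234567890", base32-encoded, so the outputs can be checked against the published test vectors.

```python
# Added example: how an authenticator app turns a QR-code secret into 6-digit codes.
# Standard library only; implements HOTP (RFC 4226) and TOTP (RFC 6238).
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth://totp/... URI (what the enrolment QR code actually contains)."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    label = unquote(parts.path.lstrip("/"))          # "Issuer:account"
    issuer, _, account = label.rpartition(":")
    return {
        "issuer": params.get("issuer", issuer),
        "account": account,
        "secret": params["secret"].upper().replace(" ", ""),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").lower(),
    }


def decode_secret(secret_b32: str) -> bytes:
    # Base32 secrets in QR codes are often unpadded; restore padding before decoding.
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)
    return base64.b32decode(padded, casefold=True)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> zero-padded digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at=None, period: int = 30, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    at = time.time() if at is None else at
    return hotp(decode_secret(secret_b32), int(at // period), digits, algorithm)


def verify_totp(secret_b32: str, submitted: str, at=None, period: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `window` steps for clock drift.
    Uses a constant-time comparison so timing does not leak how many digits matched."""
    at = time.time() if at is None else at
    step = int(at // period)
    secret = decode_secret(secret_b32)
    return any(hmac.compare_digest(hotp(secret, step + delta, digits), submitted)
               for delta in range(-window, window + 1))


# Constructed sample URI: the RFC 4226/6238 test secret "12345678901234567890" in base32,
# wrapped the way an enrolment QR code would carry it (issuer/account are made up).
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30")

if __name__ == "__main__":
    token = parse_otpauth(SAMPLE_URI)
    print(f"{token['issuer']} ({token['account']}): {totp(token['secret'], period=token['period'])}")
```

The `window` in `verify_totp` is why a code usually still works a few seconds after it rolls over: the server accepts the neighbouring time steps. Widening it beyond one or two steps weakens the scheme, since each extra step is another valid code an attacker could guess.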
Popular applications for this include:
- Google Authenticator
- Twilio Authy
- Microsoft Authenticator
These work on your mobile phone. A notable issue with Google Authenticator has been that the secrets were kept only on the device and not backed up (recent versions can sync them to your Google account if you enable it). If you uninstall the app or reset your phone without a backup, the authentication keys are lost, causing significant problems when you need access to your accounts.
A good option would be to use an authenticator that can back up your tokens and offers a bit more security. While the above options provide the basics, here are a few that I would recommend using instead:
Aegis
Aegis is a free and open-source authenticator app available on Android through the Google Play Store and F-Droid. It offers added security compared to the standard apps: the vault is encrypted and can be locked with a password or biometrics, so tokens are not displayed as soon as you open the app.
Additionally, it allows you to export and import tokens between devices, making it convenient when switching phones. Keep any exported backup encrypted and stored somewhere private, since it contains every one of your secrets. As an open-source app, its codebase can be reviewed for transparency and security.
Learn more about Aegis by visiting getaegis.app
2FAS
2FAS is my personal favorite, offering a seamless two-factor authentication experience on both Android and iOS. It also has a browser extension for Brave, Firefox, Opera, and more, allowing for quick access to 2FA codes in the browser.
Some notable features include:
- One-tap authentication
- Synchronization across devices
- Backup and restore capabilities
- Biometric/passcode protection
- Offline functionality.
2FAS is open-source, free to use, and does not store any passwords or metadata, giving you peace of mind in terms of security and privacy. More features are in the works; you can learn more about them by visiting 2fas.com
Raivo OTP
Raivo OTP is a lightweight, open-source, and free to use authenticator app that syncs across all your Apple devices. Built with Swift 5, it is a native app for the Apple ecosystem and runs on both iPhone/iPad and macOS.
Notable features include:
- Exporting tokens
- Syncing with iCloud
- Customizing each one-time password (OTP).
You can learn more about Raivo OTP by visiting raivo-otp.com
SMS Authentication
Text/SMS messaging is a method where the service sends a one-time code to your phone number when you log in. The message typically comes from a short code (a short sender number, such as 5043) rather than a normal phone number, and the code it contains is what unlocks your account.
Common Risks
This method is bound to a mobile number, which exposes it to a threat known as SIM swapping. In a SIM swap, an attacker convinces (or bribes) your carrier to move your phone number to a SIM card they control, or abuses the number-porting process, after which they receive your calls and text messages, including login codes. It is a significant concern for high-profile users, who are more likely to be targeted by these attacks.
To reduce the risk of SIM swapping, you can:
- Set up a PIN or password on your carrier account (often called a port-out or number-transfer PIN) so the carrier must verify it before moving your number; note that a PIN on the SIM card itself only protects the physical card, not your number at the carrier
- Keep your device up to date
- Be aware of scam calls and text messages
- Use strong passwords on all your accounts
- Prefer an authenticator app or security key over SMS wherever a service offers it, so that a stolen number alone is not enough to log in.
Email Authentication
Email authentication sends a link to click or a code to enter to your email address. This method is common and convenient for quick logins, but not every service offers it as a second factor; it is more often used for password resets and one-time (passwordless) logins. That makes the email account itself the key to every account that can be reset through it.
There will always be risks when using email as a factor, so it's important to secure the mailbox itself and consider:
- Monitoring your account for unusual activity
- Ensuring the account uses a secure password
- Enabling two-factor authentication on the email account, preferably with an authenticator app or security key.
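Both SMS codes (above) and email codes work the same way on the service's side: a random code is generated, handed to a delivery gateway, and checked once when you type it in. As an added example serving both sections (not code from the original article or from any provider), here is what that check should look like so that a leaked database, a slow brute-force, or a second use of an old code does not defeat it. The class name, the 10-minute lifetime and the 5-attempt limit are assumptions chosen for illustration.

```python
# Added example: issuing and verifying one-time codes delivered by SMS or e-mail.
# Policy numbers below are assumed for illustration, not any particular provider's rules.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 600     # assumed policy: a delivered code is valid for 10 minutes
MAX_ATTEMPTS = 5           # assumed policy: discard the code after 5 wrong guesses


@dataclass
class PendingCode:
    digest: bytes            # only a salted hash is stored: a DB leak must not reveal live codes
    salt: bytes
    expires_at: float
    attempts: int = 0


def _digest(code: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + code.encode()).digest()


class DeliveredCodeVerifier:
    """Issue one-time codes for a delivery channel (SMS, e-mail) and verify them once."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested deterministically
        self._pending = {}         # user_id -> PendingCode; one live code per user

    def issue(self, user_id: str, digits: int = 6) -> str:
        # secrets.randbelow is a CSPRNG; never use random.randint for security codes.
        code = str(secrets.randbelow(10 ** digits)).zfill(digits)
        salt = secrets.token_bytes(16)
        self._pending[user_id] = PendingCode(_digest(code, salt), salt, self._now() + CODE_TTL_SECONDS)
        return code                # this is what goes to the SMS / e-mail gateway

    def verify(self, user_id: str, submitted: str) -> bool:
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        if self._now() > entry.expires_at:
            del self._pending[user_id]      # expired codes are discarded, never extended
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[user_id]      # stops enumeration of the 10^6 possible codes
            return False
        ok = hmac.compare_digest(_digest(submitted, entry.salt), entry.digest)
        if ok:
            del self._pending[user_id]      # one-time: a code cannot be replayed
        return ok


if __name__ == "__main__":
    verifier = DeliveredCodeVerifier()
    code = verifier.issue("alice")
    print("code sent to gateway:", code)
    print("correct code accepted:", verifier.verify("alice", code))
    print("same code again:", verifier.verify("alice", code))
```

None of this helps if the attacker can read the channel itself, which is exactly the SIM-swap problem: the code is correct, unexpired and used once, just by the wrong person. That is why the checks above are necessary but not sufficient for SMS and email factors.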
Security Keys
Security keys are a physical form of multi-factor authentication (MFA) that adds an extra layer of security to online accounts. One popular solution is the YubiKey from Yubico, which plugs into a USB port or is read wirelessly via NFC.
This method of authentication is more secure because the key is a physical device you hold: at login the key signs a challenge from the service, and that signature is bound to the website's real address, so a look-alike phishing site cannot reuse it and there is no code for an attacker to intercept. You still plug in or tap the key (and usually touch it) at each login, but there is nothing to read and type.
Security keys are well suited to enterprise use, as they integrate with WebAuthn/FIDO2 and Smart Card/PIV authentication, protecting against common phishing attempts. Security keys will continue to be widely adopted by platforms and services as this technology evolves. You can learn more about security keys and their features by visiting Yubico.com
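The phishing resistance described above comes from checks the service performs on what the browser and key hand back. As an added example (not code from the original article or from Yubico), here is that relying-party side of a WebAuthn/FIDO2 login: the browser stamps its own origin into clientDataJSON, the key hashes the relying-party ID into authenticatorData, and the service verifies both against what it expects before trusting the signature. The RP ID, origins, challenge and device key are constructed; the HMAC stands in for the key's public-key signature (which needs a crypto library), but the byte string it covers is exactly what a real authenticator signs.

```python
# Added example: relying-party verification of a WebAuthn assertion, showing why a
# look-alike site cannot replay a security-key login. Names/values are constructed.
import base64
import hashlib
import hmac
import json
import struct

RP_ID = "bank.example"                        # assumed relying-party ID
ALLOWED_ORIGINS = {"https://bank.example"}    # assumed: the only origin allowed to log in
FLAG_USER_PRESENT = 0x01                      # authenticatorData flag bit: key was touched


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_assertion(device_key: bytes, challenge: bytes, origin: str, rp_id: str, sign_count: int):
    """What browser + authenticator return from navigator.credentials.get().
    The browser fills in `origin` itself; a page cannot claim another site's origin.
    The authenticator hashes the RP ID it was asked for into authenticatorData."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": origin}).encode()
    auth_data = (hashlib.sha256(rp_id.encode()).digest()      # rpIdHash (32 bytes)
                 + bytes([FLAG_USER_PRESENT])                  # flags (1 byte)
                 + struct.pack(">I", sign_count))              # signCount (4 bytes, big-endian)
    signed = auth_data + hashlib.sha256(client_data).digest()  # exactly what WebAuthn signs
    signature = hmac.new(device_key, signed, hashlib.sha256).digest()  # stand-in for ECDSA/Ed25519
    return client_data, auth_data, signature


def verify_assertion(device_key: bytes, expected_challenge: bytes, last_sign_count: int,
                     client_data: bytes, auth_data: bytes, signature: bytes) -> bool:
    """Relying-party checks from the WebAuthn assertion procedure; False on any mismatch."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(cd.get("challenge", ""), b64url(expected_challenge)):
        return False                                   # replay, or wrong login session
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False                                   # browser reported a phishing site's origin
    if len(auth_data) < 37:
        return False
    rp_id_hash, flags, sign_count = auth_data[:32], auth_data[32], struct.unpack(">I", auth_data[33:37])[0]
    if not hmac.compare_digest(rp_id_hash, hashlib.sha256(RP_ID.encode()).digest()):
        return False                                   # credential scoped to a different RP ID
    if not flags & FLAG_USER_PRESENT:
        return False                                   # no touch on the key
    if sign_count != 0 and sign_count <= last_sign_count:
        return False                                   # counter went backwards: possible clone
    expected_sig = hmac.new(device_key, auth_data + hashlib.sha256(client_data).digest(),
                            hashlib.sha256).digest()
    return hmac.compare_digest(signature, expected_sig)


# Constructed scenario inputs (not real credentials or challenges).
DEVICE_KEY = b"constructed-stand-in-for-the-key-private-key"
CHALLENGE = bytes(range(32))


def legitimate_login() -> bool:
    cd, ad, sig = build_assertion(DEVICE_KEY, CHALLENGE, "https://bank.example", RP_ID, sign_count=5)
    return verify_assertion(DEVICE_KEY, CHALLENGE, 4, cd, ad, sig)


def phished_login() -> bool:
    """A look-alike site relays the bank's real challenge. The browser still records the
    attacker's origin and the key scopes its data to the attacker's RP ID, so both checks
    fail (in practice the browser would not even offer the bank's credential there)."""
    cd, ad, sig = build_assertion(DEVICE_KEY, CHALLENGE, "https://bank-login.example",
                                  "bank-login.example", sign_count=5)
    return verify_assertion(DEVICE_KEY, CHALLENGE, 4, cd, ad, sig)


def replayed_login() -> bool:
    """A captured assertion presented against a fresh challenge is rejected."""
    cd, ad, sig = build_assertion(DEVICE_KEY, CHALLENGE, "https://bank.example", RP_ID, sign_count=5)
    return verify_assertion(DEVICE_KEY, b"\xff" * 32, 4, cd, ad, sig)


if __name__ == "__main__":
    print("legitimate:", legitimate_login(), "phished:", phished_login(), "replayed:", replayed_login())
```

Contrast this with a TOTP or SMS code: the code itself carries no information about which site asked for it, so a phishing page that asks for it and forwards it to the real site succeeds. Here the origin and RP ID are inside the signed data, which is what makes security keys the phishing-resistant option.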
Summary
Two-factor authentication (2FA) provides an extra layer of security to your online accounts, making it harder for attackers to access your personal information. With a variety of methods available, such as SMS, email, and authenticator apps, there is a solution that fits the needs of different users, with authenticator apps being the better choice where a service offers both.
Security keys, like Yubico's YubiKey, are also an option for those who prefer a physical device for MFA, and they are the most phishing-resistant of the methods discussed here. As passwords continue to become more complex, biometric data may become a more popular form of verification in the future.
Regardless of the method used, it is recommended to implement two-factor authentication (2FA) on important accounts, such as those related to finances, social media, and mobile/internet services. Don't let attackers take control of your accounts!