Two-factor authentication (2FA) is one of the most important ways to protect your online accounts. However, some authentication methods have come under fire for vulnerabilities that defeat the object of implementing 2FA in the first place.

We’re talking about two-factor authentication as though it’s a single feature, but it actually comes in many guises, including SMS codes, email codes, authenticator apps, and hardware keys.

The idea behind 2FA is to mix something you already know (your password) and something you have to hand (your phone, computer) in order to double down on security.


Having SMS codes sent to your phone is probably the easiest way of implementing 2FA, but it’s also the least secure.

2FA assumes that codes are sent to a device that only you have control over, but it’s quite difficult to guarantee this.

It may sound far-fetched, but an attacker can potentially intercept messages, or clone your SIM card – masquerading as you to gain access to your account. Because your mobile network is involved, there’s also the possibility that someone could convince the network to transfer your number to another device that they control. This can be done so quickly that you probably won’t even realise it’s happened. These methods have been used before, and they’re a lot easier for attackers compared to other 2FA methods.

If a service you use only supports SMS codes, it’s better than nothing, but you should try to use something else if you can.


Some services will allow you to confirm your identity by emailing a code to you. These are generally safer than SMS codes, but they still suffer from similar weaknesses.

Encryption and your email provider are the weak links in the case of email codes. And once again, if someone gains access to your emails, they can access your 2FA codes too.

Email codes are slightly more secure than those sent via SMS, but only just. If you’re in a position to use something else, you’re better off doing so.

Authentication apps

Authentication apps blend the “something you know” with the “something you have to hand” without involving others along the way.

Here’s how: When you set an authentication app up, your account creates a secure key that it shares with your phone via a QR code. That key is then encrypted on both ends – allowing you to generate a new code every 30 seconds or so. Only you and the server know the key, so an attacker can’t predict what your next code will be.

This has a number of advantages over SMS and email. For starters, you’re the only one aside from the server itself that ever has the ability to generate codes. There’s no email provider, no ISP, or other middle-man. The codes are generated on your device and you only transmit them during that brief, 30-second window. Even if a hacker could intercept the message, it would be useless before they could do anything with it.
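How such codes are generated on the phone and checked by the server, as an added example that is not part of the original post. It assumes the app uses the standard TOTP scheme (RFC 6238 with HMAC-SHA1 and 6 digits), which the post does not name; the function names are illustrative and the key is the RFC's published test key.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds each code is valid for (the 30-second window above)

def key_from_qr_secret(b32: str) -> bytes:
    """The QR code carries the shared key as base32 text; decode it to bytes."""
    b32 = b32.replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC the 8-byte counter with the shared key, then truncate (RFC 4226)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # last nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(key: bytes, now: float) -> str:
    """Phone side: the counter is simply the number of 30 s steps since 1970."""
    return hotp(key, int(now) // STEP)

def verify(key: bytes, submitted: str, now: float,
           last_used_step: int = -1, drift: int = 1):
    """Server side: accept the current step +/- drift, never a step already used.

    Returns the matched step (store it as last_used_step) or None.
    """
    current = int(now) // STEP
    for step in range(max(0, current - drift), current + drift + 1):
        if step <= last_used_step:
            continue                             # replay of a spent code
        if hmac.compare_digest(hotp(key, step), submitted):
            return step
    return None

if __name__ == "__main__":
    # Constructed demo using the RFC 6238 test key ("12345678901234567890").
    key = key_from_qr_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    code = totp(key, 59)
    print("code at t=59:", code)
    print("accepted at t=59:", verify(key, code, 59))
    print("replayed at t=59:", verify(key, code, 59, last_used_step=1))
    print("submitted at t=150:", verify(key, code, 150))
```

Tracking `last_used_step` per account is what makes an intercepted code worthless once the legitimate login has gone through, even inside the same 30-second window.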

Most major services support authentication apps, which is encouraging. All in all, authenticators are the most secure right now, and the least prone to being compromised when you lose a device, walk away from your desk, or forget a password.

Security, not convenience

There’s no perfect solution when it comes to security (and we’ve only really scratched the surface in this post), but some methods are better than others. Many sites have yet to even enable two-factor authentication at all, much less use the best method.

You may find that you have to trade off security and convenience in order to keep your accounts secure. If that’s the case, pick the best, most secure option from what’s on offer. In all honesty, any form of 2FA is better than none at all.

We are Connect – the original web development agency. We have been providing best-in-class design, development and data services to public and private sector clients since 1994.