If you haven’t read I Have a Password System, and you don’t feel confident with how you manage your passwords, I recommend reading that before you come back to read the rest of this. Two Factor Authentication (2FA) is when access to something is protected by more than just one factor of authentication, for example a password. When you use a username and password, as well as an additional factor of authentication, such as a code you receive via email or SMS, you’ve got yourself Two Factor Authentication (2FA). If you had more than two factors, technically that would be Multi Factor Authentication (MFA), but the two terms are usually used interchangeably, and I’ll just refer to it as 2FA going forward.

Why 2FA?

2FA is one of the most important aspects of staying secure online, alongside strong passwords. One could argue that using 2FA is more important than having strong passwords, but I would recommend getting both of these areas figured out and locked down in order to protect yourself online. There is a movement towards “passwordless” authentication which will drastically improve the average internet user’s security online - but we’ll cover that another time.

2FA makes it much harder for attackers to break into an account because in addition to obtaining your password, they have to gain access to an additional piece of information to break into your account. While it’s true that using 2FA makes things a bit inconvenient for you, it makes the attacker’s endeavors to compromise your accounts disproportionately harder.

Types of 2FA

2FA adds a layer of protection beyond having a strong password, but not all forms of 2FA are created equal. This is not an exhaustive list by any means, but focuses on some of the commonly used methods of 2FA you will find available with services you use online.

SMS

One frequent type of 2FA is a code that is sent to the user via a phone number. This is one of the weakest forms of 2FA as it is susceptible to an attack known as “SIM Swapping”, in which malicious actors gain control of your phone number in order to get access to 2FA codes. It may seem like a difficult thing to pull off, but SIM Swapping is extremely common. It is a huge problem because telecom companies are susceptible to social engineering. There can also be insiders within large telecom companies that get paid by malicious actors to port numbers. In fact, there is a whole dark market economy based around SIM Swapping numbers. You can learn more about this in the Darknet Diaries Episode 112, which I highly recommend listening to (you can skip to around 45 minutes in if you don’t have time to listen to the entire episode).

Email

Many sites offer email based 2FA, where a code or magic link is sent to your email as a second factor of authentication. This type of 2FA is reasonably secure, as long as the email itself is adequately protected. While this isn’t the strongest form of 2FA, it is arguably better than SMS, as long as the email itself is protected by something stronger like TOTP or FIDO. It is essential that your email is protected with the strongest type of 2FA available, as emails usually contain sensitive information, and are used to recover access to accounts. If an attacker gains control of your email, you’re in trouble.

Push Notification

This type of 2FA relies on applications which receive push notifications, allowing the user to approve authentication requests. This form of 2FA is quite strong, but still susceptible to an attack called “MFA Bombing” in which the attacker simply keeps sending requests to a user’s device until one of them is approved, often by accident.

TOTP

TOTP stands for “Time-Based One Time Password.” This is one of the better types of 2FA available. Applications that support this protocol are Yubico Authenticator, Authy, Microsoft Authenticator, Google Authenticator, Veripal (which I wrote), and many more. This method is better than SMS based 2FA, but is still susceptible to phishing. If the device with the TOTP application is compromised, your TOTP codes could be stolen.

FIDO

FIDO is one of the strongest forms of 2FA available, and also a technology that is aiming to replace passwords. FIDO is superior to virtually all types of authentication currently available. The reason it is so powerful is because it is resistant to phishing, which is not the case for most other types of 2FA. The cryptography it uses is also superior (asymmetric cryptography). To leverage it, you can purchase a “security key” such as YubiKey, Titan Security Key, and more and more devices use their built in TPMs to support FIDO, such as Apple’s Passkeys. Some cryptocurrency hardware wallets like Ledger and Trezor support FIDO as well!

Summary

To put it all together, the most important thing to understand is that 2FA should be used wherever available. If SMS is the only type of 2FA available for a service, it should be used. SMS is better than nothing. When multiple options are available, refer to this approximate summary of the order of strength of 2FA types:

FIDO > TOTP > Push Notification > Email > SMS

Stay safe out there!