Two-factor authentication (2FA) is hands-down the best way to increase online account security. It’s also true that tighter security typically results in less convenience. Few things are more inconvenient than having your accounts hacked, though, so let’s review the basics of authentication, the shortcomings and best practices of 2FA, and a few tips to help reduce the chance of lockout.
A good place to start is a review of authentication factors. There are three common strategies for identifying people:
By definition, 2FA means using two of the above strategies for person identification.
Username and password (“something you know”) is almost always the first factor of authentication for access to web and mobile apps. Biometrics (“something you are”) have promise but still require open web standards with broad vendor support to see significant adoption online (the most promising option is the new W3C WebAuthn standard). For the purpose of this blog we will focus on best practices for securing accounts with the most common forms of “something you have” 2FA, namely:
There are a few common usability issues with “something you have” 2FA:
2FA mechanisms should be thought of like tools in an authentication tool belt: the more ways you can securely identify yourself, the better prepared you are to handle edge cases like when you lose your phone.
Consider the variety of 2FA mechanisms that can be enrolled to secure a Google account. Of course you could have 10 different strong credentials and still find yourself without one when needed. But to increase security and reduce the chance of lockout, the best practice for “something you have” 2FA is clear: register multiple phone numbers, mobile apps, and U2F security keys wherever possible to safeguard your accounts.
Having more strong credentials at your disposal offers greater situational convenience and backups when the primary credential is unavailable.
In addition to registering multiple credentials and types of credentials, here are a couple specific recommendations to make sure you can always pass 2FA:
So which websites support strong and flexible account security? As noted above, Google for sure. GitHub, Facebook, Stripe and other large providers also support “self-service” 2FA, allowing people to enroll and manage many phone numbers, apps, and keys to secure their accounts.