Two-Factor Authentication (2FA) Best Practices
Two-factor authentication (2FA) is hands-down the best way to increase online account security. It’s also true that tighter security typically means less convenience. Few things are more inconvenient than having your accounts hacked, though, so let’s review the basics of authentication, the shortcomings of 2FA, best practices, and a few tips to reduce the chance of locking yourself out.
Authentication factors
A good place to start is a review of authentication factors. There are three common strategies for identifying people:

- Something you know: like a username and password, your first grade teacher’s name, where you were born, etc.
- Something you have: like a mobile app, a phone number, a key (digital or physical), etc.
- Something you are: like your face, fingerprints or any other biometrics.
Common 2FA mechanisms
Username and password (“something you know”) is almost always the first factor of authentication for access to web and mobile apps. Biometrics (“something you are”) have promise but still require open web standards with broad vendor support to see significant adoption online (the most promising option is the new W3C WebAuthn standard). For the purposes of this post we will focus on best practices for securing accounts with the most common forms of “something you have” 2FA, namely:

- One-Time Passcodes (OTP): OTPs are by far the most common form of 2FA online. An OTP is a passcode (typically a string of numbers) that is valid for only one login session or transaction. The most common mechanisms for delivering OTPs to people are via phone (SMS, voice, and mobile apps) and physical OTP cards.
- FIDO Universal 2nd Factor (U2F) keys: U2F is an open authentication standard that uses strong public key cryptography to create a direct binding between a person’s U2F security key (like a YubiKey) and a user account on an authentication server. U2F protects against phishing, session hijacking, man-in-the-middle, and malware attacks, making it one of the strongest forms of authentication available on the Internet.
2FA shortcomings & best practices
There are a few common usability issues with “something you have” 2FA:

- If you don’t have the “thing”, you are unable to pass authentication.
- If the device in use can’t support the 2FA mechanism, you are unable to pass authentication.
- If an account relies on only one 2FA mechanism, there is a single point of failure.
- If a strong credential can be reset with a weaker one, like an email to an unsecured account, the strong security can be easily bypassed.
2FA tips & tricks
In addition to registering multiple credentials and types of credentials, here are a couple of specific recommendations to make sure you can always pass 2FA:

- When registering a phone number to secure an account, use a Google Voice number and/or a dedicated “burner phone” number instead of (or in addition to) your mobile phone number. Why? You don’t control your mobile phone number; your phone operator does.
- If you have a significant other (that you trust :), register one or more of their phone numbers and 2FA devices against your accounts. In case you lose access to your device(s), you can pass 2FA using your s/o’s device.