Security Technology Explained

The Pros and Cons of Two-Factor Authentication Types and Methods

Ben Stegner Updated 15-04-2020

You’ve hopefully heard about the benefits of two-factor authentication. Requiring something beyond just a password to unlock your online accounts makes them much harder to break into.


However, two-factor authentication comes in several forms, with some faring better than others. When you have an option, which should you choose? Let’s look at the pros and cons of two-factor authentication methods to find out.

Two-Factor Authentication vs. Two-Step Authentication

Before diving in, let’s take a quick moment to clear up the differences between two-factor authentication and two-step authentication. They’re similar, but not identical.

Two-factor authentication is when you protect an account with two checks drawn from two different types of authentication factor. A factor can be one of the following:

  • Something you know: This includes a piece of information, like a password or security question.
  • Something you have: For example, your smartphone or another physical device.
  • Something you are: A factor unique to your body, such as your fingerprint or iris.

True two-factor authentication means you must unlock two checks from different factors before you can log in. If your account is protected by two locks of the same factor, this is called two-step authentication.

For example, a password and security question are both something you know, making this kind of authentication two-step but not two-factor. This still provides better protection than a password alone, but proper two-factor authentication is preferable.


Two-factor authentication is a type of two-step authentication, but it’s not true the other way around.

Method 1: Security Questions


You’re probably familiar with this method: when creating an account, you choose one or more security questions and set answers for each one. When logging into that account in the future, you have to provide the right answer to each question to validate your access.

Pros of Security Questions

Security questions are extremely easy to set up. Most of the time, the service provides a dropdown menu of questions—all you have to do is pick a few and give the answer. You don’t need any other equipment or devices; the answer is stored in your head.


Cons of Security Questions

Many security question answers are easy to dig up. People can find information like your father’s middle name or the street you grew up on in public records or on social media. It’s also easy to accidentally divulge this sensitive info through social engineering, like phishing emails or phone calls.

To get around the weaknesses of security questions, you can enter a gibberish answer, effectively making it a second password. But you must be careful that you don’t lose or forget that answer; storing it in your password manager is a good idea.

Method 2: SMS or Email Messages


For this type of two-factor authentication, you provide your mobile phone number when creating an account. When you want to log in, the service sends you a text message via SMS (or email, alternatively).


The message contains a temporary verification code that expires after a short time. You have to enter that code to finish logging in.

Advantages of SMS Two-Step Authentication

SMS messages (and email) are convenient because nearly everyone has access to them. Usually the messages arrive instantly, or at most in a few minutes. If you ever lose your device, you can usually transfer your phone number to avoid getting permanently locked out.

Disadvantages of SMS Two-Step Authentication

You have to trust the service enough to share your phone number, as some disreputable services may use your number for advertising purposes. Another issue is that you can’t receive the text containing your login code if you don’t have cellular service.

Additionally, SMS and email are not secure communication methods. Hackers can intercept SMS texts without ever touching your phone, though it isn’t easy.


Method 3: Time-Based One-Time Passwords (OTP)


With this authentication method, you use an authenticator app to scan a QR code that contains a secret key. Doing so loads the secret key into the app, which then generates temporary passwords that change regularly. After entering your password, you’ll need to enter the current code from your authenticator app to finish signing in.

Benefits of One-Time Passwords

Once you’ve added the account to your authenticator app, you don’t need mobile service to access the codes. Since the secret key is stored on your device itself, the codes can’t be intercepted in transit the way SMS can. And if you use certain authenticator apps, like Authy, you can sync your codes between multiple devices to avoid getting locked out.

Drawbacks of One-Time Passwords

If your phone runs out of battery, you won’t be able to access your codes (though this is also true of SMS). Because the codes are derived from the current time, the clocks on your device and the service can drift apart, which results in invalid codes. This is why you should always print the backup codes that services provide as an emergency login method.

While unlikely, if a hacker somehow cloned your secret key, they could generate their own valid codes at will. And if the service doesn’t limit login attempts, hackers may still be able to compromise your account through sheer brute force.
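To make the three points above concrete (codes derived from the clock, tolerance for a small amount of clock drift, and the need to limit login attempts), here is an added example of the RFC 6238 time-based one-time password scheme on the verifying side. It is not code from the article or from any authenticator app; the secret value is the published RFC test-vector key, the `window` and `max_attempts` parameters are assumptions chosen for illustration, and the lockout and replay bookkeeping is kept in memory only.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # RFC 6238 default time step
DIGITS = 6         # six-digit codes, as most authenticator apps show


def decode_base32_secret(text: str) -> bytes:
    """Decode the base32 secret carried in a provisioning QR code (padding optional)."""
    cleaned = text.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second step."""
    return hotp(secret, at_time // step)


class TotpVerifier:
    """Server-side check with drift tolerance, replay rejection and an attempt limit (assumed policy)."""

    def __init__(self, secret: bytes, window: int = 1, max_attempts: int = 5):
        self.secret = secret
        self.window = window            # accept codes from +/- this many steps around now
        self.max_attempts = max_attempts
        self.failures = 0
        self.last_used_counter = -1     # highest step already accepted (blocks replay)

    def verify(self, submitted: str, at_time: int) -> bool:
        if self.failures >= self.max_attempts:
            return False                # locked: even a correct code is refused
        now_counter = at_time // STEP_SECONDS
        for drift in range(-self.window, self.window + 1):
            counter = now_counter + drift
            candidate = hotp(self.secret, counter)
            if hmac.compare_digest(candidate, submitted.strip()):
                if counter <= self.last_used_counter:
                    return False        # same code seen before: treat as replay
                self.last_used_counter = counter
                self.failures = 0
                return True
        self.failures += 1
        return False


# Constructed inputs: the RFC 4226/6238 test key "12345678901234567890" in base32 form.
DEMO_SECRET = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")

if __name__ == "__main__":
    print("code at t=59:", totp(DEMO_SECRET, 59))   # RFC vector gives 287082 for six digits
    v = TotpVerifier(DEMO_SECRET)
    print("accepted one step late:", v.verify("287082", 89))
    print("replay accepted:", v.verify("287082", 89))
```

The `window` of one step is what lets a phone whose clock is up to 30 seconds off still log in; widening it much further trades away the short lifetime that makes the codes useful. The attempt counter is the part the article warns is sometimes missing: without it, a six-digit space can be searched by an attacker who is allowed unlimited tries.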

Method 4: U2F Keys


Universal 2nd Factor (U2F) is an open standard that’s used with USB devices, NFC devices, and smart cards. In order to authenticate, you simply plug in a USB key, bump an NFC device, or swipe a smart card.

Pros of U2F

A U2F key is a true physical factor. As long as you keep it physically secure, it can’t be digitally intercepted or redirected. And unlike most two-factor methods, U2F keys are phishing-proof because a key responds only to the site you registered it with. They are thus one of the most secure 2FA methods currently available.

Cons of U2F

U2F is a relatively new technology, so it isn’t as widely supported as other choices. The other major drawback is inconvenience due to differing USB ports on your devices. For example, if you have a U2F key with a USB-A connector, it won’t work on your Android device, iPhone, or newer MacBook without an adapter.

Higher-end U2F keys have built-in NFC so you can use them with mobile devices, but they’re more expensive. While U2F keys start around $20, getting one that’s rugged or includes NFC will cost more.

Method 5: Push Notification

Some two-factor authentication platforms provide an alternative method that’s worth looking into. With this, after you enter your password, you receive a push notification on your device with some information about the login attempt. Simply tap Approve or Decline to respond to the request.

Benefits of Push Notifications

Push notifications are much more convenient than opening your authenticator app and copying down a code. They also contain information about who’s trying to log in, such as the device type, IP address, and general location. This alerts you to any malicious login attempts as they happen.

Additionally, because the push notification is tied to your phone, there’s no risk of a hacker copying down your secret code or stealing an SMS. This method requires you to physically have your device with you to log in.

Drawbacks of Push Notifications

Push notification authentication requires your phone to be connected to the internet. Thus, if you don’t have a data connection and aren’t connected to Wi-Fi, you won’t get the login prompt.

Additionally, there’s a risk of ignoring the information in the push and simply approving it without thinking. If you’re not careful, this could lead to you granting access to someone who shouldn’t have it.

Method 6: Biometrics (Face, Voice, or Fingerprint)


Facial recognition, voice recognition, and fingerprint scans all fall under the category of biometrics. Systems use biometric authentication when it’s imperative that you really are who you say you are, often in areas that require security clearance (like government).

Advantages of Biometrics

Biometrics are extremely difficult to hack. Even a fingerprint, which is probably the easiest to copy, requires some kind of physical interaction.

Voice recognition would need some kind of statement said in your voice, and facial recognition would need something as drastic as plastic surgery. It isn’t unbreakable, but it’s pretty close.

Disadvantages of Biometrics

The biggest downside, which is the reason why biometrics are rarely used as a two-factor method, is that a compromised biometric is compromised for life. You can’t change your fingerprint or face like you can a phone number.

Plus, most people aren’t comfortable giving up their face, voice, or fingerprints to companies. Even if you did, the technology to use these factors properly would be too difficult to implement for everyday apps and services.

The Pros and Cons of Multi-Factor Authentication

Now that we’ve looked at the advantages and disadvantages of two-factor authentication methods, which one is the best? It depends on what you value most.

In general, these are our recommendations:

  • For a balance, time-based one-time passwords using an authenticator app are the best. You must be careful about keeping backup codes in case you lose or break your device, though. Using Authy and signing in on multiple devices can help with this.
  • For maximum security and privacy, U2F keys are the best. They can’t be used to track you and you don’t have to give up any personal information to use them. But U2F keys cost money and are often inconvenient.
  • For convenience, SMS messages are the best. They have the potential to get intercepted and don’t work when you have poor reception. However, they’re quick, easy, and better than single-step authentication.
  • If you have the option to use push notifications, they’re worth trying. Just make sure you have a stable internet connection when using them, and always check the info in the prompt.

If you have a choice, don’t ever rely on security questions as a two-factor method. When a site requires them, treat them like a second password and store your answers in a password manager. It’s unwise to answer the questions directly.

Now that you know what method to use, follow our guide to enabling two-factor authentication on many popular websites, including Gmail and Outlook.


  1. Mike Walsh
    April 19, 2020 at 12:50 am

    Linux is usually the 'poor relation' when it comes to suitable software for the more unusual 'utilities' like this. QRCodes are near-universal now, along with the fact that nearly everybody uses smartphones nowadays. However, if you're a Linux user, and are an old fart like me who has no time for smartphones, and prefers a proper keyboard, a nice big screen, a mouse & a comfy chair.

    I've just started moderating at a large, well-known online forum. They have their own Discord server, and for mod access to the server, you have to have 2FA (2-step?) enabled. The only real app offered is Google's Authenticator (or Canonical's Authy), neither of which I can make use of...

    I came across the open-source OTPClient the other day, offered up by Jack Wallen over at TechRepublic. This thing doesn't even need a camera to scan a QRCode; all that's needed is to be able to save a screenshot as a PNG file, so even Linux users running ancient hardware without even a webcam can still make use of this modern, secure technology.

    You take a screeny of the QRCode, and save it as a PNG file. When adding a new 'token' to OTPClient, simply select 'Add manually->From file', and select your PNG image..... OTPClient reads the info from the PNG image, and Bob's yr uncle; your token is added.

    When you need to use a token's code to login, simply click its entry in the GUI, and it's auto-copied to your clipboard, ready for pasting where required. Couldn't be simpler...!

  2. William Conor
    October 19, 2018 at 3:52 pm

    I've enjoyed reading this, well done.

    As mentioned, SMS, Email and Voice Call can be easily intercepted. Software Token and Push Notifications are indeed easy to use but a Smartphone is not at all a Secure Device.

    Therefore going for a Hardware Token is actually a must. However, losing Smartphone and Hardware Token happens.

    So never forget to have an Emergency OTP like printed OTP List, QR Codes or a Second Hardware Token.

    MFA programs aren’t cheap so I'm using MFA OpenOTP from RCDevs because it's free up to 40 Users. Furthermore a good Documentation and Chat Support on their Website.

    Keep up the good work, best regards.

  3. PeteMoss4U
    November 27, 2017 at 9:16 pm

    We use time-based passwords combined with a 4 digit PIN to VPN into our network. This is after a 16 character Secure-Doc encryption password and a 16 digit network password to gain access to our laptop and local drive. Our 8 character 2F passwords are received on a Hard Token device assigned to each employee needing remote access. Soft Tokens, software based, are available which reside on a user's mobile device and are being considered for convenience sake.

  4. dragonmouth
    November 16, 2017 at 2:29 pm

    "If you aren’t using two-factor authentication yet, you’re way behind and leaving your accounts vulnerable to hackers and phishers. "
    In that case, I am really behind the times because any transactions requiring sensitive information I conduct in person and I will continue to do so as long as the banks and other institutions do not get stupid and insist on online transactions. Ostensibly online transactions are for the customers' convenience but in reality institutions implement them to save money on their overhead. If everybody can be convinced of the 'convenience' of online banking, banks can close their branches and lay off the staff. Conducting sensitive transactions in person may be inconvenient but it is much more secure than using a computer. The price of convenience is security/privacy.

    "Many security question answers can be found in public records (e.g. your father’s middle name)"
    While on the surface the statement is true (yes, my father's first, middle and last names are public record), in reality it is nothing but FUD. To find out my father's middle name, the hacker would have to know my real name. Anybody that would use data that is public record for the answer to their security question is a fool and deserves to be hacked. There is quite a lot that IS NOT on the public record that can be used. EX: The name of a teddy bear or a private nickname for a girlfriend.

  5. Andy Hawley
    November 16, 2017 at 4:49 am

    Your article completely skipped push notification type MFA solutions. Many companies like Google now support this with Android, and products like Duo Security work on iOS and Android. For ease of use they are far superior to carrying a token, and can often fail back to SMS or OTP.