If you aren’t using two-factor authentication yet, you’re way behind and leaving your accounts vulnerable to hackers and phishers. How safe do you actually feel when a password is the only thing standing between a stranger and your bank account? Not too safe, I hope.
Yes, two-factor authentication isn’t foolproof. Yes, there are risks to two-factor authentication. But even with these downsides, using two-factor authentication is miles better than going without it. Just because burglars can bust through a window doesn’t mean you’ll stop locking your doors, right? Of course not.
But here’s the thing: not all two-factor authentication methods are equal. Some are demonstrably safer and more secure. Here’s a look at the most common methods and which ones best meet your individual needs.
Two-Factor Authentication vs. Two-Step Authentication
Before diving in, let’s take a quick moment to clear up some confusion between two-factor authentication and two-step authentication. They’re similar, but not quite the same — one’s a square, the other a rectangle.
Two-factor authentication is when you protect an account with two factors. A factor is either “something you know” (e.g. password), “something you have” (e.g. phone), or “something you are” (e.g. fingerprint). To truly be protected by two-factor authentication, your account must require two locks of different factors before granting access.
If an account is protected by two locks of the same factor, then it falls under two-step authentication (or two-phase authentication). For example, a password and a security question are both “something you know,” making authentication two-step but not two-factor. Though this can still provide adequate protection, two-factor authentication is preferable.
Just as a square is a rectangle but a rectangle isn’t a square, two-factor authentication is a type of two-step authentication but not the other way around.
Method 1: Security Questions
What is it?
When creating an account, you choose one or more security questions and set answers for each one. When logging into that account, you have to provide the right answer to each question to validate that you have rightful access.
Security questions are extremely easy to set up. Most of the time, the service provides a dropdown menu of questions — all you have to do is pick one and give the answer. You don’t need any other equipment, devices, etc. The answer is just stored in your head.
Many security question answers can be found in public records (e.g. your father’s middle name) or socially engineered (e.g. phishing emails or phone calls). To get around this, you can make your answer gibberish and effectively make it a second password — but be careful that you don’t lose it or forget it!
Method 2: SMS Messages
What is it?
When creating an account, you provide your mobile phone number. Whenever you want to log in, the service sends you an SMS message with a verification code that expires (usually after 15 minutes). You have to enter that code to complete the login process.
SMS messages are extremely convenient. These days, pretty much everyone has an SMS-capable device and can receive SMS messages free of charge. Usually the messages arrive instantly, but even when they don’t it rarely takes more than a few minutes. If you ever lose your device, you can transfer your phone number so you’ll never be permanently locked out.
You have to trust the service enough to share your phone number. Some disreputable services may use your number for advertising, or sell it off for monetary gain. And since phone numbers aren’t actually tied to devices, hackers can circumvent SMS-based authentication without ever touching your phone (though it isn’t easy).
Method 3: Time-Based One-Time Passwords
What is it?
When you create an account, you’re assigned a “secret key.” After installing a code-generating app (like Google Authenticator or its alternatives), you scan a QR code to load the secret key into the app. It then generates one-time passwords every so often (e.g. 30 seconds) using the secret key as a seed, and you need these one-time passwords to log in.
The codes are generated based on a mixture of the secret key and the current time, which means you can get valid codes on your device even when you have no reception and/or no mobile service. And since the secret key is stored on the device itself, it can’t get intercepted or redirected (such as through a phone number takeover).
You will be unable to log in if your device runs out of battery or dies altogether. Sometimes internal clocks can desync between device and service, which results in invalid codes. These are two reasons why printing backup codes is essential.
If a hacker somehow clones your secret key, then they can generate their own valid codes at will. And if the service doesn’t limit login attempts, hackers may still be able to compromise your account through sheer brute force.
Method 4: U2F Keys
What is it?
Universal 2nd Factor (U2F) is an open standard that’s used with USB devices, NFC devices, and smart cards. In order to authenticate, you simply plug it in (for USB keys), bump it (for NFC devices), or swipe it (for smart cards).
A U2F key is a true physical factor. Unlike SMS codes, they can’t be intercepted or redirected. And unlike most two-factor methods, U2F keys are phishing-proof because they’re only registered to work with sites you’ve registered. It’s one of the most secure 2FA methods currently available.
Because U2F is a relatively new technology, it isn’t yet widely supported. For example, as of this writing, NFC keys only work with Android mobile devices whereas USB keys mainly work with the Chrome browser (Firefox is working on it). U2F keys also cost money, often between $10 and $20, but the price can go higher depending on how rugged you want the key to be.
Method 5: Face, Voice, Fingerprint
What is it?
Facial recognition, voice recognition, and fingerprint scans all fall under the category of biometrics. Systems use biometric authentication when it’s imperative that you really are who you say you are, often in areas that require security clearance (e.g. the government).
Biometrics are extremely difficult to hack. Even a fingerprint, which is arguably the easiest to copy, requires some kind of physical interaction. Voice recognition would need some kind of statement said in your voice, and facial recognition would need something as drastic as plastic surgery. It isn’t unbreakable, but pretty close.
The biggest downside, and the reason why biometrics are rarely used as a two-factor method, is that a compromised biometric is compromised for life. Plus, how comfortable would you feel giving up your face, voice, or fingerprints? Would you trust them to be kept safe? Most wouldn’t.
Which Two-Factor Authentication Method Is Best?
Well, it depends on what you value most:
- For balance, time-based one-time passwords are the best. You just have to be careful about keeping backup codes in case you lose or break your device.
- For privacy, U2F keys are the best. They can’t be used to track you and you don’t have to give up any personal information to use them. But they cost money.
- For convenience, SMS messages are the best. Yes, they can be intercepted or redirected, and yes, they fail with bad reception, but they’re quick, easy, and secure enough.
If given the choice, don’t ever rely on security questions as a two-factor method. If you have no other option, then treat the security question as a second password. Don’t ever answer the question directly, especially if the answer isn’t something that only you know.
Think two-factor authentication is an inconvenience? Here are ways to make two-factor authentication less irritating.
Which two-factor authentication methods do you use most? Are you going to change your habits after reading this? Let us know in the comments below!