The Pros and Cons of Two-Factor Authentication Types and Methods

Joel Lee 14-11-2017

If you aren’t using two-factor authentication yet, you’re way behind and leaving your accounts vulnerable to hackers and phishers. How safe do you actually feel when a password is the only thing standing between a stranger and your bank account? Not too safe, I hope.


Yes, two-factor authentication isn’t foolproof. Yes, there are risks to two-factor authentication. But even with these downsides, using two-factor authentication is miles better than going without it. Just because burglars can bust through a window doesn’t mean you’ll stop locking your doors, right? Of course not.

But here’s the thing: not all two-factor authentication methods are equal. Some are demonstrably safer and more secure. Here’s a look at the most common methods and which ones best meet your individual needs.

Two-Factor Authentication vs. Two-Step Authentication

Before diving in, let’s take a quick moment to clear up some confusion between two-factor authentication and two-step authentication. They’re similar, but not quite the same — one’s a square, the other a rectangle.

Two-factor authentication is when you protect an account with two factors. A factor is either “something you know” (e.g. password), “something you have” (e.g. phone), or “something you are” (e.g. fingerprint). To truly be protected by two-factor authentication, your account must require two locks of different factors before granting access.


If an account is protected by two locks of the same factor, then it falls under two-step authentication (or two-phase authentication). For example, a password and a security question are both “something you know,” making authentication two-step but not two-factor. Though this can still provide adequate protection, two-factor authentication is preferable.

Just as a square is a rectangle but a rectangle isn’t a square, two-factor authentication is a type of two-step authentication but not the other way around.

Method 1: Security Questions


What is it?
When creating an account, you choose one or more security questions and set answers for each one. When logging into that account, you have to provide the right answer to each question to validate that you have rightful access.

The Pros
Security questions are extremely easy to set up. Most of the time, the service provides a dropdown menu of questions — all you have to do is pick one and give the answer. You don’t need any other equipment, devices, etc. The answer is just stored in your head.

The Cons
Many security question answers can be found in public records (e.g. your father’s middle name) or socially engineered (e.g. phishing emails or phone calls). To get around this, you can make your answer gibberish and effectively make it a second password — but be careful that you don’t lose it or forget it!

Method 2: SMS Messages


What is it?
When creating an account, you provide your mobile phone number. Whenever you want to log in, the service sends you an SMS message with a verification code that expires (usually after 15 minutes). You have to enter that code to complete the login process.

The Pros
SMS messages are extremely convenient. These days, pretty much everyone has an SMS-capable device and can receive SMS messages free of charge. Usually the messages arrive instantly, but even when they don’t it rarely takes more than a few minutes. If you ever lose your device, you can transfer your phone number so you’ll never be permanently locked out.

The Cons
You have to trust the service enough to share your phone number. Some disreputable services may use your number for advertising, or sell it off for monetary gain. And since phone numbers aren’t actually tied to a particular device, a phone number takeover lets hackers circumvent SMS-based authentication without ever touching your phone (though it isn’t easy).

Method 3: Time-Based One-Time Passwords


What is it?
When you create an account, you’re assigned a “secret key.” After installing a code-generating app (like Google Authenticator or its alternatives), you scan a QR code to load the secret key into the app. It then generates one-time passwords every so often (e.g. 30 seconds) using the secret key as a seed, and you need these one-time passwords to log in.

The Pros
The codes are generated based on a mixture of the secret key and the current time, which means you can get valid codes on your device even when you have no reception and/or no mobile service. And since the secret key is stored on the device itself, it can’t get intercepted or redirected (such as through a phone number takeover).

The Cons
You will be unable to log in if your device runs out of battery or dies altogether. Sometimes internal clocks can desync between device and service, which results in invalid codes. These are two reasons why printing backup codes is essential.

If a hacker somehow clones your secret key, then they can generate their own valid codes at will. And if the service doesn’t limit login attempts, hackers may still be able to compromise your account through sheer brute force.

Method 4: U2F Keys


What is it?
Universal 2nd Factor (U2F) is an open standard that’s used with USB devices, NFC devices, and smart cards. In order to authenticate, you simply plug it in (for USB keys), bump it (for NFC devices), or swipe it (for smart cards).

The Pros
A U2F key is a true physical factor. Unlike SMS codes, they can’t be intercepted or redirected. And unlike most two-factor methods, U2F keys are phishing-proof because a key only works with the sites it was registered with. It’s one of the most secure 2FA methods currently available.

The Cons
Because U2F is a relatively new technology, it isn’t yet widely supported. For example, as of this writing, NFC keys only work with Android mobile devices whereas USB keys mainly work with the Chrome browser (Firefox is working on it). U2F keys also cost money, often between $10-$20 but could go higher depending on how rugged you want it to be.

Method 5: Face, Voice, Fingerprint


What is it?
Facial recognition, voice recognition, and fingerprint scans all fall under the category of biometrics. Systems use biometric authentication when it’s imperative that you really are who you say you are, often in areas that require security clearance (e.g. the government).

The Pros
Biometrics are extremely difficult to hack. Even a fingerprint, which is arguably the easiest to copy, requires some kind of physical interaction. Voice recognition would need some kind of statement said in your voice, and facial recognition would need something as drastic as plastic surgery. It isn’t unbreakable, but pretty close.

The Cons
The biggest downside, and the reason why biometrics are rarely used as a two-factor method, is that a compromised biometric is compromised for life. Plus, how comfortable would you feel giving up your face, voice, or fingerprints? Would you trust them to be kept safe? Most wouldn’t.

Which Two-Factor Authentication Method Is Best?

Well, it depends on what you value most:

  • For balance, time-based one-time passwords are the best. You just have to be careful about keeping backup codes in case you lose or break your device.
  • For privacy, U2F keys are the best. They can’t be used to track you and you don’t have to give up any personal information to use them. But they cost money.
  • For convenience, SMS messages are the best. Yes, they can be intercepted or redirected, and yes, they fail with bad reception, but they’re quick, easy, and secure enough.

If given the choice, don’t ever rely on security questions as a two-factor method. If you have no other option, then prefer to use it as a second password. Don’t ever answer the question directly, especially if the answer isn’t something that only you know.

Think two-factor authentication is an inconvenience? Here are ways to make two-factor authentication less irritating.

Which two-factor authentication methods do you use most? Are you going to change your habits after reading this? Let us know in the comments below!


  1. William Conor
    October 19, 2018 at 3:52 pm

    I've enjoyed reading this, well done.

    As mentioned, SMS, Email and Voice Call can be easily intercepted. Software Token and Push Notifications are indeed easy to use but a Smartphone is not at all a Secure Device.

    Therefore going for a Hardware Token is actually a must. However, losing Smartphone and Hardware Token happens.

    So never forget to have an Emergency OTP like printed OTP List, QR Codes or a Second Hardware Token.

    MFA programs aren’t cheap so I'm using MFA OpenOTP from RCDevs because it's free up to 40 Users. Furthermore, they have good Documentation and Chat Support on their Website.

    Keep up the good work, best regards.

  2. PeteMoss4U
    November 27, 2017 at 9:16 pm

    We use time-based passwords combined with a 4 digit PIN to VPN into our network. This is after a 16 character Secure-Doc encryption password and a 16 digit network password to gain access to our laptop and local drive. Our 8 character 2F passwords are received on a Hard Token device assigned to each employee needing remote access. Soft Tokens, software based, are available which reside on a user's mobile device and are being considered for convenience's sake.

  3. dragonmouth
    November 16, 2017 at 2:29 pm

    "If you aren’t using two-factor authentication yet, you’re way behind and leaving your accounts vulnerable to hackers and phishers. "
    In that case, I am really behind the times because any transactions requiring sensitive information I conduct in person and I will continue to do so as long as the banks and other institutions do not get stupid and insist on online transactions. Ostensibly online transactions are for the customers' convenience but in reality institutions implement them to save money on their overhead. If everybody can be convinced of the 'convenience' of online banking, banks can close their branches and lay off the staff. Conducting sensitive transactions in person may be inconvenient but it is much more secure than using a computer. The price of convenience is security/privacy.

    "Many security question answers can be found in public records (e.g. your father’s middle name)"
    While on the surface the statement is true (yes, my father's first, middle and last names are public record), in reality it is nothing but FUD. To find out my father's middle name, the hacker would have to know my real name. Anybody that would use data that is public record for the answer to their security question is a fool and deserves to be hacked. There is quite a lot that IS NOT on the public record that can be used. EX: The name of a teddy bear or a private nickname for a girlfriend.

  4. Andy Hawley
    November 16, 2017 at 4:49 am

    Your article completely skipped push notification type MFA solutions. Many companies like Google now support this with Android, and products like Duo Security work on iOS and Android. For ease of use they are far superior to carrying a token, and can often fall back to SMS or OTP.