Two Factor Authentication

TWO FACTOR AUTHENTICATION

Using an ATM requires both a plastic card and a password. Two things. Two factors. In computing "two factors" refers to needing the usual userid/password and something else to gain access to a system. Thus, a stolen password becomes useless as its only half the story.

The robotic response from every computer nerd is to use Two Factor Authentication (2FA). But, it is not that simple. In the topic on SIM Swaps there are links to articles by people who became vulnerable only because they were using 2FA. These victims had their cellphone number stolen, so that it could be used to abuse 2FA text messages and change the passwords on many accounts. No 2FA text messages, no password changes.

A hidden problem with two factor authentication is the fallback scheme for when it breaks. For example, you can not get text messages when your cellphone is lost, stolen, broken or in the middle of nowhere without a cell signal. What then?

There are different types of 2FA and no one right answer for everyone.

LEAST SECURE TYPE OF 2FA

The least secure type of 2FA, is a temporary code sent in a text message to a cellphone. It is very popular even though there is no security for text messages at all. Bad guys have tricked victims into reading them the temporary code in the text message. Fidelity Investments (and no doubt others) combat this by warning their customers, in the text message itself: DO NOT SHARE THIS CODE WITH ANYONE. See screen shot. This should be a standard practice.
Less popular, is the use of email to provide the temporary code. In the US, the Social Security Administration takes this approach.
Still another option is a phone call where a temporary code is spoken aloud. Or, a phone call where all you need to do is touch a button on the phone. The advantage of a phone call is that it can be used with a land line making it much more secure, although, obiously, less flexible.

MIDDLE SECURE TYPE OF 2FA

A more secure type of 2FA involves a Time Based Onetime Password (TOTP) generated by an app running on a mobile device. These are often referred to as Authenticator Apps. They generate a different code every minute (give or take) thus the "time based" in the name.
Since 2FA involves installing software, look for a product that supports the Operating Systems you use. Authy, for example, stopped supporting Windows, macOS and Linux in March 2024. Many 2FA apps only run on iOS and/or Android. For use on both mobile and desktop OSs, consider a password manager such as Bitwarden, 1Password and Dashlane, which also function as Authenticator apps.
WHICH AUTHENTICATOR APP?
- One widely cited app is Authy and there is more about it below.
- On iOS, Steve Gibson likes an app called OTP Auth (as of Oct. 2023). I have heard Leo Laporte recommend 2FAS which is free and open source (as of Oct. 2023). 2FAS has an app for both Android and iOS. It also exists as a web browser extension for Chrome, Brave, Firefox, Edge, Opera and Safari where it can run on desktop operating systems.
- Security firm Mysk recommends Aegis Authenticator which is in the F-Droid app store for Android.
- January 9, 2024: The Best Two-Factor Authentication App by Max Eddy and Thorin Klosowski for Wirecutter (Last updated June 27, 2024). They recommend Duo Mobile for the best combination of compatibility, security, usability, and reliability. The app is free for 1-10 users, then $3/user/month. It works on Android and iOS and has a simple user interface. Backup is optional but only goes to Google Drive or iCloud, not the best way to do this, in my opinion. Also, you can not use a backup created on one mobile OS, in the other mobile OS. So, while the app may run on both, their backups do not. They called Aegis Authenticator a good option for Android. Aegis is open source, supports local encryption and supports manual exports for backups. After an update, Aegis was downgraded and now their second choice is Google Authenticator, which they point out, does not use end-to-end encryption to secure backups. Thus, I question their judgment. Their gripe with Aegis is that the backup process is opaque, and it offers little support for new users. They tested FreeOTP but said nothing about it all. Strange.
- February 27, 2023: Best authenticator apps for Android and iOS by Ashwin. He likes Aegis Authenticator by Beem Development. This is why: you do not need an account or a phone number to use it. It is free and open source, but Android only. It can backup the authentication tokens locally, and optionally, synced then to Google Drive (I am not a fan of this). The backups are encrypted with a password of your choice, which is really great and easily lets you have Aegis installed multiple Android devices. It also does app-run security in the form of screen lock or biometric unlock. He also liked Google Authenticator but on Android, it does not have any app-run security (it does on iOS, go figure). He also likes KeePass a family of password managers, some of which also do TOTP. One advantage is that there are versions of KeePass for desktop OSs. KeePass is free and open source. On Android, he like KeePass2Android, on iOS he likes Keepassium on iOS.
- In February 2023, Naomi Brockwell did a video, Most PRIVATE 2FA apps that looked into 2FA apps to see which are spying on you. The bad ones they found were Authy and Microsoft Authenticator. The good ones were FreeOTP from RedHat (available on iOS and Android), Aegis Authenticator (Android only), andOTP and TOTP (Android only). 2FAS has trackers and spies on you, but just a little.
  Note that andOTP was discontinued in 2021.
- Google Authenticator is also widely suggested, but it seems like a miserable choice. Anyone who recommends it is showing off their ignorance.
  1. If you should lose control of your Google account, there is no help. The price of free software/services is no technical support.
  2. Google Authenticator can only run on one mobile device. If it is lost or stolen, you are screwed (more below).
  3. A this toot from security firm Mysk, on March 4, 2024:
    Google Authenticator still syncs two-factor authentication secrets without E2EE. If you enable cloud syncing, this means:
    1-Google can read the secrets and generate one-time passwords for your accounts
    2-Google knows the services you use
    3-Google knows your usernames
    4-Given a court order, Google is obliged to hand over this data to law enforcement
  4. In December 2024, Brian Krebs wrote How to Lose a Fortune with Just One Bad Click about someone who had their Gmail account compromised. This led, to all their 2FA codes leaking to the bad guys and that lead to really bad things. Quoting: ""By default, Google Authenticator syncs all one-time codes with a Gmail user’s account, meaning if someone gains access to your Google account, they can then access all of the one-time codes handed out by your Google Authenticator app. To change this setting, open Authenticator on your mobile device, select your profile picture, and then choose 'Use without an Account' from the menu. If you disable this, it's a good idea to keep a printed copy of one-time backup codes... "
    Rather than make a configuration change, it is safe to say that anyone with a Gmail account should not use Google Authenticator.
A problem with both of these first two types of 2FA is a scam website. If you enter both your password and the temporary code into a scam website, the bad guys have it. This is exactly how Twitter was hacked in July 2020. According to the Twitter Investigation Report from the New York State Department of Financial Services (Oct. 2020), the bad guys called Twitter employees claiming to be from the IT department. "The Hackers claimed they were responding to a problem the employee was having with Twitter's VPN. Since switching to remote working, VPN problems were common at Twitter. The Hackers then tried to direct the employee to a phishing website that looked identical to the legitimate Twitter VPN website and was hosted by a similarly named domain. As the employee entered their credentials into the phishing website, the Hackers would simultaneously enter the information into the real Twitter website. This false log-in generated an MFA notification requesting that the employees authenticate themselves, which some of the employees did." To not be fooled by similarly named domains, see the topic here on Understanding Domain Names.

MOST SECURE TYPE OF 2FA

The most secure option involves a physical thingy (often called a "key") you connect to a computer/tablet/phone that verifies your identity. No key no access. Here is a good introductory article: How Does a Hardware Security Key Like YubiKey Work by Leo A. Notenboom (July 13, 2023).

There are, of course, downsides to the use of security keys

The thingies cost money, expect to pay about $50 US
Different computing devices require different thingies (USB-A, USB-C, NFC, Lightning, etc)
Not many systems support this type of 2FA. For example, Fidelity, which manages over 11 trillion dollars, does not support security keys. According to the Citibank Security Center they too, do not support security keys.
The software on the security keys might be buggy.

Also, if the use of these security keys for a given account is optional, then your protection is only as good as the weakest link in the chain. If, for example, an account supports both text messages and security keys for 2FA, then bad guys can still exploit text messages by SIM swapping your phone number away from you.

Apple introduced support for security keys to safeguard an Apple account around March 2023 but they screwed up, big time. Anyone who steals an iPhone with the unlock code can just disable the security keys. For security keys to provide the maximum security, they must be required. If there is a back door way around them, then they are a waste of money.

Overkill: The Best Security Key for Multi-Factor Authentication by Yael Grauer and Thorin Klosowski for Wire Cutter (last updated July 27, 2022). In effect, what is described here is 3FA. it combines an authenticator app with a Security Key. Quoting:
"... the [Yubico YubiKey ] 5 Series can generate time-based one-time passcodes for up to 32 accounts, similar to how the Authy and Authenticator mobile apps work, but the credentials are stored on the key. This feature requires downloading the Yubico Authenticator app, and it works with services that support other authentication apps such as Authy. When you run into a site with software authentication but not key support, you can store those codes on the key. The Yubico app will then display those codes only if the key is connected, so even if someone managed to get your phone, they’d still need the key to access the authentication codes. None of the other keys we tested ... have this functionality. But using this feature puts the onus on you to save all the two-factor backup codes or to store credentials on a second key, so make sure you’re comfortable doing so."
The Yubico Authenticator app runs on Windows, macOS, Linux, iOS and Android.

ASSORTED NOTES

More security means more hassle. Once you step up to 2FA, you should look to also create backup codes in case something goes wrong with the 2FA scheme. Not only should you create backup codes for every site using 2FA, you also need to save them (maybe print them out) where you can later find them. Some sites allow you to create a single backup code, others go up to 10. Google 2FA supports multiple backup codes. See How to retrieve your Google 2FA backup codes by Jack Wallen (Aug 2018)

Moving a 2FA app to a new phone: Google Authenticator should be easy to migrate. It allows you to export your information, which can then be imported on the new device. Microsoft Authenticator is difficult to move. You can use it to authenticate to Microsoft 365, but it does not back up to the 365 profile. Instead, it uses a consumer Microsoft Account.

To check if the companies you deal with offer 2FA, see 2fa.directory. It is pretty lame, but all we have.

In Alternative Ways to Protect Yourself from Being Spearfished (Jan 2020) Ivan Drucker relates his struggles trying to get non-techies to use an authenticator app. Then, he suggests using Google Voice as an alternative to both authenticator apps and your real cellphone number.

Background: Two-Factor Authentication: Who Has It and How to Set It Up by Eric Griffith (March 2019).

History: In the old days, there was a different type of two factor authentication. Citibank called theirs a security token. It was a physical device that created a second password, usually just a number. The Citibank model required you to press a button to generate the second password. Many other models would display the second password all the time, but change it every minute.

Background: Two-Factor Authentication Keeps the Hackers Out by Leo Notenboom (June 2016).

Making Authy more secure

Google Fi hack victim had Coinbase, 2FA app hijacked by hackers by Lorenzo Franceschi-Bicchierai February 1, 2023. A Google Fi user got hit by a SIM swap attack that resulted in his Authy account getting hacked. Since the hacker had control of the phone number, the hacker was able to add a new device to the Authy account and from there take control of other accounts belonging to the victim.
There is no defense mentioned in the above article, but Dan Goodin added some of his own (below) on Mastodon.
Enroll at least one other device in your Authy account. This will ensure that you always have at least 2 devices enrolled, in case you lose one of them.
Have your Authy account set to disable multi device. This will ensure that someone who gains control of your phone number will not be able to enroll new devices.

PLANNING FOR 2FA FAILURES

Authy has two backup options

You can back up an encrypted version of your codes to Authy servers by enabling the Backup Password option.
You can also install and use the app on multiple devices with the same codes on each device.

Google Authenticator can not be run on two devices. Worse, Google seems to have no strategy for a lost or stolen device. Quoting Google: "Google Authenticator codes are stored locally on your device. To remove the codes, use the remote erase device option for iOS or Android. If this option is unavailable, visit every site that you have Google Authenticator set up on to remove the codes, and then relink your new device." Ouch. Also, a hack of a Google account is bad enough. Including codes from their 2FA Authenticator app, would just make a bad situation even worse.

A must-read. A Lost-Second-Factor Tale of Woe and How to Avoid Your Own by Leo A. Notenboom November 2022. Google Authenticator installs on one device. Lose that device, and you lose your authenticator, unless you plan ahead. When you associate Google Authenticator with an account, there is a QR code you need to scan with the Google Authenticator app. Take a screenshot of that QR code and save the image in a safe place. It can be used if you ever have to re-install Google Authenticator. There is also an option to save a string of text. Better yet, use Authy which can be installed on multiple devices that synch with each other.

Getting Locked Out of Your Digital Life Is Bad. Here’s How to Avoid It. by Nicole Nguyen for the Wall Street Journal July 9, 2023. The focus here is on authenticator apps, warning that the bad ones store codes on your device (think phone). Lose the device and can not get into your accounts. Two such apps that backup to the cloud are Authy and Google Authenticator. The article discusses some other options for what to do after losing the device running your authenticator app. One option, is backup codes created for just this sort of thing. Gmail, for example, lets you generate and save a bunch of emergency codes (this is not mentioned in the article). Or, you may be able to login with just a password on another device, if you used the less secure option "Don't ask again on this device". If you have another device logged in to Google or to Facebook, each company can use that device to verify your identity. The least likely option (my opinion) is a system that supports both an authenticator app and a security key (real physical key) where you use the security key to login if the authenticator app is not available.