2FA: You're Doing it Wrong
In its 2021 transparency report, Twitter said that only 2.3% of all active accounts used two-factor authentication between July and December 2020. While some companies such as Google (according to which 100% of automated bot hacks and 66% of targeted attacks can be blocked thanks to 2FA) are pushing people to use it, by enrolling them by default, it is not widely adopted by users yet. According to Persona, 38% of large firms do not use 2FA.
Why is that so? Maybe because plenty of people are still confused about the benefits of using 2FA and how to use it properly (for example, I know a couple of people who used Google Authenticator on their phone without any backup until recently), or maybe they just don't know what it is.
In this article, I want to discuss the benefits of 2FA and its pitfalls, and present various strategies that can be employed to get the most out of multi-factor authentication.
What is Multi-Factor Authentication?
The National Institute of Standards and Technology (NIST) defines multi-factor authentication as follows:
An authentication system that requires more than one distinct authentication factor for successful authentication.
Authentication Factors
There are three main types of authentication factors. If you own online accounts or a smartphone, chances are you already use them all. As you probably guessed, two-factor authentication (2FA) means that you are using two different factors on this list.
Something You Know
This is by far the most common one. Basically, it includes anything that you have memorized. For example, a password or a PIN code.
Something You Have
Something you have refers to a physical item in your possession. It could be a physical security token, a phone (using an authenticator app with HOTP or TOTP, or push notifications), a security key, or a smart card.
SMS authentication codes also fall into this category, but they are usually the least preferable form of authentication due to the risks of interception and SIM swapping attacks. If you must use SMS-based multi-factor authentication with an account, always make sure (if possible) that SMS can’t be used to reset your password, or consider using a phone number that nobody knows.
Something You Are
This factor is used to authenticate you using a physical feature of your body. For example your fingerprints, iris, voice, …
Benefits of Multi-Factor Authentication
Basically, the benefit of multi-factor authentication is to make your online accounts more secure by ensuring that even if a malicious actor manages to compromise your password, they still will not be able to log into your account.
For some more context:
- According to Microsoft, 99.9% of the attacks on accounts can be stopped with multi-factor authentication
- Even strong passwords can't protect you against all attacks (Microsoft blog)
- 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks can be stopped by 2FA (Google)
- More than 24 billion account usernames and passwords were exposed by cyber-threat actors as of this year (Digital Shadows)
Why You Are Probably Not (Properly) Using 2FA?
If you are using 2FA, it is statistically more likely to be through SMS delivery (which is not recommended), push notifications, or TOTP.
Simply put, TOTP is the algorithm used when a website tells you to get Google Authenticator and scan a QR code. The server generates a secret key that your authenticator application uses to generate a one-time password (usually made of 6 digits) that changes with time (usually every 30 seconds). When you try to log in with the one-time password, the server calculates the one-time password as well (using the same secret key) and checks that it matches what you provided.
If you are following the best security practices, you probably have a password manager to store your passwords (and if not, you should). You also probably either synchronize your password manager with your phone and use a 2FA application (such as Google Authenticator) on that same phone, or use your password manager's built-in feature for managing one-time passwords. Either way, the password and the one-time password live in the same place, which means that you effectively only have a single authentication factor.
Is It Bad?
So, you are not really using 2FA. Is it bad? Well, it is not necessarily that bad… Even if you don’t get all the benefits of properly using multifactor authentication, you are still protected from having your accounts compromised if a malicious actor manages to obtain your password in ways such as:
- You log into your account using a compromised third-party device
- You fell for a phishing attack
- You log into your account using a weak network protocol on an insecure network
- Another website where you are using the same password is compromised, and the malicious actor tries your account’s id and password in other places (though this should not happen because you are following best security practices and using a different password for each website)
However, if for some reason your device or password manager software is compromised, it will be possible for a malicious actor to gain access to all of your accounts.
How to Make Things Better
I would argue that - as long as you are aware of the risks it entails - you do not necessarily need to make things better, at least not for all of your accounts. Let me explain before you boo me.
You probably have a lot of accounts. Some of them are important, and losing control of them would cause you great damage (for example your email account, or the registrar where you have your domain names). Some of them are not that important. Sure, losing your Netflix account would be slightly annoying, but it doesn't store sensitive information, and someone accessing it can't cause you any real damage (such as transferring your money away).
Managing proper multi-factor authentication will likely be more troublesome, so for less important accounts it might be a good trade-off to lose a bit of security to win a lot of convenience. Let's review various things that you can implement.
A Word on Backups
First off, let’s talk about something important but often neglected: backups. You need to be aware that, regardless of your 2FA management method, if you lose access to whatever you use for 2FA, it will be extremely painful to regain control of your accounts.
Even if you are using online services to store your passwords and 2FA codes, there is a trap. Let’s say you use Authy to manage your TOTP codes. Authy allows you to encrypt your backup with a password. You use this option, and store the password on your password manager. For some reason, you lose control of the devices where you are logged into Authy and your password manager. This means that you won’t be able to access Authy because you don’t know the backup password, and you won’t be able to access your passwords because you can’t provide the 2FA code to your password manager.
Anyway, I will discuss some options that you can use for the backups, but make sure to always have some which are:
- Not protected by a password recorded only in your password manager
- In different geographical locations
- Usable: you want to test your backups regularly. Nothing is worse than having to use backups and discovering that you can’t use them because of a format error or whatever
Most Secure (Proper) 2FA
This option is the most secure. We do everything by the book, and we make sure that our passwords and TOTP/recovery codes are not stored in the same place. The option I would recommend for that is to use security keys such as Yubikeys. There are two ways to use such keys:
- FIDO U2F: basically you just have to touch the key to confirm that you want to log into a service. This is good and convenient, but it might not be supported by your smartphone, and a lot of services do not support it either
- Store your TOTP secrets on the Yubikey and use its authenticator application. This way you can generate one-time passwords from any device, and the secret key never leaves the Yubikey, but there is a limit on the number of items that you can store
In addition to these constraints, you must make sure to have backups in case your key is lost. The way I recommend managing them is to have at least one backup key and a notepad with the recovery codes stored in a secure location. A quick word on the recovery codes: they are basically one-time passwords pre-generated by the service for the case where you lose the device you use to store your TOTP codes. You don't necessarily need them if you have a backup of the secret TOTP seed key.
This method gives you high security, but it comes at a cost: convenience. Taking care of always keeping the backup synchronized is time-consuming. Because of that, I recommend using this method for very important accounts: you need them to be as secure as possible, and because they likely won't change much, there is little maintenance to do as far as the backup goes.
Other Forms of 2FA
If you don't want to bother with manually creating a backup for every service that you use, you can still keep your password manager unsynchronized from your smartphone, and use your smartphone to store your 2FA codes using software like Authy (not ideal for your privacy) or a password manager such as Bitwarden (but only store 2FA codes within it).
Note that whatever software you use to store and synchronize your 2FA codes, you still need to have backups allowing you to recover access to it (and all its data).
Not Really 2FA, But…
If the previous options are not feasible for you (although you should really at least protect your most important accounts with a security key), using TOTP codes in a way that is not proper 2FA is still better than not using them. In this case, there are still some things you can do to improve your security a little bit:
- consider using a different password manager to store your TOTP codes than the one holding your passwords. This way, if your main password manager is compromised, your accounts are still safe
- consider only using the software where you store your TOTP codes on a single device, such as your smartphone. This way, you reduce the attack surface (even if your computer is compromised, your 2FA codes are safe)
Once again, even using your password manager to store both your passwords and get your 2FA codes is still better than doing nothing, and will offer you a good level of extra security while not costing you any inconvenience.
Sources and Extra Reading
- Questions…and buzz surrounding draft NIST Special Publication 800-63-3 (NIST)
- New research: How effective is basic account hygiene at preventing hijacking (Google Security Blog)
- Two-factor authentication statistics (Persona)
- Your Pa$$word doesn’t matter (Microsoft)
- Account Takeover in 2022 (Digital Shadows)
- Can We Stop Pretending SMS Is Secure Now? (Krebs on Security)
- Cover Image by mohamed Hassan from Pixabay