Security Weekly

Getting Started with Multi-Factor Authentication (2FA/MFA)


Oliver Sild

Patchstack

Oliver Sild is the CEO and Co-founder of Patchstack. He is an entrepreneur and cyber security expert with a strong focus on community building. He has been organising hacking competitions (& local CTF community) in Estonia since 2016, has kickstarted a startup community in his hometown and has nearly 10 years of experience with WordPress security.

Week 26

In the last weekly, we covered the importance of password managers. Not re-using passwords improves your security posture significantly, but it is still possible for an attacker to obtain one specific password (through phishing, malware on your device, or a breach of the service itself), so it is always better to require an additional factor of authentication.

I must say, these weeklies are incredibly timely, as in the past weeks the WordPress ecosystem has been affected by a security incident in which the WordPress.org repository accounts of multiple plugin developers were compromised because they re-used passwords and did not use 2FA. You can read about this here and here. This incident highlights perfectly why both password managers and 2FA are absolutely essential.

In today's weekly, let's cover the different 2FA methods, which you should enable on every account that offers them.

Authenticator applications for TOTP

One of the most common 2FA methods is the time-based one-time password, aka TOTP (RFC 6238). When you enrol, the service and your authenticator app share a secret (that is what the QR code you scan contains). From then on the app derives a short code from that secret and the current time with a standardised algorithm (an HMAC over the current 30-second time step), and the server performs the same computation to check what you typed. Because only the shared secret and a clock are needed, app-based TOTP works offline (for example on a standalone device with no network connection). Two caveats: a TOTP code is valid wherever it is typed, so a phishing page that relays it to the real site within its 30-second lifetime still gets in; and anyone holding the shared secret (the server's database as well as your phone) can generate valid codes, so store the enrolment seed or backup codes somewhere safe rather than in a casual screenshot.

Two of the most popular authenticator apps are Google Authenticator and Twilio Authy. Since these apps are installed on your mobile device, make sure to keep that device updated and secure. In fact, many people keep a separate, disconnected smartphone just for 2FA.
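To make the "secret plus clock" description concrete, here is an added example (not code from the original weekly or from Patchstack) implementing HOTP (RFC 4226) and TOTP (RFC 6238) with the Python standard library, plus a server-side check of the kind a practitioner would want: a small drift window, a constant-time comparison, and rejection of any time step that has already been used so a code captured by a phishing page cannot be replayed. The secret below is the one from the RFC test vectors; the `verify_totp` design (window of one step, storing the last accepted counter) is an assumption of this example, not something the article prescribes.

```python
import base64
import hashlib
import hmac
import struct
import time


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps and enrolment QR codes carry the shared secret as
    base32 (often without padding and sometimes lowercase); normalise it."""
    cleaned = encoded.strip().upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6, digest=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(secret, 8-byte big-endian counter), then 'dynamic
    truncation' picks 4 bytes at an offset taken from the MAC's last nibble,
    masks to 31 bits and keeps the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digest=hashlib.sha1) -> str:
    """RFC 6238 TOTP is simply HOTP with counter = floor(unix_time / step).
    Only the shared secret and a clock are involved, hence it works offline."""
    return hotp(secret, unix_time // step, digits, digest)


def verify_totp(secret: bytes, submitted: str, unix_time: int, last_counter: int,
                window: int = 1, step: int = 30):
    """Server-side check (design assumed for this example). Accepts the current
    time step and `window` steps either side to tolerate clock drift, compares
    in constant time, and refuses any step not newer than the last accepted
    one, which blocks replay of a code captured during its 30-second lifetime.
    Returns (accepted, counter_to_store)."""
    now_counter = unix_time // step
    for delta in range(-window, window + 1):
        counter = now_counter + delta
        if counter <= last_counter:
            continue  # already consumed (or older than the last success)
        if hmac.compare_digest(hotp(secret, counter, len(submitted)), submitted):
            return True, counter
    return False, last_counter


def current_code(encoded_secret: str) -> str:
    """What the app on your phone shows right now for this secret."""
    return totp(secret_from_base32(encoded_secret), int(time.time()))


if __name__ == "__main__":
    # base32 of the RFC 4226/6238 test secret "12345678901234567890"
    print(current_code("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"))
```

Note that the window and the stored counter are what separate a usable implementation from a textbook one: without the window, phones whose clocks drift by a few seconds are locked out; without the counter, a code that was phished 10 seconds ago is still accepted.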

SMS based 2FA

Probably the most common, and often the default, 2FA option is sending authentication codes by SMS. Since nearly everyone has a phone number and can receive text messages, it is arguably the easiest 2FA option available.

Unfortunately, convenience and security do not blend well here. SMS is not a secure communication channel by any means (messages cross the carrier network unencrypted and can be intercepted through weaknesses in the SS7 signalling network), and, making matters worse, you are relying on the account-recovery processes of the telco that issued your phone number in the first place.

An attacker can either convince the carrier that they are you and have your number moved to a SIM card they control, or use unregulated third-party SMS routing services to have your messages redirected to them. Specific methods come and go, but SIM swapping in particular remains incredibly effective and a very common technique in the attacker's arsenal. If you must keep SMS 2FA for a while, at least set a port-out PIN or account passcode with your carrier so a number transfer needs more than a convincing phone call.

Hardware based 2FA

Using a completely separate piece of hardware as your second factor is considered the most secure option, and, unsurprisingly, the least convenient. The usual form is a FIDO security key (U2F, or its successor FIDO2/WebAuthn) shaped like a small USB stick that you plug into your device and touch when prompted. Unlike TOTP and SMS there is no code to type: the key signs a challenge from the site with a private key that never leaves the device, and the browser binds that signature to the site's real origin, so a look-alike phishing page cannot obtain a signature the real site will accept. That origin binding, not merely the separate hardware, is what makes security keys the only option in this list that is resistant to phishing.

The best-known vendor of such keys is Yubico, whose YubiKeys come in USB-A, USB-C (which also fits Thunderbolt ports), Lightning and NFC variants. You should always register at least two keys on each account (one as a backup kept somewhere safe), which is what makes this the most expensive 2FA setup: each key costs roughly $25 to $100 USD.
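To show why a security key resists the phishing that defeats TOTP and SMS, here is an added example (not code from the original weekly or from Patchstack) that simulates the three parties in a WebAuthn login: the key, the browser and the site ("relying party"). It keeps the real message layout (the key signs `authenticatorData || SHA-256(clientDataJSON)`, where the browser, not the page, writes the origin into clientDataJSON and derives the rp_id from it) and the real server-side checks (single-use challenge, origin, rpIdHash, increasing counter, signature). One simplification is labelled in the code: a real key signs with a per-site ECDSA key pair, while this simulation uses HMAC-SHA256 with a per-site secret so it runs on the standard library alone. The hosts bank.example and bank-login.example are made up for the example.

```python
import base64
import hashlib
import hmac
import json
import os
import struct


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


class SimulatedKey:
    """Stand-in for a FIDO security key. Simulation only: a real key holds an
    ECDSA key pair per site; here HMAC-SHA256 with a per-site secret plays the
    role of the signature. The message that gets signed is the real layout."""

    def __init__(self):
        self.site_keys = {}   # rp_id -> secret that never leaves the device
        self.counter = 0

    def register(self, rp_id: str) -> bytes:
        self.site_keys[rp_id] = os.urandom(32)
        return self.site_keys[rp_id]   # with ECDSA the site would receive a public key

    def get_assertion(self, rp_id: str, client_data: bytes):
        key = self.site_keys.get(rp_id)
        if key is None:
            return None    # no credential registered for this rp_id: key refuses
        self.counter += 1
        # authenticatorData = SHA-256(rp_id) || flags (user present) || 32-bit counter
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", self.counter)
        sig = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        return auth_data, sig


def browser_get_assertion(key: SimulatedKey, page_origin: str, challenge: bytes):
    """navigator.credentials.get() as the browser performs it: the browser, not
    the page's JavaScript, records the origin it is really on and derives the
    rp_id from that origin's host."""
    rp_id = page_origin.split("://", 1)[1].split("/")[0].split(":")[0]
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": page_origin}, separators=(",", ":")).encode()
    result = key.get_assertion(rp_id, client_data)
    return None if result is None else (client_data, *result)


class RelyingParty:
    def __init__(self, origin: str, rp_id: str):
        self.origin, self.rp_id = origin, rp_id
        self.credentials = {}   # user -> [verifier, last_counter]
        self.pending = {}       # user -> outstanding challenge

    def begin_login(self, user: str) -> bytes:
        self.pending[user] = os.urandom(32)
        return self.pending[user]

    def finish_login(self, user: str, client_data: bytes, auth_data: bytes, sig: bytes) -> str:
        cd = json.loads(client_data)
        challenge = self.pending.pop(user, None)     # single use: a replay fails here
        if challenge is None or cd.get("challenge") != b64url(challenge):
            return "rejected: unknown or reused challenge"
        if cd.get("type") != "webauthn.get" or cd.get("origin") != self.origin:
            return "rejected: origin mismatch"
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return "rejected: rpIdHash mismatch"
        verifier, last = self.credentials[user]
        counter = struct.unpack(">I", auth_data[33:37])[0]
        if counter <= last:
            return "rejected: counter did not increase"
        expected = hmac.new(verifier, auth_data + hashlib.sha256(client_data).digest(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return "rejected: bad signature"
        self.credentials[user][1] = counter
        return "ok"


def setup():
    key, rp = SimulatedKey(), RelyingParty("https://bank.example", "bank.example")
    rp.credentials["alice"] = [key.register("bank.example"), 0]
    return key, rp


def legitimate_login() -> str:
    key, rp = setup()
    challenge = rp.begin_login("alice")
    return rp.finish_login("alice", *browser_get_assertion(key, "https://bank.example", challenge))


def phished_login():
    """Attacker-in-the-middle on https://bank-login.example relays the bank's real
    challenge to the victim. The browser derives rp_id = bank-login.example, the
    key has no credential for that site, so there is nothing to relay back."""
    key, rp = setup()
    challenge = rp.begin_login("alice")   # attacker obtained it by starting a login as alice
    return browser_get_assertion(key, "https://bank-login.example", challenge)


def replayed_login() -> str:
    """An assertion captured from a genuine login is submitted a second time."""
    key, rp = setup()
    challenge = rp.begin_login("alice")
    captured = browser_get_assertion(key, "https://bank.example", challenge)
    rp.finish_login("alice", *captured)
    return rp.finish_login("alice", *captured)
```

Contrast this with TOTP: a six-digit code is valid wherever it is typed, so the same relay page simply forwards it and logs in. With a security key the phishing attempt dies in the browser, and even an assertion captured from a real session is rejected because the challenge is consumed and the counter must increase.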

Conclusion

In my opinion, 2FA should be enforced almost everywhere. If you are ready to sacrifice some convenience for the strongest (and only phishing-resistant) option, get a couple of YubiKeys; depending on your workflows it might not be that inconvenient at all (I don't think it's that bad). If you are looking for a free option, settle for a TOTP-based authenticator app such as Google Authenticator, and save the backup codes the service gives you at enrolment. Lastly, any second factor is better than a single factor, so if nothing else is available, keep SMS-based 2FA on; just keep in mind that it is not as secure as the other options and replace it with at least a TOTP app as soon as one becomes available.
