Two-factor or multi-factor authentication makes it much harder for an attacker who has obtained your password, whether by guessing, brute force or a data breach, to get into your account. It also protects accounts whose login credentials have already been compromised.

But which is the best two-factor authentication method? Many services send one-time codes by text message or email, others use an authenticator app such as Authy, and some let you register a hardware security key.

In this post, we explain the different options, what to look out for, and which two-factor authentication method is best.

Why is two-factor authentication necessary?

Usually it is difficult to tell that a password has been cracked or stolen, so an attacker can log in to your account at any time without you noticing. Relying on a single device to hold your credentials is also risky, because the device can be stolen.

However, you can combine something you have with something you know, so that you stay protected if your password is cracked or your device is stolen. If you lose your device, whoever finds or steals it cannot access your accounts without your password. If your login credentials are compromised, the attacker cannot access your accounts without your device.

What to look out for when choosing two-factor authentication 

In authentication theory there are three main factors:

  • Something you have 
  • Something you know 
  • Something you are 

In most cases you are identified on the internet by 'something you know', such as a password or the answer to a security question. The risk is that you could forget it, or that you are not the only one who knows it, because you shared it willingly or unwillingly or because it was stolen. A third party can also dig up the answers to common security questions, like your pet's name, from your social media.

The next factor is 'something you have', such as a SIM card (the phone number it serves), a phone running an authenticator app, or a security key. Services also often use this factor for account recovery if you forget your password.

Lastly, there is 'something you are', such as your face, fingerprint or voice. Biometrics are common for unlocking phones and laptops, but in those cases they usually unlock a secret stored on the device itself rather than being checked by the remote service as a second factor.

Two-factor or multi-factor authentication means combining at least two different factors. A password plus a security question is still only one factor, because both are something you know.

Common two-factor authentication methods 

Text messages 

Text messages are the most popular second factor: the service sends a one-time code to your phone. Most people carry a mobile phone, which makes this method convenient for users and providers alike.

If you lose your phone, you can ask your provider to block the old SIM card and issue a new one for the same number. Remember that you cannot log in while text messages cannot reach you, for example abroad or in an area without coverage.

The method carries real security risks. Some providers can be talked into issuing a new SIM card for your number to someone else (a SIM-swap attack) or into cloning your SIM. Attackers have also managed to divert text messages to another number, which bypasses the protection entirely.

In some countries the authorities can read or divert your text messages, bypassing this protection. And a text-message code only proves that you hold the phone: if you type it into a phishing site that relays it to the real service in real time (an attacker-in-the-middle attack), the attacker logs in as you.

Regarding privacy, a phone contract ties your identity to every service you register the number with. A prepaid SIM avoids that, but with some prepaid plans you may not be able to replace a lost SIM card and would lose the number. Either way, your mobile provider can see which services send you codes and where you receive them.

Authenticator apps

Find a reputable authenticator app, such as Authy or Google Authenticator, and install it on your phone. When you set up the app with a website, the site shows a QR code that encodes a shared secret; the app scans the code and stores the secret. From then on the app derives a time-based one-time password (TOTP) from that secret and the current time, and when you log in you enter the code currently shown to confirm your identity. The code typically changes every 30 seconds.

Some authenticator apps let you back up the secret (or let you re-scan the QR code later). This comes in handy if you accidentally delete the app or break or lose your phone, because you can set it up again. Other services give you one-time backup codes and ask you to keep them somewhere else, which raises the question of how and where to store them safely. Treat the secret and the backup codes like passwords: anyone who has them can generate your codes.

A privacy risk is that if the authenticator app requires you to register with your email address or phone number, whoever obtains that data can link your accounts together.

Note: your phone does not need an internet connection to generate the codes. They depend only on the stored secret and the clock, so the phone's clock must be roughly accurate.

Hardware keys 

A hardware key is a physical device, usually resembling a USB stick, with a chip that holds a private key that never leaves the device. When you register the key with a service, the device creates a key pair for that site and hands the service only the public key. At login the service sends a random challenge; the key signs it, together with the address of the site you are on, with its private key, and the service checks the signature against the stored public key. Because the signature is bound to the genuine site's address, a look-alike phishing site cannot reuse it, so the attacker-in-the-middle attacks that work against text messages and authenticator apps fail here.

If you lose the hardware key you can buy another, but the private keys on the old device cannot be copied to the new one. Register a second key as a backup in advance, or keep the service's one-time recovery codes somewhere safe so that you can log in and enrol the replacement key.

Hardware keys offer excellent security and, when the service implements the standard (U2F or FIDO2/WebAuthn) properly, are resistant to phishing. However, many services that accept hardware keys still require a phone number or authenticator app as a fallback, which means the account is only as strong as that weaker method.
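The following is an added example (not the post's own code and not a real FIDO implementation) that walks through the exchange described above from both sides, and then shows why a phishing proxy and a replayed response both fail. The simplifying assumption is that a per-device secret with HMAC-SHA256 stands in for the ECDSA key pair a real key would use, so that it runs on the Python standard library alone; the site names and the `client_data` layout are this example's own, loosely modelled on WebAuthn.

```python
import hashlib
import hmac
import json
import os
from typing import Dict, List, Set, Tuple


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def client_data_hash(client_data: dict) -> bytes:
    """Hash over a canonical encoding of what the browser saw: type, challenge and origin."""
    return sha256(json.dumps(client_data, sort_keys=True).encode())


class Authenticator:
    """Stand-in for a U2F/FIDO2 security key (this example's assumption: a device secret plus
    HMAC replaces the per-credential ECDSA key pair a real key would hold)."""

    def __init__(self) -> None:
        self._device_secret = os.urandom(32)
        self._counter = 0  # signature counter, lets the service notice a cloned key

    def _cred_key(self, rp_id: str, key_handle: bytes) -> bytes:
        # Per-credential key derived from the device secret, like U2F key-handle wrapping.
        return hmac.new(self._device_secret, rp_id.encode() + key_handle, hashlib.sha256).digest()

    def register(self, rp_id: str) -> Tuple[bytes, bytes]:
        key_handle = os.urandom(16)
        return key_handle, self._cred_key(rp_id, key_handle)

    def sign(self, rp_id: str, key_handle: bytes, cd_hash: bytes) -> Tuple[int, bytes]:
        self._counter += 1
        signed = sha256(rp_id.encode()) + self._counter.to_bytes(4, "big") + cd_hash
        return self._counter, hmac.new(self._cred_key(rp_id, key_handle), signed, hashlib.sha256).digest()


class RelyingParty:
    """The website: stores each credential's verification key and the last counter seen."""

    def __init__(self, rp_id: str) -> None:
        self.rp_id = rp_id
        self.origin = "https://" + rp_id
        self._creds: Dict[bytes, List] = {}  # key_handle -> [verify_key, last_counter]
        self._pending: Set[str] = set()      # challenges issued but not yet consumed

    def enroll(self, auth: Authenticator) -> bytes:
        key_handle, verify_key = auth.register(self.rp_id)
        self._creds[key_handle] = [verify_key, 0]
        return key_handle

    def challenge(self) -> str:
        chal = os.urandom(32).hex()
        self._pending.add(chal)
        return chal

    def verify(self, key_handle: bytes, client_data: dict, counter: int, signature: bytes) -> bool:
        # The browser, not the user, fills in 'origin'. A phishing page can relay our challenge,
        # but the signed client data will name the phishing domain, so it is rejected here.
        if client_data.get("origin") != self.origin:
            return False
        if client_data.get("challenge") not in self._pending:  # unknown, or already used
            return False
        cred = self._creds.get(key_handle)
        if cred is None:
            return False
        verify_key, last_counter = cred
        signed = sha256(self.rp_id.encode()) + counter.to_bytes(4, "big") + client_data_hash(client_data)
        if not hmac.compare_digest(hmac.new(verify_key, signed, hashlib.sha256).digest(), signature):
            return False
        if counter <= last_counter:  # a cloned key replaying old counters is rejected
            return False
        cred[1] = counter
        self._pending.discard(client_data["challenge"])
        return True


def browser_login(auth: Authenticator, rp: RelyingParty, key_handle: bytes, page_origin: str) -> bool:
    """What the browser does on a page at page_origin: fetch a challenge from rp (a phishing page
    proxies this step), record the page's true origin, and ask the key to sign."""
    rp_id = page_origin[len("https://"):]  # browsers bind the credential to the page's own domain
    client_data = {"type": "webauthn.get", "challenge": rp.challenge(), "origin": page_origin}
    counter, signature = auth.sign(rp_id, key_handle, client_data_hash(client_data))
    return rp.verify(key_handle, client_data, counter, signature)


def demo() -> Dict[str, bool]:
    key = Authenticator()
    bank = RelyingParty("bank.example")      # constructed site names
    handle = bank.enroll(key)
    results = {
        "genuine_site": browser_login(key, bank, handle, "https://bank.example"),
        # The user was lured to a look-alike domain that proxies traffic to the real bank.
        "phishing_proxy": browser_login(key, bank, handle, "https://bank-login.example"),
    }
    # Replay: capture one genuine response and present it a second time.
    client_data = {"type": "webauthn.get", "challenge": bank.challenge(), "origin": bank.origin}
    counter, signature = key.sign(bank.rp_id, handle, client_data_hash(client_data))
    results["first_use"] = bank.verify(handle, client_data, counter, signature)
    results["replay"] = bank.verify(handle, client_data, counter, signature)
    return results


if __name__ == "__main__":
    print(demo())  # {'genuine_site': True, 'phishing_proxy': False, 'first_use': True, 'replay': False}
```

The point to take away is that the user never types anything that could be relayed: the origin check and the per-challenge signature are done by the browser and the key, which is what makes the method resistant to the real-time phishing that defeats text-message and app-generated codes.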

Buying the hardware key with cash or cryptocurrency keeps the purchase from being linked to your identity.

So, which is the best?

Any two-factor authentication method is better than relying on a password alone. An authenticator app is a good option, provided you trust the app's maker and keep your phone secure; unlike text messages, it does not depend on your mobile provider. A hardware key with U2F or FIDO2 is the strongest option: it resists phishing and interception, although nothing is entirely hack-proof, and you still need a backup key or recovery codes for the day the key is lost.