Online accounts and passwords are more vulnerable to hacking than ever, with major database breaches seemingly happening every day.
That’s why it’s so important to protect your accounts with not just a strong password – but multiple layers of security working in tandem to ensure your information stays private.
What is multi-factor authentication?
Multi-factor authentication, often called MFA or 2FA, is a great way to beef up security by adding an extra step to log into your account. That makes it much more difficult for people without the proper credentials to log in.
One of the most common methods used by platforms today is based around time-based one-time passwords, or TOTP. Authenticator apps are the most common way to generate these passwords.
How does it work?
An online account compatible with the method can generate a unique QR code that pairs the account with the authenticator app of choice.
Both the account and the app receive a shared secret key – a randomly generated, encoded string of characters. The hash algorithm used to compute codes from that secret, the code length, and the time step are also shared.
From then, the app takes the current Unix timestamp and divides it by the time step to get a counter.
The counter is then run through the HMAC algorithm using the shared secret as the key.
Then, the output is truncated to a 6-digit number.
Both sides do this with the same secret and time stamp, so they can arrive at the same number without communicating – the server just checks that the code matches.
Since the time step is usually only 30 seconds, codes are invalidated very quickly, so interception is not useful. Additionally, the secret itself cannot be reverse-engineered from the code.
The biggest risk to the system is secret storage – some apps back up the secret to a cloud service in plaintext, meaning you’ll want to choose a trustworthy platform that encrypts the secrets.
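To make the steps above concrete, here is an added example (not code from the original article) that implements the TOTP scheme it describes: base32 secret from the QR code, HMAC over the time counter, dynamic truncation to six digits, and a server-side check with a small skew window. The secret is the public RFC 4226/6238 test-vector key, used here purely as a constructed demo value; the function names and the last_counter replay guard are this example's own design, not any particular app's API.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 4226/6238 test-vector key (ASCII "12345678901234567890"),
# base32-encoded the way a provisioning QR code carries it.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def decode_secret(secret_b32):
    """Turn the base32 secret from the QR code back into raw key bytes (padding repaired)."""
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key, counter, digits=6, algo=hashlib.sha1):
    """HMAC-based one-time password (RFC 4226): HMAC(key, counter), then dynamic truncation."""
    msg = struct.pack(">Q", counter)                  # 8-byte big-endian counter
    mac = hmac.new(key, msg, algo).digest()
    offset = mac[-1] & 0x0F                           # low nibble of last byte selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)   # keep the low `digits` decimal digits


def totp(key, at=None, step=30, digits=6, algo=hashlib.sha1):
    """Time-based one-time password (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    if at is None:
        at = int(time.time())
    return hotp(key, at // step, digits, algo)


def verify_totp(key, submitted, at=None, step=30, digits=6, window=1, last_counter=-1):
    """Server-side check. Returns the matched time counter (store it as the new
    last_counter) or None. Accepts `window` steps either side of now for clock skew,
    compares in constant time, and rejects any counter already used so a code
    captured in flight cannot be replayed inside the acceptance window."""
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    if at is None:
        at = int(time.time())
    counter = at // step
    for c in range(counter - window, counter + window + 1):
        if c > last_counter and hmac.compare_digest(hotp(key, c, digits), submitted):
            return c
    return None


if __name__ == "__main__":
    key = decode_secret(DEMO_SECRET_B32)
    now = int(time.time())
    code = totp(key, now)                      # what the authenticator app displays
    print("app shows:", code)
    print("server accepts now:", verify_totp(key, code, now) is not None)
    print("same code 60s later:", verify_totp(key, code, now + 60))   # None: expired
```

Two design points worth noting: the server never receives or transmits the secret, only the six digits, which is why both sides can agree on the code without communicating; and because a code stays valid for the whole window, a server should remember the last counter it accepted and refuse to accept it again, otherwise a code seen by a shoulder-surfer or a phishing page can be reused once before it expires.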

Why use an authenticator? Why not SMS?
The Australian Signals Directorate flags SMS as a less secure option than other forms of multi-factor authentication.
SMS is a significantly less secure way to authenticate than time-based one-time password options, and there are several reasons.
SMS security is weak
SMS 2FA codes are sent unencrypted to your device, making them vulnerable to number spoofing or man-in-the-middle attacks.
If an attacker has your mobile number, they can try to get your number transferred to an account that they control, after which all your codes will go to them.
The underlying protocol that SMS relies on was never designed with security in mind, and has exploitable flaws that an attacker can leverage. Additionally, if your device has any malware on it, SMS codes can be intercepted and stolen before you ever see them.
Authenticators generate and display codes locally
Authenticator apps generate codes locally, meaning there’s nothing sent over a network for an attacker to intercept.
The actual codes expire every 30 to 60 seconds in most cases, meaning they’re quite difficult for attackers to steal and reuse. SMS codes often take up to 15 minutes to expire, meaning they’re more vulnerable.
However, even SMS is better than nothing
Even if SMS is considered a weaker method than TOTP, it’s much better than not having multi-factor authentication at all. If the service you’re using provides an SMS option but no TOTP option, you should still opt into it instead of nothing at all.
What multi-factor authentication options are available?
Many options are out there for authentication – both paid and free. The time-based one-time password algorithm itself is a cornerstone of open authentication, so there are many excellent free options.
When opting for one, there are a few features to keep an eye out for. At their most basic, authenticator apps display a code that you enter into a website when logging in.
However, some apps are able to give you easier access with one-tap approvals for compatible services.
Some apps allow you to use them without a login, but you’ll miss out on features like cloud syncing and backup, which can make it difficult to retrieve accounts if you lose your phone.
Others are part of a broader suite of tools, combining password management and authentication into one app that streamlines your account management process.

Bitwarden Authenticator
Bitwarden is by far my favourite option for both password management and authenticator usage.
The program is fully transparent, open-source and undergoes regular auditing to ensure it’s one of the most secure methods on the market for managing your online accounts.
Best of all, Bitwarden has a completely free tier so you don’t have to pay anything to get set up.
To use it, you’ll have to set up an account. Once you’ve done that, you can use Bitwarden across PC, Mac, and mobile platforms with simple biometric logins or a master password option.
Both the password manager and authenticator are available for free as separate apps.
If you upgrade to a paid tier, you can store MFA passcodes alongside the accounts they belong to right in the account management app. Then, when you autofill a password the app will even copy the MFA passcode to your clipboard to streamline your login.
Bitwarden provides robust apps with autofill solutions for both desktop and mobile platforms, making it easy to share passwords from your PC to your smartphone.
The system syncs your authenticators and passwords across platforms from the company’s highly secure cloud storage, or you can even self-host the full stack if you’re an enthusiast looking for an extra layer of privacy while taking care of your own security.
You can check out Bitwarden and find out the benefits on their website.

YubiKey
If you’re looking for the gold standard in account security, you might want to check out physical options like YubiKey.
Instead of using a passcode like other apps, YubiKey is a physical object that you either plug into your device or tap via NFC to authenticate a login.
Unlike authenticator apps, YubiKey uses a public key cryptography method that makes it more robust against phishing attacks.
There are a range of YubiKey options available, from basic USB and NFC options to biometric authentication methods with fingerprint.
YubiKey is a one-time purchase model for individual usage, and keys start from about $50.
Once you have one, you can connect it to your accounts and password manager including Bitwarden and 1Password, making it easy and convenient to make your login more secure.
Initial setup can be a bit of a process while you add it to your accounts, but day-to-day usage is generally seamless and easy.
It’s a great way to add a physical layer of security to your most important accounts, like your email and password manager.
One YubiKey is enough to get started – but it may be tricky to recover your account so consider purchasing two so you have a backup.
To explore information and options, you can check out more on the Yubico website.

1Password
1Password is a popular paid option that handles password management and authenticator functions with a monthly or annual fee.
It’s quite a bit more expensive than other options like Bitwarden’s paid tier, but offers a slightly more streamlined interface. The company also promises better alerts for breached and reused credentials, stronger secret key encryption, and robust customer service.
The app is built from the ground up to combine both password management and authentication functions, making it easy to manage all your account logins without switching between multiple apps.
Many companies offer 1Password as an option for you to login for work accounts while supplying a personal account as well. You can check out more information on the website.
Microsoft Authenticator
Microsoft Authenticator is another popular free option that supports passwordless login, push notification logins, biometric access, and cloud backup.
Similar to Google Authenticator, this app makes it easy to scan in and access new authenticator codes.
Microsoft Authenticator is a fairly simple app that can add and display authenticator codes for all your accounts without signing in – but if you want to sync data across to other platforms, you’ll need to sign in.
Microsoft Authenticator is a great option if you’re already in the Microsoft ecosystem with Office 365. It’s available on Android and iOS app stores.
Google Authenticator
Google Authenticator is a very basic app that’s completely free, works offline, and doesn’t need a Google account to function.
Realistically, though, you’ll probably want an account so that you can sync codes across platforms and more easily retrieve codes if you move to a new device or lose your phone.
There’s no multi-device management or other controls – just authenticator codes and a method to add new accounts to the service.
Google Authenticator couldn’t be much simpler to use and it was early to market, so it’s one of the most popular options available today.
However, it’s a closed-source program that makes it difficult to audit from a security standpoint, meaning it’s unclear how your account secrets are stored.
It’s available on both iOS and Android devices from each platform’s app store.

Security tips when using Multi-Factor Authentication
Regardless of the method or platform you choose, multi-factor authentication is clearly a great way to boost your account security.
There are a few guidelines to remember when using TOTP codes:
- Do not click account sign-in hyperlinks in SMS or emails
- Do not share your TOTP codes or approve unknown sign-ins
- Add additional layers of security like biometrics where possible
- Ensure your passwords, recovery emails, and software are up to date
These simple guidelines will help to ensure your private information stays private.