Two-factor authentication (2FA) isn't anything new, but it has been enjoying a very bright spotlight over the past couple of years. And for good reason: passwords leak in breaches and get phished constantly, so any extra protection for online accounts is more than welcome.
Sadly, it's not all great. 2FA takes a bit of time and some extra effort to set up and use, and with consumers, companies try to strike a balance between convenience and overall security. As a result, they reach for the easiest option to add, SMS codes. Those, however, are not the best option out there.
Risks of SMS 2FA
The whole point of 2FA is to add another layer of security so that a stolen password on its own is not enough to get into an account. The service demands a second proof that the person trying to log in is the actual owner of the profile.
Using an SMS code is one of the most popular methods because it's the easiest to deploy: the service texts the user a code, which they type in after their password. The problem with this setup is that it is also the easiest second factor to defeat. The code travels over the phone network, so it can be stolen with a SIM swap (talking the carrier into moving the victim's number onto the attacker's SIM), through weaknesses in the SS7 signalling network that carriers use to route messages, or by malware on the phone that reads incoming texts. It can also be phished: a fake login page asks for the password and then for the code, and a script relays both to the real site before the code expires, so the attack is easy to automate. NIST SP 800-63B classes SMS as a restricted authenticator for these reasons. SMS is one of the weakest forms of 2FA. It's still better than no 2FA whatsoever, but if you have the opportunity to use a different method, do so.
The most popular alternative to SMS is an authenticator app. Such apps generate a fresh six-digit code from a secret shared with the service at setup and the current time (the TOTP scheme), so nothing is sent over the phone network at login. The most popular among them is Google Authenticator. It's also among the best overall as chosen by PC World. The good thing about Google Authenticator is that it's relatively easy to set up, it's compatible with lots of online services, and it's free. Of course, it's also not 100% secure, although there's really no such thing anyway: a TOTP code can still be phished and relayed within its 30-second window, just not intercepted in transit, and the secrets live only on the phone, so losing the phone without a backup means recovering every account by other means.
LastPass Authenticator is another alternative. It works with fewer online services, but it does integrate with several sites and password managers. Microsoft also has a service called Microsoft Authenticator. Besides generating codes, it can approve logins with a push notification to the phone instead of a typed code.
Another service, Authy, addresses the fact that some people change devices often and would otherwise have to re-enrol every account each time. This service (it has a free version, too) stores encrypted backups of all tokens in the cloud, making it easier to log in from any device. The trade-off is that the backup password then protects every one of your secrets, so it deserves the same care as a password manager's master password.
andOTP is a newer, open-source addition to the scene. It implements TOTP and scans the same otpauth:// QR codes that Google Authenticator uses, so it works with any service that supports Google Authenticator, and it aims to be simple to use. Another similar open-source alternative is FreeOTP Authenticator, from Red Hat. It works with the popular platforms, GitHub included, and supports both TOTP and the counter-based HOTP.
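To make concrete what all of these apps do, here is an added example (not code from the page or from any of the apps named above) implementing HOTP (RFC 4226) and TOTP (RFC 6238) with the Python standard library, plus the check a server would run on a submitted code. The function names, the 30-second step, the ±1-step tolerance window and the replay rule are this example's own choices; the test vectors are the ones published in the two RFCs.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) as used by authenticator apps."""
import base64
import hashlib
import hmac
import struct
import time


def decode_base32_secret(secret: str) -> bytes:
    """Decode the base32 secret carried in an otpauth:// QR code.
    Apps accept it with or without spaces and '=' padding, so normalise first."""
    cleaned = secret.replace(" ", "").strip().upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10^digits and left-pad with zeros."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, for_time=None, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step).
    This is what the app shows; nothing is transmitted to produce it."""
    if for_time is None:
        for_time = time.time()
    return hotp(key, int(for_time) // step, digits, algo)


def verify_totp(key: bytes, candidate: str, last_counter: int, for_time=None,
                window: int = 1, step: int = 30, digits: int = 6,
                algo=hashlib.sha1):
    """Server-side check. Returns the matched counter, or None if rejected.
    - tries the current step and `window` steps either side to absorb clock drift
    - compares every candidate in constant time instead of stopping at a match
    - rejects any counter <= last_counter, so a code that was already used
      (for example one relayed by a phishing kit) cannot be accepted twice"""
    if for_time is None:
        for_time = time.time()
    if not (candidate.isascii() and candidate.isdigit() and len(candidate) == digits):
        return None
    current = int(for_time) // step
    matched = None
    for delta in range(-window, window + 1):
        counter = current + delta
        expected = hotp(key, counter, digits, algo)
        if hmac.compare_digest(expected, candidate) and matched is None:
            matched = counter
    if matched is None or matched <= last_counter:
        return None
    return matched


if __name__ == "__main__":
    # Constructed demo using the RFC test key, not a real account secret.
    key = decode_base32_secret("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    print("current code:", totp(key))
    print("RFC 6238 vector t=59 (8 digits):", totp(key, 59, digits=8))
```

A real deployment stores `last_counter` per user and updates it on every accepted login; without that step the tolerance window turns every code into a 90-second reusable token.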
If security is your main priority, then hardware 2FA keys are your choice. They are the safest way to secure your account(s) and data, because the key only answers a login challenge for the exact website (origin) it was registered with: a phishing page on a look-alike domain gets nothing it can replay, which is precisely the weakness SMS and app codes share. Of course, they are also the least convenient.
The main reason for that is that you have to have the physical security key (one speaking the U2F protocol or its successor, FIDO2/WebAuthn) with you and plug it into the device you're logging in from every time. There are also NFC models, which are suitable for smartphones. And if you lose or damage the key, you have to go through every account and register a new key, which can be super tedious. So register a second key as a backup when you set up the first, and keep each service's recovery codes somewhere safe.
There are plenty of U2F keys out there. The cheap ones start at about $15 apiece and reach above $50 for models with extra features. It's best to opt for a model which is FIDO Certified.
This means it has passed the FIDO Alliance's interoperability testing and works with the platforms and services of the Alliance's members, such as Google, Microsoft, Bank of America, MasterCard and so on. You also need a browser and operating system that support FIDO, but considering the big names backing the tech and already implementing it in their services and products, it's a future-proof bet to look for a key like that.
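The origin binding that makes these keys phishing-resistant is enforced on the server side. The following added example (not code from the page or from any vendor) shows the checks a FIDO2/WebAuthn relying party performs on a login response before verifying the key's signature: the browser's clientDataJSON must carry the expected challenge and the site's own origin, and the authenticatorData must name the right relying party, assert user presence and carry a signature counter that moved forward. The sample response is constructed inside the block, and the function and parameter names are this example's own. Verifying the ECDSA signature over the returned message with the public key stored at registration needs a crypto library and is left out here; the legacy U2F message layout differs in detail but binds the origin the same way.

```python
"""Origin-binding checks of a WebAuthn authentication response (server side)."""
import base64
import hashlib
import json
import struct


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def check_assertion(client_data_json: bytes, authenticator_data: bytes,
                    expected_challenge: bytes, expected_origin: str,
                    rp_id: str, stored_counter: int):
    """Validate clientDataJSON and authenticatorData (WebAuthn Level 2, section 7.2).
    Returns (message_to_verify, new_counter). The caller must still verify the
    key's signature over message_to_verify with the registered public key."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        raise ValueError("not an authentication ceremony")
    if client_data.get("challenge") != b64url(expected_challenge):
        raise ValueError("challenge mismatch (replayed or forged response)")
    # The browser, not the page's script, writes the origin here, and the key
    # signs a hash of this document, so a response obtained on a look-alike
    # domain cannot be submitted to the real site.
    if client_data.get("origin") != expected_origin:
        raise ValueError("origin mismatch: %r" % client_data.get("origin"))
    if len(authenticator_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = authenticator_data[:32]
    flags = authenticator_data[32]
    counter = struct.unpack(">I", authenticator_data[33:37])[0]
    if rp_id_hash != hashlib.sha256(rp_id.encode("ascii")).digest():
        raise ValueError("rpIdHash does not match the relying party")
    if not flags & 0x01:
        raise ValueError("user presence (touch) not asserted")
    # A counter that fails to increase suggests a cloned authenticator.
    if counter != 0 and counter <= stored_counter:
        raise ValueError("signature counter did not increase")
    message = authenticator_data + hashlib.sha256(client_data_json).digest()
    return message, counter


def rejection_reason(*args, **kwargs):
    """None if the response passes, otherwise the reason it was rejected."""
    try:
        check_assertion(*args, **kwargs)
    except ValueError as err:
        return str(err)
    return None


def build_sample(origin: str, challenge: bytes, rp_id: str, counter: int):
    """Construct what a browser and key would hand back (sample data, not a capture)."""
    client_data_json = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin},
        separators=(",", ":"),
    ).encode("utf-8")
    authenticator_data = (
        hashlib.sha256(rp_id.encode("ascii")).digest()  # rpIdHash
        + bytes([0x01])                                  # flags: UP set
        + struct.pack(">I", counter)                     # signature counter
    )
    return client_data_json, authenticator_data


def phishing_attempt_rejected(real_origin: str = "https://example.com",
                              fake_origin: str = "https://example.com.login-check.net",
                              rp_id: str = "example.com") -> bool:
    """Constructed scenario: the same challenge answered on the real origin passes;
    a response produced on a look-alike origin is rejected. (In practice the
    browser would refuse to produce it at all, since rp_id must match the page.)"""
    challenge = hashlib.sha256(b"constructed challenge for this example").digest()
    good = build_sample(real_origin, challenge, rp_id, counter=7)
    bad = build_sample(fake_origin, challenge, rp_id, counter=7)
    good_ok = rejection_reason(*good, challenge, real_origin, rp_id, stored_counter=6) is None
    bad_reason = rejection_reason(*bad, challenge, real_origin, rp_id, stored_counter=6)
    return good_ok and bad_reason is not None and bad_reason.startswith("origin mismatch")


if __name__ == "__main__":
    print("look-alike origin rejected:", phishing_attempt_rejected())
```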