Considering Mainstream 2FA Options

General Aug 9, 2017

What is 2FA

Passwords are the gateway to our online lives. Historically, people have not taken great care to safeguard these keys to the castle in the way they should. Every year we see reports of the latest password fails and follies. What doesn't get mentioned in those reports is that there are additional measures readily available to users to help secure their digital assets. Authentication can be based on something you know (like a password), something you possess (like a one-time number or unique token), or something you are (such as biometrics/fingerprints). 2-factor authentication (2FA) just means using 2 of the above methods to enhance your security.

Why is it important

There are many examples where implementing a form of 2FA can save you from not only embarrassment and inconvenience but also financial loss and more serious issues. When you see breaking news about a public figure's social media account getting hacked, or a company getting breached and its users' account details dumped, consider how this could have been prevented. Most popular social media companies, such as Facebook and Twitter, give their users the option to use 2FA, and some companies even reward users for enabling it, with extra free storage space or, in the case of gaming companies, free in-game loot. If someone ever does get hold of your password, it will do them no good, because they still need that second form of authentication to access the account.

Types of 2FA

OTP (One-Time Password) is the second form of authentication used in 2FA (the first being the standard password). The OTP can come from a hardware token (a dedicated USB key such as a YubiKey) or a software token (Google Authenticator, Authy). OTP relies on standard algorithms, TOTP and HOTP (Time-Based OTP and HMAC-Based OTP). Both use a shared secret, but they differ in the 'moving factor'. TOTP, as the name implies, is based on epoch time: the code is derived from the current time, so it changes as time passes. HOTP's moving factor is event based: each time an OTP is requested, a counter is incremented, and a new password is produced every time.

Google Authenticator

Pros

  • Does not require a cellular or internet connection
  • Small footprint (under 2MB)
  • Most popular, meaning extensive documentation and support

Cons

  • Lots of wasted space in the UI.

Price

  • Free

Authy

Pros

  • Mobile application, browser extension and desktop application
  • When using multiple devices (mobile and desktop), you can sync them so they all show the same authentication codes and registered accounts, greatly increasing convenience.
  • Control and device management. If you lose your phone, you can remove it from the authorized device list and get new tokens, so the lost phone no longer syncs with new tokens.

Cons

  • Initial setup can take time.
  • Syncing the shared secret to the cloud for multi-device support is a security risk some are not willing to take (in which case, use a standalone device and don't sync).

Price

  • Free (for under 100 authentications per month)

YubiKey

Pros

  • Excellent user support, via email and online support tickets, plus great documentation.
  • Easy to use (one button)
  • Supports FIDO U2F and NFC

Cons

  • Does not support as many sites/applications as the software tokens.
  • Small and therefore easy to lose.

Price

  • Varies. The standard YubiKey USB key starts at $40.

As you can see, each option has areas where it excels and areas where compromises are made. Which one you choose depends on your specific needs and requirements. I have personally used Google Authenticator in the past and found it to work fine for a limited number of accounts. At the time of writing this review, I have recently downloaded and tried out the features of Authy and found it to be a nice experience between its UI, syncing, and support. I reached out to Authy Support concerning a feature request and received a response and follow-up 8 minutes after opening the ticket! I explored the different YubiKey options but found the cost, limited support, and possibility of losing the key too prohibitive for my needs.

References:
https://blog.devolutions.net/2016/10/most-popular-2-factor-authentication-2fa-compared.html
https://itunes.apple.com/us/app/google-authenticator/id388497605?mt=8
https://authy.com/
https://www.yubico.com/products/yubikey-hardware/