Two-Factor Authentication (2FA) Best Practices

Two-factor authentication (2FA) is hands-down the best way to increase online account security. It’s also true tighter security typically results in less convenience. Few things are more inconvenient than having your accounts hacked though, so let’s review the basics of authentication as well as 2FA shortcomings and best practices and a few tips to help reduce the chance of lockout.

Authentication factors

A good place to start is a review of authentication factors. There are three common strategies for identifying people:

  • Something you know: like a username and password, your first grade teachers name, where you were born, etc.
  • Something you have: like a mobile app, a phone number, a key (digital or physical), etc.
  • Something you are: like your face, fingerprints or any other biometrics.

By definition, 2FA means using two of the above strategies for person identification.

 

Common 2FA mechanisms

Username and password (“something you know”) is almost always the first factor of authentication for access to web and mobile apps. Biometrics (“something you are”) have promise but still require open web standards with broad vendor support to see significant adoption online (the most promising option is the new W3C web authn standard. For the purpose of this blog we will focus on best practices for securing accounts with the most common forms of “something you have” 2FA, namely:

  • One-Time Passcodes (OTP): OTPs are by far the most common form of 2FA online. OTPs are a passcode (typically a string of numbers) that is valid for only one login session or transaction. The most common mechanisms for delivering OTPs to people are via phone–SMS, voice, & mobile apps–and physical OTP cards.
 
  • FIDO Universal 2nd Factor (U2F) keys: U2F is an open authentication standard that uses strong public key cryptography to make a direct bind between a person’s U2F security key (like a Yubikey) and a user account in an authentication server. U2F protects against phishing, session hijacking, man-in-the-middle, and malware attacks, making it one of the strongest forms of authentication available on the Internet.

 

2FA shortcomings & best practices

There are a few common usability issues with “something you have” 2FA:

  • If you don’t have the “thing”, you are unable to pass authentication;
  • If the device in use can’t support the 2FA mechanism, you are unable to pass authentication.
  • If an account relies on only one 2FA mechanism there is a single point of failure;
  • If a strong credential can be reset with a weaker one, like an email to an unsecured account, the strong security can be easily bypassed;

 

2FA mechanisms should be thought of like tools in an authentication tool belt–the more ways you can securely identify yourself, the better prepared you are to handle edge cases like when you lose your phone.

Consider the variety of 2FA mechanisms that can be enrolled to secure a Google account. Of course you could have 10 different strong credentials and still find yourself without one when needed. But to increase security and reduce the chance of lockout, the best practice for “something you have” 2FA is clear: register multiple phone numbers, mobile apps, and U2F security keys wherever possible to safeguard your accounts.

Having more strong credentials at your disposal offers greater situational convenience and backups when the primary credential is unavailable.

2FA tips & tricks

In addition to registering multiple credentials and types of credentials, here are a couple specific recommendations to make sure you can always pass 2FA:

  • When registering a phone number to secure an account, use a Google Voice number and/or a dedicated “burner phone” number instead of (or in addition to) your mobile phone number. Why? You don’t control your mobile phone number–your phone operator does. 
  • If you have a significant other (that you trust :), register one or more of their phone numbers and 2FA devices against your accounts. In case you lose access to your device(s), you can pass 2FA using your s/o’s device.

 

Supporting 2FA at your organization

So which websites support strong and flexible account security… As noted above, Google for sure. GitHub, Facebook, Stripe and other large providers also support “self-service” 2FA, allowing people to enroll and manage many phone numbers, apps, and keys to secure their account. 

Try Casa included with the Gluu Server