Should I use multifactor authentication (2FA) for online accounts?
February 27, 2022 8:03 PM

My understanding is that SMS 2FA is fairly easily intercepted and not completely secure. I am also concerned with losing control of my phone number which would keep me from getting into my various important accounts that are using 2FA in a situation such as losing a cell phone. Also if someone was able to access the phone, this would leave my online accounts vulnerable through 2FA. What is the best way to secure an account nowadays, assuming I am using strong passwords and secure password practices (such as varied passwords and managers)?
posted by roaring beast to Technology (18 answers total) 11 users marked this as a favorite
 
I use 2FA with my gmail account; I use the Google Authenticator app (so not SMS) AND I have those eight one-time codes that I could use in case my phone got swiped/lost. I figure (and I am not sure about this) that if I lose my phone, I can still log in to my email and turn my 2FA off. I guess my main question for you would be: how likely do you think that someone is going to be trying to hack into your stuff? And how do you manage accounts where 2FA is not optional, such as your bank or other similar accounts? The best way to secure an account is with 2FA, on top of a strong password.
posted by jessamyn at 8:35 PM on February 27, 2022 [1 favorite]


You might want to get a couple of Yubikeys for your most secure accounts (Microsoft, Google); most less secure accounts don't allow them. For the next tier down, in (too few, but still) many places you should be able to add a TOTP code to your password manager by scanning in a QR code. Try to get a Google Voice or other VOIP phone number to assign as many of the phone-based keys to as you can - providers are increasingly hostile to letting you set that up, but those are more secure and portable than your real phone number.
posted by wotsac at 8:37 PM on February 27, 2022 [1 favorite]


a few other thoughts: I hear it's gotten better, but my experience with Google Authenticator was that it was a huge pain to port to a new phone. SMS 2FA to your real phone isn't ideal but it's better than nothing - but given the risk of losing your phone and number I avoid it when I can
posted by wotsac at 8:42 PM on February 27, 2022 [2 favorites]


SMS is not easily intercepted unless you are very interesting to high level government actors or criminals. It can be done, but that's a matter of if a government spy agency is interested in you or someone wants to steal millions of dollars of Bitcoin from you. Or you pissed off a rare person with the talent to do so that is willing to spend a bunch of effort on making you miserable for little payoff.

If the question is whether you should use 2FA vs. not using 2FA the answer is yes, even bad 2FA is better than 1FA.

If the question is which 2FA to use, for most purposes, a token like a Yubikey is better than a soft token like Google Authenticator which is better than SMS which is better than nothing.
posted by Candleman at 8:47 PM on February 27, 2022 [9 favorites]


Google Authenticator and other TOTP apps (those that let you get the one-time codes) can fairly easily export/import between phones now. The Google app displays a large QR code that another phone can scan to transfer secrets over. Done in a minute. I have mine set up on my main phone and an older phone I have in a drawer. Along with printed backup codes (for a Google account at least) in my wallet, I'm not worried about losing access.

I'm also going to add a security key or two (e.g., Yubikey, Google Titan Security key) as another method of access.

In my particular case, I'm not worried about anyone physically taking my phone, wallet, or security key -- just password compromises -- so the added exposure of having those multiple 2FA methods is minimal. The added benefit of backups and flexibility is well worth it for me.

If someone does get my phone, wallet, or security key, then they still need my password to be able to access an account. I would notice the missing item quickly enough and deauthenticate it. The likelihood of the password being compromised at the same time is minuscule unless I'm targeted by something very powerful. In that case, oh well.
posted by whatnotever at 8:54 PM on February 27, 2022 [1 favorite]


Having 2FA is still the best way to add additional security to your online accounts. I have some prior experience with people trying to get into my email accounts, and having 2FA has thwarted them so far. SMS isn't ideal, but it's better than nothing. An external key like Yubikey is likely best and most secure, but that also adds additional complexity.

I use Google Authenticator. Agree that moving to a new phone is a pain, but as long as you remember to go through and set them up on the new phone before wiping the old phone, it's not too bad. (And I have more than three dozen accounts in there.) Most places will also give you one-time codes that you keep safe somewhere else, so you can get into your account even without your phone. That's true both for a physical/software authenticator and for SMS. I keep a USB drive with the emergency codes saved as files. At work, I also have them printed and in a folder in the file cabinet. I have yet to be completely locked out anywhere, even the time when I accidentally forgot to transfer the codes before wiping my old phone. It just took a bit more time to recover, is all.
posted by gemmy at 8:55 PM on February 27, 2022 [2 favorites]


I have moved to a new phone twice in recent memory of being a heavy Google Authenticator user and it is one of the easiest parts of new phone transfer. You just open the old app and the new app at the same time and scan a QR code.
posted by phunniemee at 9:15 PM on February 27, 2022 [2 favorites]


Multifactor authentication, yes, they need to also have your password. So if today they only need your password, but tomorrow they need your password AND an SMS, that's more secure no matter how leaky the SMS security is.

SMS for password recovery, that is what's going on in the cases you read about where people can trick the phone company into giving them a SIM with your phone number and then they get into your bank account. That's also not something you usually can control to turn on/off, and the other password recovery methods are often also pretty insecure if someone already has your personal info. But that's where you'd get the biggest impact - use 2fa in case someone gets your password, and check on your password recovery settings and make sure they're difficult enough to fake.
posted by Lady Li at 10:00 PM on February 27, 2022


I use Authy myself.

Two-factor works, despite its weaknesses. And you can mitigate the weakness by NOT using an interceptible method such as SMS. And one of the alternate factors you can use is an authenticator, either hardware or software. Since they were synchronized long beforehand, an authenticator cannot be intercepted, and thus is NOT vulnerable to a full phone hijack / porting scam (where the hacker simply claims to be you and takes over your phone number). Simply get to a Wifi access point, get back on the net, and your authenticator would still work... UNLESS the scammers got into your account via a different method such as SMS recovery or such.

Authy works for almost all authenticators EXCEPT places that specifically call for Microsoft Authenticator.

And there are hardware authenticators that don't need a smartphone. They are the size of a credit card with a tiny little display, which would be even MORE secure... Unless you lose the device, of course.
posted by kschang at 1:41 AM on February 28, 2022


Personally I can't be arsed using 2FA. I rely completely on unique, long, machine-generated, random passwords stored in a KeePass-compatible database file encrypted off a long, machine-generated, random master password.

The authoritative copy of the database file is in a Dropbox folder, so it automatically gets backed up onto all of the devices I access it from. So not only are all my passwords uncrackable, I never lose one (not one loss in over ten years of working this way) and never need to exercise "I forgot my password" account recovery. In fact I do my best to break account recovery, using long, machine-generated, random, meaningless answers to mandatory "security" questions and invalid recovery phone numbers and email addresses wherever I can get away with doing so.

On desktop machines I use KeePassXC and the KeePassXC-Browser extension to work with my KeePass database file. KeePassXC also lets me set up TOTP authentication that's compatible with any RFC 6238 compliant authenticator like Google's or (with a bit of extra fiddling) Symantec's, and this lets me avoid needing to hunt down my second factor even for sites like my bank that insist that I need one.

On my phone I use the official Dropbox app along with KeePassDroid. KeePassDroid doesn't support the TOTP stuff, but the phone can run both Google Authenticator and Symantec VIP natively so it doesn't need to.

Each credentials entry in the database also stores the URL for the login page of the associated service, and I'm completely religious about always using those stored URLs to open online sessions with those services. Near as I can tell, that makes me completely phishing-proof.

My rationale for avoiding 2FA is that I don't believe I need an extra layer of protection. The way I use my password manager already makes my online accounts insanely harder to compromise than has unfortunately become customary.

All my desktop computers run Debian, not Windows, and I'm confident in the unlikeliness of their ever getting tampered with to the extent required to exfiltrate my master password. And I honestly cannot see how using KeePassDroid to log in on a phone, and then using Google Authenticator on that same phone, actually counts as 2FA in the first place - it strikes me as pointless hoop-jumping.

So my best advice on 2FA is this: if your present credential management practices are as unbelievably shitty as most people's, then turning on 2FA all over the place will indeed yield a worthwhile improvement in your online security. But using competent password management software the way it should be used will yield a far greater improvement, leaving you so astronomically unlikely to be compromised that 2FA is essentially security theatre, and also far less likely to end up locked out of anything by accident.
posted by flabdablet at 4:40 AM on February 28, 2022 [2 favorites]


Google Authenticator has an export now, so you can move stuff off your phone if you need to. In my experience, doing the standard migrate to a new phone process (on iPhone) moved my Authenticator stuff anyway, but it's nice to have the export too (especially if you're moving between platforms, or maybe on Android; don't know how the transfer situation works on Android).

Google Authenticator is far from the only TOTP app - Authy, Microsoft Authenticator, Duo, and maybe your password manager all do basic TOTP stuff too, so if you want to add that to a given account, you may already have a TOTP app. (My personal stack includes BitWarden* for password management (it also does TOTP, but I don't use it for that), a YubiKey for really important stuff, and a handful of TOTP apps since some services integrate specifically with a particular one. For example, SendGrid uses Authy specifically, and my employer's SSO stuff is all tied into Duo; both apps have some TOTP accounts too so they're sort of organized into functional groups. Most of it ends up in Google Authenticator, though.)

* which used to be 1Password, which also has a built-in TOTP authenticator, amongst others. 1P was my go-to recommendation for password managers until they decided to hitch their wagons behind cryptocurrency and NFTs. That may or may not matter to you.
posted by mrg at 5:50 AM on February 28, 2022


Response by poster: I've not heard about Google Authenticator. Is it more secure than the usual alerts that I get when logging in to a Google account (not SMS but a popup notification on all my devices)?
posted by roaring beast at 8:50 AM on February 28, 2022


It's likely that what you have, roaring beast, is called "Smart Lock" and is only for your Google-related accounts. It's more secure than Google Authenticator, and is actually using notifications and Bluetooth as the "something you have" part of the security equation, similar to a YubiKey.**

Google Authenticator is an app where you get a six-digit code to enter on websites, and you can have all kinds of accounts there, not just your Google-related ones.

** As in 2FA being "something you have" (phone) plus also "something you know" (password)
posted by gemmy at 11:34 AM on February 28, 2022


Google Authenticator implements a general purpose Time-based One-Time Password (TOTP) facility that's designed to do the same job as second-factor verification codes sent via SMS, but without needing any such code to be sent out from the server and therefore being at risk of interception and/or redirection.

TOTP does a different job from Google's login alert popups. Asking which is "more secure" is like asking the same thing about padlocks vs surveillance cameras.

It is more secure than its SMS-based alternative. Any attack capable of succeeding against TOTP would also succeed against SMS-sent codes, but there are several ways to subvert SMS codes that can't work against TOTP.
posted by flabdablet at 11:44 AM on February 28, 2022
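Since flabdablet mentions RFC 6238 and the posts above keep coming back to "the six-digit code in the app", here is what that code actually is, as an added worked example (not code from any poster or from Google, Authy or KeePassXC). TOTP is HOTP (RFC 4226) with the counter set to the number of 30-second steps since the Unix epoch; any RFC-compliant app computes exactly this from the shared secret in the QR code, which is why nothing has to be sent over SMS and why the codes survive a SIM swap. The secret below is the RFC 4226/6238 test secret, and the `TotpVerifier` class (window of one step for clock skew, constant-time comparison, refuse to accept a step at or before the last accepted one) is my illustration of the server-side checks a relying party is expected to do, not any particular service's implementation.

```python
"""TOTP (RFC 6238) on top of HOTP (RFC 4226). Added example, not code from the thread."""
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test secret ("12345678901234567890"), used here as sample input.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # clear the sign bit
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238: the HOTP counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, int(unix_time) // step, digits, digestmod)


def decode_base32_secret(text: str) -> bytes:
    """Secrets in otpauth:// QR codes are base32, often lowercase, spaced or unpadded."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding the QR code usually omits
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Illustrative server side (an assumption, not any real service's code): accept the
    current step or one step either side for clock skew, compare in constant time, and
    never accept a step at or before the last one that succeeded (stops code replay)."""

    def __init__(self, secret: bytes, window: int = 1, step: int = 30, digits: int = 6):
        self.secret, self.window, self.step, self.digits = secret, window, step, digits
        self.last_accepted_counter = -1

    def verify(self, code: str, unix_time: int) -> bool:
        now_counter = int(unix_time) // self.step
        for counter in range(now_counter - self.window, now_counter + self.window + 1):
            if counter <= self.last_accepted_counter:
                continue  # this interval (or an older one) already authenticated someone
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    # The same secret, shown as it would appear in a QR code, gives the same codes.
    secret = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    print("current code:", totp(secret, now))
    v = TotpVerifier(secret)
    print("accepted:", v.verify(totp(secret, now), now))
    print("replayed:", v.verify(totp(secret, now), now + 5))
```

The RFC 4226 test vectors (counter 0 gives 755224, counter 1 gives 287082 with this secret) and the RFC 6238 ones (T=59 gives 94287082 at eight digits) are a quick way to check any implementation, and the replay rule is the reason a phished or shoulder-surfed TOTP code is only useful to an attacker who relays it within the same 30-second step.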


SMS is not easily intercepted unless you are very interesting to high level government actors or criminals.

Actually intercepting a text may not be feasible, but simjacking is far more doable.

(Authenticator apps are the way to go wherever possible.)
posted by Pryde at 6:34 PM on March 1, 2022 [1 favorite]


And I honestly cannot see how using KeePassDroid to log in on a phone, and then using Google Authenticator on that same phone, actually counts as 2FA in the first place - it strikes me as pointless hoop-jumping.
If you are interested in using a YubiKey, you can retain the second factor aspect of 2FA by using the Mobile Yubico Authenticator app, which requires the YubiKey to be scanned via NFC or inserted in a USB C or Lightning port and tapped to display the one-time code.
posted by Strutter Cane - United Planets Stilt Patrol at 2:56 AM on March 2, 2022


Yubikey is a hardware authenticator. There's also Google's Titan Key, a similar hardware device. Google issued one to EVERY employee, and they've virtually eliminated phishing.
posted by kschang at 3:16 AM on March 2, 2022


Actually intercepting a text may not be feasible, but simjacking is far more doable.

It's doable but you have to be really interesting for the most part. "The FBI received 1,600 complaints about SIM-swapping in 2021" - that's a drop in the bucket of the cases of fraud out there. If you don't have reason to believe there'll be a high payout (either monetarily or because you have a grudge against the person), that's a lot of work just to find out that the victim has $8.32 in their savings account. Authenticator apps are vastly better but unless you are publicly known to be wealthy, have pissed off the wrong person, or are associated with dissident groups, SMS is generally good enough and certainly beats no 2FA or KBAs. Non-targeted fraud almost exclusively goes after the low hanging fruit or relies on trojaning a victim's system such that even some 2FA systems are bypassed (why log in as a user when you can just steal their session cookie?).
posted by Candleman at 3:47 PM on March 2, 2022

