Data Breach Defense: Multifactor Authentication
What is Multifactor Authentication?
Multifactor authentication is when a service requries an extra step to authenticate you during login aside from simply username and password. This could take the form of a text message, a code generated by an app (sometimes called by its technical name “TOTP,” or “Timed One-Time Password”), a push notification, a hardware device, or even biometric authentication.
There are multiple factors of authentication, but this site addresses the two most common: something you know and something you have. Something you know is the username and password, while something you have is typically the six-digit code you have on your device or a hardware token (discussed further down). When only two forms of authentication are required, it is considered “two-factor” authentication (often abbreviated as 2FA). When more than two forms of authentication are required, it is “multi-factor” authentication, or MFA. Technically all 2FA is MFA, but not all MFA is 2FA.
Why do I Need Multifactor Authentication?
According to Microsoft, this one technique can stop up to 99.9% of unauthorized account accesses. With MFA enabled, even if an attacker gets your username and password they would still be unable to login without the second factor.
What Should I Look For in a Multifactor Authentication Solution?
When picking an MFA solution, be sure to pick something you will use consistently. For example, if you need the ability to log into your account from any computer at any given time, a hardware key may not be convenient for you. You should also avoid SMS 2FA whenever possible because it is relatively easy for an attacker to steal your phone number and recieve the incoming 2FA text. Use SMS if nothing else is available, but use something better if you have the option. Lately push notifications have also become a risk in attack known as ”MFA fatigue” in which the attacker will spam the user with requests until the user either accepts the login to make the requests stop, or accidentally accepts one. The order of recommended 2FA methods from strongest to weakest are hardware keys, TOTP, push notifications, email (especially if secured with TOTP or better), and finally SMS. TOTP will be the sweet spot for most people.
Listed in alphabetical order, not order of recommendation
Available on F-Droid
Allows automatic backups (cloud only)
Encryption is automatic
Can sync with Mac app (requires iCloud)
Login feature is mandatory
Click here to see my criteria for selecting these services
Click here for a visual version of this chart
Honorable Mention: Hardware Tokens
For most people TOTP will provide the best blend of security and convenience. However, for those who require additional protection many hardware keys exist that provide maximum protection at very little additional cost and effort. Hardware tokens are physical devices that plug into your computer via USB. If an account is configured to use a hardware token, the device must be plugged in rather than entering a code. They are nearly perfect additional security because they can’t be remotely hijacked the way that other keys can, but aren’t very durable and may not be a good choice for a laptop or someone who travels a lot. Some of the more common and recommended hardware keys include OnlyKey and Yubikey. Less common but open source options include LibremKey, Nitrokey (non-affiliate link), and SoloKey.
Other Forms of Authentication
As mentioned above, there are many additional forms of authentication, including something you are (biometric identification like fingerprint or iris scans) and somewhere you are (a website that requires your IP address to match your area of residence or work, for example). Personally, I don’t recommend using these when the option exists for various reasons. Factors like somewhere you are can be highly invasive and can thwart other privacy strategies I recommend, like the use of a VPN. Something you are is widely considered secure because the resources required to spoof a person’s biometric identity are typically intense and reserved only for high-level threats. However it is worth noting that historically these kinds of things become less difficult over time and if your biometric information gets leaked then you can’t change them the same way you can change a password or OTP key (software/hardware token). As I’ve said before, the most important thing is that you find a 2FA solution that you will use consistently, so if these are the only solutions that work for you then I would recommend them, however I would encourage you to stick to something you have whenever possible. (It’s the most widely supported anyways.)
MFA can typically be enabled under the “Security” settings of your account, though it may sometimes be under a similar but different setting such as “Login” or “Account.” It also sometimes goes by other names such as “two-step login” or “Authenticator App.” Some websites will explicitly list Google Authenticator, but any two-factor app listed here will work. I suggest you stop what you’re doing immediately and enable MFA for your most critical accounts. Bank, email, and other accounts you can’t afford to live without. Do it right now before you do anything else.
For the rest of your accounts, I recommend enabling MFA “as you go.” This means you enable on a per-account basis as you login or use it. For example, next time you log into eBay, enable MFA. Then, next time you log into Discord, enable MFA. In time every account will have a unique, strong password.
Tips & Tricks
Most sites have an option during the second login screen to “remember this device for 30 days” or something similar. This will keep you logged in without requiring your MFA code for the indicated amount of time. In the past I recommended this with some caveats, but I no longer recommend this due to a rise in malware that can steal your authentication cookies, allowing an attacker to bypass the login process entirely.
Logging in every time will not protect you completely against this type of attack, but it can potentially prevent an attacker from stealing every single account cookie instead of just the ones that you logged into while your device was infected.
When you sign up for MFA, most sites will issue you backup codes. Be sure to write these down somewhere safe in case you lose your MFA device. I recommend saving them in the notes section of your password manager, but beware that this does potentially create a single point of failure. Be sure to take extra precautions if you do this.
Some password managers offer the ability to store your MFA key to make your login process more convenient. This can be helpful, but just as with saving your backup codes, you’re creating a single point of failure. Make sure you’re taking extra precautions if this is the path you decide to take.
If using a hardware token, I recommend buying two copies and keeping the second in a safe place as a backup in case the first one gets broken. Just as with other kinds of data backups, be sure to keep it regularly updated.
2FA Directory is a useful website to see if services you use or are considering using allow two-factor authentication and which kind.