We’ve talked about password managers recently here at Ctrl Alt Develop as a great way to not only make your life easier, but also help you to improve your online security by generating secure passwords for you. This is a great first step, but there is secure… and then there’s SECURE.
Today we will explore what multifactor authentication really is, what the tradeoffs are, as well as other considerations. We will look at a number of MFA solutions as well as some recommendations on best practices.
Let’s dive in!
What is 2FA/MFA?
Using 2FA (two-factor authentication) or MFA (multifactor authentication) is quickly becoming a best practice even for the casual user who wants to protect their more sensitive accounts (email, banking, etc.). While there are a number of ways to implement 2FA, it boils down to requiring two or more of the authentication factor types below:
- Something you know (username and password)
- Something you have (one-time password, phone to receive text, security key, etc.)
- Something you are (fingerprint, retina scan, voice recognition, etc.)
Combining a secure password with a second factor of authentication makes hacking your account(s) difficult to the point of forcing most evil doers (known in the IT community as “bad actors”) to move on and find an easier target. Not all authentication factors are created equal, however. SMS (text-based) authentication has come under increased scrutiny because the message that contains the security code is sent over the air in plain text. This makes it easy (well, not easy, but easier than with other authentication types) for someone else to receive or view the message, steal the code and gain access to your protected data.
Considerations: Convenience vs. Protection
Security in the information technology industry has long been a game of convenience versus protection. The more secure something is, the harder it is to get to. It’s that simple. In fact this is true in any industry. Money in an ATM outside of the bank is much easier to get to and therefore much less secure. I can walk up, put in my card and PIN, and get money out. Quick and easy. On the other hand, someone could break it open and take the money out, tie a chain around it and try to drive off with it, or try any number of nefarious means to get at the money.
This is much easier than getting at the bank’s safe deposit boxes, which are protected by the locks on the entry doors, the security guard, the vault, and the 2 keys used to extract and open the box itself. This also makes the process of getting to the box more difficult even if you are the rightful owner of its contents. You have to go to the bank during normal business hours, wait in line, verify you are who you say you are, remember to bring your deposit box key… you get the picture. The more secure… the harder to get to. Even for the rightful owner.
The goal is to strike a balance between being able to easily access your accounts and still having a reasonable amount of security. How much security counts as reasonable is directly proportional to how sensitive or important the data you are trying to protect is.
Let’s explore some of the more common options for authentication used right now.
Some of today’s most common forms of additional authentication are:
- Text message (SMS)
- Email
- TOTP (time-based one-time password)
- Push notifications
- Public key cryptography
Let’s take a brief look at each one.
Text Message (SMS)
This form of authentication is used fairly often and is very convenient. You enter your username and password on a site or in an app and it sends you a one-time password (OTP) via text. On most phones, the OTP is auto-copied to your clipboard for easy pasting into the site, or it is simply auto-filled on the site directly. Highly convenient, this option essentially performs the 2nd factor of authentication with little to no action required by the user. It is, however, as mentioned before, considered the least secure of the popular options, because it sends the code over the air (wireless radio signal) where it can be intercepted and/or viewed in plain text in a number of ways. Still, this option is far better than nothing at all, as it places additional effort and requirements on someone attempting to steal or hack your information. It is also best to avoid trusting public Wi-Fi, especially for this reason.
Email
Another common form of second factor authentication, the email option does exactly what you think it does: it sends a message to your inbox with an OTP for you to copy/paste into the app or site you are trying to log into. This method of verification is also used often for password resets, though it is best when used as a second factor in addition to a known password. Google (Gmail) makes this as easy as the text-based option, as you merely need to get to your Gmail account and a popup will appear for you to approve, rather than having to copy/paste.
Here again, though, the security benefit is less than optimal: according to NIST (the National Institute of Standards and Technology), a code delivered this way does not prove that the right person actually has the device the code is accessed on.
TOTP (Time-Based One Time Passwords)
This method is considered far and away more secure than the two discussed above. TOTP uses a cryptographic hash algorithm to generate a code on your trusted device (usually your smartphone or tablet). The same algorithm is run by the site you are trying to reach. Both sides separately generate the same code using a “secret” that only your phone and the server know, plus the current time, as input. The output is the same on both ends, so when the code is typed into the site at login it matches the result the site has on hand and voilà! Your 2nd factor is verified.
The major security benefit is that the code never has to be sent anywhere before authentication, since the client and the server generate it independently, which reduces the chances of it being intercepted. Man-in-the-middle and phishing attacks can still be used to get at the code, though. The current standard is a 6-digit code that is good for 30-60 seconds, after which a new one is generated. This repeats ad infinitum.
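To make the description above concrete, here is an added example (not code from the original post or from any product it mentions) of the arithmetic both ends perform, written in Go against the published standards: HOTP (RFC 4226) as the building block, TOTP (RFC 6238) as HOTP with a time-step counter, and the server-side check a site would run. The constants and the demo secret are constructed (the secret is the well-known RFC 6238 test-vector key, not a real enrolment); the replay check, which remembers the last counter accepted so the same code cannot be used twice inside its 30-second window, is a design choice of this example rather than something the post describes.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// hotp is the RFC 4226 building block that TOTP is built on: HMAC-SHA1 over the
// 8-byte big-endian counter, "dynamic truncation" to 31 bits, then mod 10^digits.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	bin := uint32(sum[offset]&0x7f)<<24 |
		uint32(sum[offset+1])<<16 |
		uint32(sum[offset+2])<<8 |
		uint32(sum[offset+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, bin%mod)
}

// totp (RFC 6238) is HOTP with the counter set to the number of whole time steps
// since the Unix epoch; phone and server both compute it from the shared secret.
func totp(secret []byte, at time.Time, step time.Duration, digits int) string {
	return hotp(secret, uint64(at.Unix()/int64(step.Seconds())), digits)
}

// verifyTOTP is the server side. It accepts the current step plus `skew` steps on
// either side (clock drift, typing delay), compares in constant time, and refuses
// any counter at or below lastUsed so an already-accepted code cannot be replayed
// within its window. On success it returns the counter the caller must store.
func verifyTOTP(secret []byte, code string, at time.Time, step time.Duration, digits, skew int, lastUsed int64) (int64, bool) {
	if len(code) != digits {
		return 0, false
	}
	now := at.Unix() / int64(step.Seconds())
	for d := -skew; d <= skew; d++ {
		c := now + int64(d)
		if c <= lastUsed {
			continue
		}
		if hmac.Equal([]byte(hotp(secret, uint64(c), digits)), []byte(code)) {
			return c, true
		}
	}
	return 0, false
}

// decodeBase32Secret turns the Base32 string carried in an otpauth:// enrolment URI
// (what the QR code encodes) back into raw key bytes. Apps display it unpadded and
// often in spaced groups, so normalise before decoding.
func decodeBase32Secret(s string) ([]byte, error) {
	s = strings.ToUpper(strings.ReplaceAll(s, " ", ""))
	s = strings.TrimRight(s, "=")
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

func main() {
	// Constructed demo secret: the RFC 6238 test-vector key, NOT a real enrolment.
	secret, err := decodeBase32Secret("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
	if err != nil {
		panic(err)
	}
	step := 30 * time.Second
	now := time.Now()
	code := totp(secret, now, step, 6)
	fmt.Println("code the phone would show:", code)
	counter, ok := verifyTOTP(secret, code, now.Add(10*time.Second), step, 6, 1, -1)
	fmt.Println("server accepts:", ok, "at counter", counter)
	_, again := verifyTOTP(secret, code, now.Add(10*time.Second), step, 6, 1, counter)
	fmt.Println("same code submitted again (replay):", again)
}
```

The skew of one step is why a code still works for a few seconds after the phone's display rolls over; widening it buys tolerance for drifting clocks at the price of a longer window for anyone who has phished the code, which is the trade-off the paragraph above alludes to. Rejecting any counter at or below the last accepted one is deliberately conservative: after a login at step N, the code for step N-1 is also refused even though it is still inside the skew window.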
Push Notifications
Currently considered one of the better balances between convenience and security, push notifications offer a higher degree of security than text- or email-based authentication. In fact, they are often regarded as having security equal to TOTP, but they are much more user friendly than having to type in or copy/paste a 6-digit code. Instead, push notifications use your phone’s notification system to permit or deny access at the push of a button!
Public Key Cryptography
Without going too deep into super-nerd territory, public key cryptography isn’t exactly new. In the decades it has been around, the simple concept of asymmetric encryption has come a long way. Essentially, a public key can be used to encrypt a message (or authorization code) to another party (a web site) that can only be decrypted using a separate private key that the other party holds. The public key can be shared freely without consequence. The private key must be kept safe, but it never needs to be transmitted, so the scheme is considered extremely secure.
This type of MFA goes by many names and comes in several implementation variants (FIDO, FIDO2, WebAuthn, U2F), but they all adhere to the basic description above. This kind of encrypted 2nd factor authorization is considered very secure and is used not only in apps but in hardware-based keys.
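As an added illustration (not code from the original post, nor the actual FIDO/WebAuthn protocol) here is a Go model of the challenge-response exchange the paragraphs above describe: the device keeps the private key, the site keeps only the public key, and each login signs a fresh random challenge that is bound to the site's origin. The payload layout, the Ed25519 signature algorithm, the origin strings and the function names are all assumptions of this example; real WebAuthn signs authenticator data plus a hash of client data in which the origin is embedded, but the security property shown here is the same: a response signed for a look-alike domain, or captured from an earlier login, does not verify.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// credential is what the web site stores at registration: the public key and the
// origin (site) it was registered for. No secret lives on the server.
type credential struct {
	pub    ed25519.PublicKey
	origin string
}

// authenticator stands in for the phone app or hardware key: the private key is
// generated on the device and never leaves it.
type authenticator struct {
	priv ed25519.PrivateKey
}

// register creates a fresh key pair on the device and hands the site only the public half.
func register(origin string) (*authenticator, credential, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, credential{}, err
	}
	return &authenticator{priv: priv}, credential{pub: pub, origin: origin}, nil
}

// newChallenge is the site's per-login random nonce. The site stores it, accepts
// exactly one response to it, then discards it, so a captured response is useless later.
func newChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signedPayload binds the challenge to the origin the device believes it is talking
// to (assumed layout for this example). A signature produced for a look-alike domain
// therefore fails at the real site, which is what makes the scheme phishing-resistant.
func signedPayload(origin string, challenge []byte) []byte {
	return append([]byte(origin+"\x00"), challenge...)
}

// respond is the device side: sign the challenge, never reveal the private key.
func (a *authenticator) respond(origin string, challenge []byte) []byte {
	return ed25519.Sign(a.priv, signedPayload(origin, challenge))
}

// verify is the site side: rebuild the payload with the stored origin and check the
// signature against the public key saved at registration.
func verify(cred credential, challenge, signature []byte) error {
	if len(signature) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	if !ed25519.Verify(cred.pub, signedPayload(cred.origin, challenge), signature) {
		return errors.New("signature does not match stored public key, origin and challenge")
	}
	return nil
}

func main() {
	const site = "https://bank.example" // constructed demo origin
	device, cred, err := register(site)
	if err != nil {
		panic(err)
	}
	ch, err := newChallenge()
	if err != nil {
		panic(err)
	}
	fmt.Println("challenge:", hex.EncodeToString(ch))
	fmt.Println("genuine login:", verify(cred, ch, device.respond(site, ch)))
	fmt.Println("look-alike domain:", verify(cred, ch, device.respond("https://bank-login.example", ch)))
	ch2, _ := newChallenge()
	fmt.Println("old response replayed against a new challenge:", verify(cred, ch2, device.respond(site, ch)))
}
```

Compare this with the TOTP flow: there the server holds the same secret as the phone, so a breach of the site's database exposes every user's second factor, whereas here the server stores only public keys, which are useless to an attacker on their own.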
What’s a Hardware Key?
Hardware-based keys take all of the application logic of public key cryptography and TOTP and cram it into a chip. That chip goes into a (typically) USB-based form factor and automates the entire process! When prompted for a second factor, simply plug your key into the USB port and everything takes place automatically. Sounds great, right? Well, that’s because it is!
Hardware authentication is considered, at the time of writing, the holy grail of data security by many people in the IT and development industries. As per usual, though, there are tradeoffs…
What happens if you lose your key? Well, in many cases, put simply, you’re locked out. Period. Do not pass go, do not collect $200, you are done. That is why most people who use this method of security recommend keeping a backup key in a safe place. The other option is to enable a second method of MFA: for instance, make the hardware key your primary method of verification, but also have an application on your phone with a TOTP generator linked to the same account as a backup means of authentication.
What Are My Options?
While there are numerous options out there, the general rule is: if you are willing to enable MFA for your more sensitive accounts (email, bank accounts, e-trading apps, etc.), then you should always opt for something better than email or text-based verification wherever possible. Some banks do not offer any options other than text/email. Again, some form of 2-factor authentication is better than nothing, but if you are given a choice, always opt for TOTP, push notifications, or public key cryptography.
Now that we’ve established the preferred order of security, we can look at a few applications and hardware options. At Ctrl Alt Develop, we do not recommend products we don’t use. Because of this, our list of recommended options is pretty short:
Software Solution: Authy
Our top pick for a software solution is Authy. It is a free application that can handle SMS, six-digit TOTP codes and even push notifications! While there are other platforms that do some of these (Google Authenticator, Microsoft Authenticator, etc.), Authy has all 3 verification options and a few additional benefits versus some of the other choices. For one, Authy has great cross-platform support: you can have many authorized devices and de-authorize any of them instantly from any other device. This is not an option on some other TOTP apps, as they tend to keep you on one device and in some cases restrict you to mobile devices only. This is helpful if one of your devices is lost or stolen, as you’ll be able to de-authorize that device without losing access to your accounts!
With multi-device support, you also don’t have to worry as much about needing to switch to a new cell phone or being without the ability to log into a protected account. You’ve got options! Additionally, you are able to recover your account using encrypted backup codes given to you when you set up the account (keep them somewhere safe!!!).
A free app with a broad range of security options, a backup plan and migration option, Authy is a great choice to try MFA with a very low barrier to entry!
Hardware Solution: YubiKey
For those who want to venture into the land of hardware security options, one of the most popular solutions out there is the YubiKey from Yubico. We’d recommend the YubiKey 5 series. With various authentication methods possible (WebAuthn, FIDO2 CTAP1, FIDO2 CTAP2, Universal 2nd Factor (U2F), Smart card (PIV-compatible), Yubico OTP, OATH – HOTP (Event), OATH – TOTP (Time), OpenPGP, Secure Static Password), this tiny little USB device works with most online services and applications that allow for hardware-based 2FA. Some versions are NFC (near-field communication) enabled and only require you to touch your key to the back of your phone!
Again, if you go this route, ensure you either have a 2nd backup key in a secure place, or have a backup authentication method or you run the risk of locking yourself out!
We’ve tested this little key to keep our Bitwarden account secure on both laptop and cellphone! It will also work to unlock Windows devices.
Hardware Runner-up: Nitrokey
While the latest and most fully featured version, the Nitrokey 3, isn’t out just yet, it does boast all of the best features of the YubiKey in an open-source software package. This gives the Nitrokey an edge over the YubiKey for two main reasons: development possibilities and transparency.
If you’re tech-adventurous, imagine building your own locking mechanism that opens when you wave your key near it. While there are development APIs (application programming interfaces) for the YubiKey, there’s nothing like full access to the code.
Also, for the exceptionally wary, the YubiKey’s lack of access to the underlying code means that it is within the realm of possibility that there could be some security vulnerability that a.) has not been discovered but might have been if more people were able to view the code, or b.) was intentionally placed into the code as a backdoor by the manufacturer and could be exploited.
Either way you slice it, these are edge cases, and if you are simply interested in getting highly secured accounts without the paranoia of a security expert or the yearning of a technology enthusiast to build your own devices, the YubiKey is still your best bet for hardware.
With so many options available, it would be impossible to guide you through each type of setup for each device without this post becoming a gargantuan (and boring) series. Suffice it to say that the setup in most cases is very well guided the first time through and also well documented elsewhere on the web. Just remember to document your backup codes or master passwords for these services and keep them somewhere safe, or recovering your own accounts could end up being nearly as difficult as trying to break into someone else’s!
If you are interested in purchasing a YubiKey, grab one here:
NOTE: The above is an affiliate link. While you will not incur any additional charges, purchasing through this link will provide Ctrl Alt Develop with a small profit and allow us to keep providing top tier content for your consumption!
We hope you’ve learned a thing or two about the wide world of multifactor authentication. What did we leave out? Do you have any experiences with other hardware and software options that you prefer? Tell us why in the comments below!