Which Two-Factor Authentication Option Is the Best?
On the face of it, two-factor authentication (2FA) is a ruthlessly simple and incredibly effective security feature. In essence, by implementing two-factor authentication, you ensure that an attacker can't take over a victim's account using just a username and a password. There is an additional step during the authentication process without which access won't be granted. So far, so straightforward. This is where it starts to get more complicated, though.
Most 2FA systems rely on a second temporary password (often referred to as one-time password or OTP), which the user must enter in order to unlock their account. In other cases, logging in requires a hardware device or token that acts as proof that the user is authorized to access the account. There's a lot of debate around which is the better option – a hardware token or an OTP. The question of which is the best hardware token has been discussed as well, and the same goes for the different ways in which OTP-based 2FA systems can be implemented. In other words, for many, 2FA has raised more questions than it has answered.
The OTP discussion
An OTP is a robust second factor, but only if it is implemented correctly. The algorithm that produces the codes is not what needs protecting – the standard ones, HOTP (RFC 4226) and TOTP (RFC 6238), are public. What must stay secret is the per-user seed from which the codes are derived; an attacker who obtains that seed can generate every future code, and the second factor is gone. Even without the seed, an attacker can try to guess. For the sake of usability, OTPs are usually 4- or 6-digit codes, so there are at most a million possibilities, and a server that accepts a few adjacent time steps to tolerate clock drift multiplies the attacker's odds on every guess. That's why codes must expire after a short period and, above all, why the server must rate-limit and lock the factor after a handful of failed attempts, and must never accept the same code twice.
It's fair to say that most developers and system administrators who have chosen OTP-based 2FA observe these rules, and attacks of this particular kind are not that common. When it comes to the delivery method for OTPs, however, things are completely different.
There are a number of different ways in which you can deliver an OTP to the user: via email, via SMS, or through an authenticator app on their smartphone. There has been plenty of alarm about how insecure some of these channels are. We've discussed in the past, for example, the technology behind text messages: the SS7 signalling network that carries them dates from the 1970s and has been used to intercept OTPs, and an attacker who convinces a carrier to move the victim's number to a new SIM (a SIM swap) simply receives the codes. Email has likewise long been regarded as too insecure a channel for sensitive information like 2FA OTPs, since a single compromised mailbox exposes every code sent through it.
The fact of the matter is that the best way of ensuring that OTPs can't be intercepted during transmission is not to transmit them at all. This is how authenticator apps such as Google Authenticator work: the server and the app share a secret seed, provisioned once (usually by scanning a QR code), and from then on the app computes each code locally from that seed and the current time, so no code ever crosses the network before the user types it in. That's why such apps are considered the best option for OTP-based two-factor authentication that doesn't require an additional hardware token. Two caveats remain: the seed must be provisioned and stored securely on both sides, since whoever holds it can generate codes too, and the code is still typed into a login form, so it can still be phished. And users who don't have a smartphone can't use these apps at all.
Are hardware tokens the solution?
2FA apps are descended from hardware tokens that use the same kind of cryptographic functions to create OTPs on the spot. The best-known example is RSA SecurID: roughly the size of a key fob, with a small monochrome LCD display that shows the current OTP. You might view this as a solution, especially if some of your potential users don't have smartphones, but there is still one thing to consider. The inherent weakness of one-time passwords is that, just like normal passwords, they can be phished: a fake login page collects the code, and the attacker relays it to the real site within the seconds it remains valid.
This is why security practitioners consider U2F keys (and their successor, FIDO2/WebAuthn) the most secure form of 2FA. These are hardware tokens that, instead of generating and displaying an OTP, talk directly to your browser: the site sends a random challenge, the user touches the key, and the key returns a digital signature over that challenge together with the origin of the site the browser is actually connected to. A phishing site by definition has a different origin, so any signature it obtains is worthless at the real site, and there is nothing for the user to mistype or hand over. The keys are small enough to be carried around on a key ring, they don't need a battery, and the ones with NFC authenticate with a tap against a phone, so the whole step takes about a second. Because the user never enters an OTP, this is considered the best method in terms of both usability and security. It's still not perfect, though.
Unlike 2FA apps, emails, and, in most cases, text messages, U2F keys aren't free. The investment isn't enormous, but the sad fact of the matter is that most users aren't especially keen on paying for security, and even a reasonable price can be enough of a barrier for them. Then there's the problem of losing a small token, which means a service that offers keys also needs a recovery path – typically a second registered key or a set of one-time recovery codes – and that path must not quietly fall back to something weaker than the key it replaces.
How to pick the most appropriate 2FA implementation for your service?
All in all, there is no such thing as "the perfect 2FA." Some implementations are more secure than others, but they all have their own separate issues, which means that if you're running an online service, you must decide what sort of 2FA you're going to implement based on your users, their needs, and their threat models. For additional flexibility, most service providers let people pick which 2FA implementation they want to use from a list of several different options, and this is perhaps the most reasonable approach given how diverse the user base can be. Keep in mind, though, that an account is only as strong as the weakest method left enabled on it: a user who registers a security key but keeps SMS as a fallback is still exposed to every SMS attack described above, so let users remove the weaker options once a stronger one is set up.
Make sure you don't forget one thing, though – even the most insecure 2FA is better than no 2FA.