Multifactor Authentication

The single most powerful thing a person can do to protect their online accounts is to use multi-factor authentication. According to Microsoft, this one technique can stop up to 99.9% of unauthorized account accesses.

Multifactor Authentication (also known as MFA, Two-Factor Authentication, or 2FA) is a system that requires additional steps beyond username and password to log in to a given account. The most common form of MFA is the SMS text: you log into a site, they text you a code, you enter the code on the next screen, and now you can access your account. This is useful because with MFA, even if a hacker were to gain access to your login credentials, they would still need access to your physical device to complete the login process. MFA can usually be enabled under the settings of your account, typically under the "Security" tab or a similar section. Unfortunately, not all sites offer MFA, but many do.

When picking an MFA solution, the most important thing is to look for something that you will use consistently and that won't interfere negatively with your life. If you need the ability to log into your account from any computer at any given time, a hardware key may not be your best bet.

Hardware authentication keys, such as the Yubikey, Librem Key, and other similar devices, are physical devices that plug into your computer and act as a hardware multifactor authentication option. They provide great additional security, but they aren't very durable and may not be a good choice for a laptop or for a person who needs to be able to access things remotely. Likewise, these keys require you to put extra thought into your backups (e.g. "what if I lose this?"). It is worth noting, though, that hardware keys are incredibly secure. It's how companies like Google have managed to avoid major data breaches so well in the past, because hardware keys can't be remotely hijacked the way that other forms of MFA can.

Generally speaking, you should try to avoid SMS 2FA whenever possible, because it is relatively easy for a malicious actor or hacker to hijack your phone number in any number of ways and therefore receive the incoming 2FA text, defeating the purpose of 2FA and rendering the extra step useless. Use SMS if nothing else is available, but try to use something else if you have the option.

Product/Service: Pros and Cons

andOTP
  Cons:
  • Android only

FreeOTP
  Pros:
  • Open source
  • Android and iOS
  • OTP codes are hidden until the user clicks on them, adding a small layer of additional security
  Cons:
  • The program is sponsored and maintained by Red Hat, which was purchased by IBM. Some users may be put off by corporate involvement.

Tofu
  Pros:
  • Open source
  • Search function available to quickly and easily find desired OTP code
  Cons:
  • iOS only
