Data Breach Defense: Multifactor Authentication

The single most powerful thing a person can do to protect their online accounts is to turn on multi-factor authentication. According to Microsoft, this one technique blocks over 99.9% of account compromise attacks, because stolen or guessed passwords alone no longer get an attacker in.

Multifactor Authentication (also known as MFA, Two-Factor Authentication, or 2FA) is a system that requires an additional step beyond username and password to log in to a given account. The most common form of MFA is the SMS text: you log into a site, they text you a code, you enter the code on the next screen, and then you are in. This is useful because with MFA, even if a hacker were to obtain your login credentials, they would still need the second factor (your phone, your authenticator app, or your hardware key) to complete the login.

When picking an MFA solution, the most important thing is to look for something you will use consistently and that won't get in the way of your life. If you need the ability to log into your account from any computer at any given time, a hardware key may not be your best bet.

Hardware authentication keys, such as the YubiKey, Librem Key, and other similar devices, are physical tokens that plug into (or tap against) your computer or phone and act as the second factor. They are great additional security, but they can be lost, left at home, or damaged, so they may not be a good choice for a person who needs to be able to access things from arbitrary machines. Likewise, these keys require you to put extra thought into your backups ("what if I lose this?"); the usual answer is to register a second key on every account and keep it somewhere safe. It is worth noting, though, that hardware keys are the most phishing-resistant option available. A FIDO/U2F or FIDO2 key signs a challenge that is bound to the exact website address you are visiting, so a look-alike phishing site cannot obtain a usable response, and there is no code for an attacker to intercept or trick you into typing. Google reported that after it required security keys for all of its employees, it saw no successful account takeovers by phishing, precisely because these keys can't be remotely hijacked the way that codes sent by SMS or displayed in an app can.

Generally speaking, you should try to avoid SMS 2FA whenever possible. It is relatively easy for a malicious actor to take over your phone number, for example by convincing your carrier to move it to a new SIM card ("SIM swapping") or by having your texts forwarded, and therefore receive the incoming 2FA text, defeating the purpose of 2FA and rendering the extra step useless. SMS codes can also simply be phished: a fake login page asks you for the code and relays it to the real site. Use SMS if nothing else is available, but try to use something else if you have the option.

Product/Service: Pros and Cons

Aegis Authenticator
  Pros:
  • Open source
  Cons:
  • Android only

andOTP
  Pros:
  • Open source
  Cons:
  • Android only

Authenticator
  Pros:
  • Open source
  • Supports time-based and counter-based passwords
  Cons:
  • iOS only

FreeOTP
  Pros:
  • Open source
  • Android and iOS
  • OTP codes are hidden until the user taps on them, adding a small layer of additional security
  • Available on F-Droid
  Cons:
  • The program is sponsored and maintained by Red Hat, which was purchased by IBM. Some users may be put off by corporate involvement.

FreeOTP+
  Cons:
  • Android only
  • Not available on F-Droid

Tofu
  Pros:
  • Open source
  • Search function available to quickly and easily find the desired OTP code
  Cons:
  • iOS only

Getting Started

MFA can typically be enabled under the "Security" settings of your account, though it may sometimes be under a similar but different setting such as "Login" or "Account." It also sometimes goes by other names such as "two-step login" or "Authenticator App." Stop reading right now and go enable MFA on your important email account(s). Seriously, right this second. If I hack your email account that you use for banking, for medical communication, or for other critical things, I can lock you out and take over your life. All I have to do is hit that little button that says "forgot password" and have them email me a reset link. So you need to secure your important email accounts first and foremost.

My preferred strategy for implementing MFA on existing accounts is to start by enabling it on every critical account first: email, banking, work accounts, and so on. Decide which accounts you absolutely cannot afford to lose access to, then sit down and knock those out right now. If the account doesn't offer MFA, I'll discuss that on the next page. For less critical accounts like your personal Twitter or game accounts, I recommend you enable it the next time you use them. The idea of sitting down and working through hundreds of accounts at once is daunting, so instead I advocate an "as you go" strategy to avoid being overwhelmed. Before you know it, you'll have enabled it everywhere it is offered.

Tips & Tricks

Most sites have an option during the second login screen to "remember this device for 30 days" or something similar. This will keep you logged in without requiring your MFA code for the indicated amount of time, usually by storing a long-lived cookie in that browser, so anyone who can use that browser profile during that period skips your second factor entirely. I'm not opposed to this, but make sure that you're not enabling it on a public computer or a shared computer that others can reach while you are logged in. Only use this option on personal computers that you don't leave unattended.

When you sign up for MFA, most sites will issue you backup codes. Be sure to write these down somewhere safe in case you lose your MFA device; it will save a lot of time and headache. I recommend saving them in the notes section of your password manager. Keep in mind that each backup code is a one-time replacement for your second factor, so anyone who gets into your password manager gets both factors at once: protect the manager itself with a strong master password and its own MFA.

Some password managers offer the ability to store your MFA secret (the seed behind the rotating codes) with a little extra work, to make your login process easier and more centralized. This can be helpful if you're sharing accounts with someone (a family member, for example) or if you just want to rely on your phone less. It is a trade of security for convenience, though: a compromised password manager then yields both the password and the second factor, so consider keeping your most critical accounts' MFA on a separate device.

Many websites will explicitly list "Google Authenticator" as a two-factor option, but don't let this fool you. What the site actually implements is the standard time-based one-time password algorithm (TOTP, RFC 6238): the QR code it shows you encodes a shared secret plus a few public parameters, and any app that knows the algorithm produces the same six-digit codes from it. Any software authenticator app listed on this page (and many others) will work just fine.

