Data Breach Defense: Multifactor Authentication

What is Multifactor Authentication?

Multifactor authentication is when a service requires an extra step to authenticate you during login aside from simply a username and password. This could take the form of a text message, a code generated by an app, a push notification, a hardware device, or even biometric authentication.

There are multiple factors of authentication, but this site addresses the two most common: something you know and something you have. Something you know is the username and password, while something you have is typically the six-digit code you have on your device or a hardware token (discussed further down). When only two forms of authentication are required, it is considered "two-factor" authentication (often abbreviated as 2FA). When more than two forms of authentication are required, it is "multi-factor" authentication, or MFA. Technically all 2FA is MFA, but not all MFA is 2FA.

Why do I Need Multifactor Authentication?

According to Microsoft, this one technique can stop up to 99.9% of unauthorized account accesses. With MFA enabled, even if an attacker gets your username and password, they would still be unable to log in without the token.

What Should I Look For in a Multifactor Authentication Solution?

When picking an MFA solution, be sure to pick something you will use consistently. For example, if you need the ability to log into your account from any computer at any given time, a hardware key may not be convenient for you. You should also avoid SMS 2FA whenever possible because it is relatively easy for an attacker to steal your phone number and receive the incoming 2FA text. Use SMS if nothing else is available, but use something better if you have the option. The order of recommended 2FA methods from strongest to weakest is hardware keys, software apps, push notifications, SMS/Email. Software apps will be the sweet spot for most people.

Products/Services (pros and cons)
Listed in alphabetical order, not order of recommendation

Aegis Authenticator
  • Android Only
  • Vault encryption is not on by default and must be enabled manually

andOTP
  • Available on F-Droid
  • Encryption is automatic
  • Android Only

Raivo OTP
  • Encryption is automatic
  • iOS only
  • Login feature is mandatory

Honorable Mention: Hardware Tokens

For most people software apps will provide the best blend of security and convenience. However, for those who require additional protection, many hardware keys exist that provide maximum protection at very little additional cost and effort. Hardware tokens are physical devices that plug into your computer via USB. If an account is configured to use a hardware token, the device must be plugged in rather than entering a code. They are nearly perfect additional security because they can't be remotely hijacked the way that other keys can, but they aren't very durable and may not be a good choice for a laptop or someone who travels a lot. Some of the more common and recommended hardware keys include OnlyKey and Yubikey. Less common but open source options include LibremKey, NitroKey and SoloKey.

Other Forms of Authentication

As mentioned above, there are many additional forms of authentication, including something you are (biometric identification like fingerprint or iris scans) and somewhere you are (a website that requires your IP address to match your area of residence or work, for example). Personally, I don't recommend using these when the option exists, for various reasons. Factors like somewhere you are can be highly invasive and can thwart other privacy strategies I recommend, like the use of a VPN. Something you are is widely considered secure because the resources required to spoof a person's biometric identity are typically intense and reserved only for high-level threats. However, it is worth noting that historically these kinds of attacks become less difficult over time, and if your biometric information gets leaked you can't change it the way you can change a password or OTP key (software/hardware token). As I've said before, the most important thing is that you find a 2FA solution that you will use consistently, so if these are the only solutions that work for you then I would recommend them; however, I would encourage you to stick to something you have whenever possible. (It's the most widely supported anyway.)

Getting Started

MFA can typically be enabled under the "Security" settings of your account, though it may sometimes be under a similar but different setting such as "Login" or "Account." It also sometimes goes by other names such as "two-step login" or "Authenticator App." Some websites will explicitly list Google Authenticator, but any two-factor app listed here will work. I suggest you stop what you're doing immediately and enable MFA for your most critical accounts. Bank, email, and other accounts you can't afford to live without. Do it right now before you do anything else.

For the rest of your accounts, I recommend enabling MFA "as you go." This means you enable it on a per-account basis as you log in or use each one. For example, next time you log into eBay, enable MFA. Then, next time you log into Discord, enable MFA. In time every account will have MFA enabled.

Tips & Tricks

Most sites have an option during the second login screen to "remember this device for 30 days" or something similar. This will keep you logged in without requiring your MFA code for the indicated amount of time. This can be convenient, but take care not to enable this on a public or shared computer, or a computer that stays unlocked often.

When you sign up for MFA, most sites will issue you backup codes. Be sure to write these down somewhere safe in case you lose your MFA device. I recommend saving them in the notes section of your password manager.

Some password managers offer the ability to store your MFA key to make your login process more convenient. This can be helpful, but be aware of the risk: by putting your password and two-factor code in the same place, you're creating a single point of failure. Make sure you're taking extra precautions if this is the path you decide to take.

If using a hardware token, I recommend buying two copies and keeping the second in a safe place as a backup in case the first one gets broken. Just as with other kinds of data backups, be sure to keep it regularly updated.

2FA Directory is a useful website to see if services you use or are considering using allow two-factor authentication and which kind.