
Data Breach Defense: Multifactor Authentication

Another powerful thing a person can do to protect their online accounts is to use multi-factor authentication. According to Microsoft, this one technique can stop up to 99.9% of unauthorized account accesses.

Multifactor Authentication (also known as MFA, Two-Factor Authentication, or 2FA) is a system that requires additional steps beyond a username and password to log in to a given account. The most common form of MFA is the SMS text: you log into a site, they text you a code, you enter the code on the next screen, and now you can access your account. This is useful because with MFA, even if a hacker were to gain access to your login credentials, they would still need access to your physical device to complete the login process.

When picking an MFA solution, the most important thing is to look for something you will use consistently and won't interfere negatively with your life. If you need the ability to log into your account from any computer at any given time, a hardware key may not be your best bet.

Generally speaking, you should try to avoid SMS 2FA whenever possible, because it is relatively easy for a malicious actor or hacker to hijack your phone number in any number of ways and therefore receive the incoming 2FA text, defeating the purpose of 2FA and rendering the extra step useless. Use SMS if nothing else is available, but try to use something else if you have the option. The order of recommended 2FA methods from strongest to weakest is hardware keys, software apps, push notifications, SMS/email. Software apps will be the sweet spot for most people.

Product/Service comparison (pros and cons)
Click here to see my criteria for selecting these services
Click here for a visual version of this chart
Listed in alphabetical order, not order of recommendation

Aegis Authenticator
  Cons:
    • Android only

Raivo OTP
  Pros:
    • Open source
    • Search function to quickly and easily find the desired OTP code
    • Requires a login for added security
    • Offers backups
  Cons:
    • iOS only
    • Login feature is mandatory

Getting Started

MFA can typically be enabled under the "Security" settings of your account, though it may sometimes be under a similar but different setting such as "Login" or "Account." It also sometimes goes by other names such as "two-step login" or "Authenticator App." Stop reading right now and go enable MFA on your important email account(s). Seriously, right this second. If I hack your email account that you use for banking, for medical communication, or for other critical things, I can lock you out and take over your life. All I have to do is hit that little button that says "forgot password" and have them email me a reset link. So you need to secure your important email accounts first and foremost.

My preferred strategy for implementing MFA on existing accounts is to start by enabling it on every critical account first - email, banking, work accounts, etc. Take the time right now to decide what accounts you absolutely cannot afford to lose access to and sit down and knock those out right now. For less critical accounts like your personal Twitter or game accounts, I recommend you enable it next time you use it. The idea of sitting down and knocking out hundreds of accounts at once is daunting, so instead I advocate an "as you go" strategy to avoid being overwhelmed. Before you know it, you'll have enabled it everywhere offered.

Honorable Mention: Hardware Tokens

For most people, software apps will provide the best blend of security and usability. However, for those who require additional protection - or simply want to go the extra mile - many hardware keys exist that provide maximum protection at very little cost to user-friendliness. Some of the more common and recommended hardware keys include Yubikey, OnlyKey, and LibremKey. Less common but open source options include NitroKey and SoloKey. Each offers different features, but all will provide roughly the same level of protection.

Hardware authentication keys are physical devices that plug into your computer and act as a hardware multifactor authentication option. They are great additional security, but they aren't very durable and may not be a good choice for a laptop or for a person who needs to be able to access things remotely. Likewise, these keys require you to put extra thought into your backups (e.g. "what if I lose this?"). It is worth noting, though, that hardware keys are incredibly secure because they can't be remotely hijacked the way that other forms can.

Tips & Tricks

Most sites have an option during the second login screen to "remember this device for 30 days" or something similar. This will keep you logged in without requiring your MFA code for the indicated amount of time. I'm not opposed to this, but make sure that you're not enabling this on a public computer, family computers, or a computer that stays unlocked often. Only use this option on personal computers that you don't leave unattended.

When you sign up for MFA, most sites will issue you backup codes. Be sure to write these down somewhere safe in case you lose your MFA device; it will save a lot of time and headache. I recommend saving them in the notes section of your password manager.

Some password managers offer the ability to store your MFA key with a little extra work to make your login process easier and more centralized. This can be helpful if you're sharing accounts with someone (a family member, for example) or if you just want to rely on your phone less. However, be aware of the risk: by putting your password and two-factor code in the same place, you're creating a single point of failure. Make sure you're taking extra precautions if this is the path you decide to take.

Many websites will explicitly list "Google Authenticator" as a two-factor option, but don't let this fool you. Any software authenticator app listed on this page (and many others) will work just fine.

Some apps offer the ability to backup your two-factor database, sometimes even in the cloud. As someone who has lost their two-factor database before, I understand the appeal of this. But be aware of the risks. 1) Anything stored in the cloud has the risk of becoming exposed either through a data breach or a rogue employee if the service is not zero-knowledge. Do your research and make sure you've accepted this risk. 2) If the backup requires a password, be sure to use a strong password, or else it will be easily cracked as discussed in the "Understanding Data Breaches" section.

If using a hardware token, be sure to buy two copies and keep the second in a safe place as a backup in case the first one gets broken. Just as with regular backups, be sure to keep it regularly updated, too. It's no use to you if it's not configured with the sites you need to use it on when your primary device breaks.