{{Header}}
{{Title|title= Two-factor Authentication (2FA) }}
{{#seo:
|description=How novice and advanced users can benefit from Two-factor Authentication (2FA). Avoiding inaccessible online accounts/logins. Time-based One-time Password (TOTP). "Google Authenticator." Universal Second Factor (U2F) security/physical keys.
|image=2FA.jpg
}}
[[Image:2FA.jpg|thumb]]
{{intro|
How novice and advanced users can benefit from Two-factor Authentication (2FA). Avoiding inaccessible online accounts/logins. Time-based One-time Password (TOTP). "Google Authenticator." Universal Second Factor (U2F) security/physical keys.
}}
= Introduction =
{{mbox
| image = [[File:Ambox_warning_pn.svg.png|40px]]
| text = You are your email address! If an email address is hacked, the attacker can potentially take over most of your digital identity. This can lead to impersonation on social media and forums, the depletion of banking/credit/shopping accounts, access to cloud storage services or password managers, and more.
}}
{{mbox
| image = [[File:Ambox_notice.png|40px]]
| text = 2FA is beneficial even for advanced users who can easily detect phishing attempts. The reason is that the email addresses used to sign up for (financial) services can be hacked due to factors outside of an individual's control, such as database leaks, malicious insiders and so on. In that case 2FA will still afford protection to the accounts.
}}
== Definition ==
Even users who are knowledgeable about [[Social_Engineering|(spear) phishing]] can benefit from two-factor authentication (2FA). 2FA and similar terms are encompassed under the broader multi-factor authentication (MFA) definition: https://en.wikipedia.org/wiki/Multi-factor_authentication
Multi-factor authentication ... is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something only the user knows), possession (something only the user has), and inherence (something only the user is). MFA protects user data—which may include personal identification or financial assets—from being accessed by an unauthorised third party that may have been able to discover, for example, a single password.
2FA can be used to strengthen the security of online accounts, smartphones, web services, access to physical locations and other implementations. By requiring two (or more) separate and distinct forms of information/identification before access is granted, it reduces the threat posed by malicious actors. 2FA relies upon a combination of two of the following: https://www.investopedia.com/terms/t/twofactor-authentication-2fa.asp

* something you know -- like a password
* something you have -- like a code sent to a smartphone or a smartphone authenticator application
* something you are -- such as biometric markers (fingerprints, face or retina scans)

A familiar example of 2FA is the withdrawal of money from an Automatic Teller Machine (ATM). To withdraw cash it is necessary to present a valid credit or debit card (something you have) and to enter a Personal Identification Number (PIN; something you know). Although this increases overall security, the procedure is vulnerable to attacks such as [https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/skimming ATM skimming]. In this attack:

* ATM skimmer devices usually fit over the original card reader.
* Some ATM skimmers are inserted in the card reader, placed in the terminal, or situated along exposed cables.
* Pinhole cameras installed on ATMs record a customer entering their PIN. Pinhole camera placement varies widely.
* In some cases, keypad overlays are used instead of pinhole cameras to record PINs. Keypad overlays record a customer's keystrokes.
* Skimming devices store data to be downloaded or wirelessly transferred later.

https://pixelprivacy.com/resources/two-factor-authentication/

2FA is not foolproof because attackers can potentially obtain these authentication factors via malware, account recovery procedures, phishing attacks, [https://en.wikipedia.org/wiki/Man-in-the-browser browser vulnerabilities] and [[Warning#Man-in-the-middle_Attacks|Man-in-the-middle Attacks]]. It is also possible to intercept text messages that are sent as part of a 2FA procedure. This is why MFA is more secure than 2FA -- more than two factors are required before account access is granted.

== Digital Identity ==
Consider what would happen if:

* you immediately lost access to your email address
* a malicious third party had exclusive access to your email address while you did not

These hypothetical scenarios show that a digital identity is centered around the inviolability (security) of personal email addresses. For many purposes, an email address is a trust anchor. Malicious actors who control your email address also have major control over most of your digital life. As noted in the [[Basic_Security_Guide_Introduction#Hacked_Email_Account|Essential Security Guide Introduction]] chapter:
Just one breach of an online email service permits the theft of valuable personal data, account/contact harvesting, re-sale of retail accounts, spam and much more. An email account is a particularly weak link, since once under the attacker's control they can reset the password, along with the passwords of many linked services and accounts.
Feasible consequences of an email breach include: https://www.rd.com/list/what-hackers-can-do-with-email-address/ https://krebsonsecurity.com/2013/06/the-value-of-a-hacked-email-account/

* Employment: forwarding of work documents and work email; access to FedEx, UPS, Salesforce or related accounts; employer/colleague details; a hack of the victim's employer; and sending a termination letter to an employer, employees, landlord, mobile carrier, banks etc.
* Financial: access to bank accounts; reset of accounts for malicious transactions; financial accounts/loans opened in the victim's name; email account ransom; personal credit score harm; changed billing arrangements; cyberheist lures; and blackmail/extortion opportunities against the owner of the hacked account.
* Harvesting: all email and chat contacts; access to file hosting accounts; Google Docs, MS Drive, Dropbox and other accounts; software license keys; social security number and other information for identity theft; and password recovery requests to all social media and other accounts. Password recovery may not even be necessary because many Internet users use the same passwords for multiple accounts.
* Privacy: access to personal name and history; personal messages, calendar, photos, Google/Skype chats; call records (plus mobile account); your location (plus mobile/iTunes); names of friends and family members; the threat of real-world stalking; and potentially political views, travel and favorite places.
* Spam: commercial email; phishing; malware proliferation; stranded abroad, email signature and Facebook/Twitter scams; and other malicious emails/messages requesting funds/cryptocurrency transfers to help "solve" non-existent scenarios.
* Reputation: reputational harm due to uploading of indecent communications, photos, videos to social media/other websites; sending of inappropriate e-mails; and catfishing romantic partners. A catfish is someone masquerading as somebody else to create false identities, often to pursue deceptive online romances.
* Retail Resale: Facebook, Twitter, Tumblr, Macy's, Amazon, Walmart, iTunes, Skype, Best Buy, Spotify, Hulu+, Netflix, Origin, Steam, Crossfire and other accounts.

The multiple, serious consequences of an email breach emphasize the importance of properly configuring 2FA for both accounts and password managers to minimize the potential damage. It is also recommended to:

* use strong and unique [[Passwords#Generating_Unbreakable_Passwords|passwords]] for all accounts
* avoid the use of email accounts as a login for other accounts
* limit information shared over email
* avoid typing your email password on public WiFi networks

= Common Misconceptions =
'''Table:''' ''Common 2FA Misconceptions'' https://www.wired.com/insights/2013/04/five-myths-of-two-factor-authentication-and-the-reality/ https://web.archive.org/web/20201108134652/https://thecybersecurityplace.com/6-myths-about-two-factor-authentication/ https://www.stuff.co.nz/business/opinion-analysis/300221352/3-common-misconceptions-about-twofactor-authentication https://www.yubico.com/blog/internet-security-myth-busters-debunking-3-common-misconceptions-about-two-factor-authentication/

See also: [https://www.wwpass.com/pdf/docs/2FAsCostlyMisnomersAndMisconceptions.pdf 2FA's costly misnomers and misconceptions]. https://kripeshadwani.com/best-2fa-apps/

{| class="wikitable"
|-
! scope="col"| '''Misconception'''
! scope="col"| '''Description'''
|-
! scope="row"| 2FA requires Google
| Google Authenticator is the most popular 2FA implementation, but not the only one -- Google software is not necessary to take advantage of 2FA. Many services link to and recommend Google Authenticator, but any Time-based One-time Password (TOTP) implementation will work, see: [[#Authenticator Software Choices|Authenticator Software Choices]].
|-
! scope="row"| 2FA is a quick fix to protect against future breaches
| Sites cannot simply "turn on" 2FA; deployment requires tokens to be issued or cryptographic keys embedded in other devices. If 2FA is enforced, many users will not have the means to log in; if it is voluntary, some will not bother enabling this security feature.
|-
! scope="row"| 2FA is invulnerable to most threats
| 2FA does improve security but it is imperfect. For example:
* 2FA technologies may prompt users to approve various transactions; inattentive users might approve an attacker's transactions without realizing.
* Third-party authentication tokens rely upon the security of the issuer (who can be breached).
* 2FA relying on text messaging (SMS) depends upon the security of the mobile provider; malware on a phone can intercept SMS messages and send them to an attacker.
* Malware can still steal session tokens when 2FA is enabled, though depending on the service, attackers may not be able to achieve as much with stolen session tokens because sensitive actions will require reauthentication.
|-
! scope="row"| 2FA always requires the use of a second device
| Single-device 2FA is possible, for example keying information with a smartphone application that prompts the user for something they know. This means a second device is not needed to receive one-time passwords.
|-
! scope="row"| Most 2FA solutions are similar
| This is incorrect. 2FA solutions can rely on hardware tokens that produce one-time passwords, emails, SMS messages, mobile applications with cryptographic secrets (like Google Authenticator, Defender Soft Token etc.), keying information stored in a user's browser, physical security keys (like a Nitrokey) and so on.
|-
! scope="row"| 2FA is unnecessary; strong and unique passwords are sufficient
| As noted in the introduction, this is demonstrably false. For example, phishing attacks, [https://en.wikipedia.org/wiki/Man-in-the-browser browser vulnerabilities] and [[Warning#Man-in-the-middle_Attacks|Man-in-the-middle Attacks]] can lead to the recovery of passwords. 2FA is recommended for all accounts -- even your password manager -- for an extra layer of security. This way attackers need to overcome two barriers instead of one to access an account.
|-
! scope="row"| All 2FA is equally strong
| This is incorrect. For example, SMS and mobile authenticator applications are vulnerable to SIM swapping, mobile malware, phishing scams, and [[Warning#Man-in-the-middle_Attacks|Man-in-the-middle Attacks]]. On the other hand, Google researchers found that no users relying exclusively on physical security keys were victims of targeted phishing campaigns (since physical key access is required to log in). https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html Device-based challenges like SMS codes, security keys and on-device prompts were generally more effective against automated bots, bulk phishing attacks, and targeted phishing attacks. Less useful were knowledge-based challenges like a secondary email address, phone number, or last sign-in location.
|-
! scope="row"| 2FA is complicated and time-consuming
| The right 2FA solution for a user's security needs can be simple to use, and does not always involve one-time passwords. For example, a physical security key may only require one touch or tap of the key to log in.
|-
! scope="row"| 2FA requires an Internet connection
| This is incorrect. For example, the TOTP authentication mechanism does not require an Internet connection: codes are computed locally from the shared secret and the current time.
|-
! scope="row"| TOTP and HMAC-based One-Time Passwords (HOTP) are identical
| TOTP and HOTP are distinct:
* TOTP codes are time-limited and generally remain valid for 30 to 60 seconds. They become invalid if not used within that timeframe. Examples are Authy, Google Authenticator and others.
* HOTP codes are event-based (counter-based); a code remains valid until a new code is requested. One example is the Nitrokey implementation.
|-
|}

= 2FA Configuration and Options =
Before configuring 2FA for online accounts, it is worth considering the most common methods in use by websites, the relative strengths and weaknesses of each implementation, and the various configuration options. Depending on the website, more than one 2FA method may be available. 2FA may also be referred to as "login verification" (Twitter), "login approvals" (Facebook), "SafePass" (Bank of America) or "2-step verification" (Google and others). Most popular websites provide 2FA -- the Electronic Frontier Foundation (EFF) provides detailed guides for the following services: https://www.eff.org/deeplinks/2016/12/12-days-2fa-how-enable-two-factor-authentication-your-online-accounts
* [https://www.eff.org/deeplinks/2016/12/how-enable-two-factor-authentication-amazon Amazon]
* [https://www.eff.org/deeplinks/2016/12/how-enable-two-factor-authentication-bank-america Bank of America]
* [https://www.eff.org/deeplinks/2016/12/how-enable-two-factor-authentication-dropbox Dropbox]
* [https://www.eff.org/deeplinks/2016/12/how-enable-two-factor-authentication-facebook Facebook]
* [https://www.eff.org/deeplinks/2016/12/how-enable-two-factor-authentication-gmail-and-google Gmail and Google]
* [https://www.eff.org/deeplinks/2016/12/how-enable-two-factor-authentication-linkedin LinkedIn]
* [https://www.eff.org/deeplinks/2016/12/how-enable-two-factor-authentication-outlookcom-and-microsoft Outlook.com and Microsoft]
* [https://www.eff.org/deeplinks/2016/12/how-enable-two-factor-authentication-paypal PayPal]
* [https://www.eff.org/deeplinks/2016/12/how-enable-two-factor-authentication-slack Slack]
* [https://www.eff.org/deeplinks/2016/12/how-enable-two-factor-authentication-twitter Twitter]
* [https://www.eff.org/deeplinks/2016/12/how-enable-two-factor-authentication-yahoo-mail Yahoo Mail]
For a comprehensive list of services and websites that support 2FA, utilize [https://2fa.directory/int/ 2FA Directory].

== Implementations ==
2FA implementations can take several forms, including:

* a one-time verification code sent via SMS
* a TOTP generated by dedicated applications like [https://safety.google/authentication/ Google Authenticator], [https://authy.com/ Authy] and [https://freeotp.github.io/ FreeOTP]
* downloadable, printable, hardcopy backup codes
* hardware tokens such as a [https://www.nitrokey.com/ Nitrokey]

As outlined in the introduction, all of these methods combine something you have (a smartphone, printed codes, a piece of hardware) with something you know (your password). Each method has strengths and weaknesses, as outlined in the table below. In general, while SMS verification is the most common 2FA method, it is not recommended because SMS messages can be intercepted in transit by malicious actors. Conversely, hardware tokens like Nitrokey are the most secure method, but are not widely supported and could be lost. Authenticator applications are a ''reasonably'' secure middle ground, so long as you possess a smartphone.

'''Table:''' ''2FA Implementation Pros and Cons'' https://www.accessnow.org/cms/assets/uploads/2017/09/Choose-the-Best-MFA-for-you.png https://www.eff.org/deeplinks/2017/09/guide-common-types-two-factor-authentication-web https://brainstation.io/cybersecurity/two-factor-auth

{| class="wikitable"
|-
! scope="col"| '''2FA Implementation'''
! scope="col"| '''Pros and Cons'''
|-
! scope="row" style="vertical-align: top; text-decoration: underline;" | FIDO U2F / physical keys (recommended)
Universal Second Factor (U2F) uses small USB, NFC or Bluetooth devices aka "security keys".
| Pros:
* Both the physical key and password are required for logins -- accounts have strong protection against phishing attacks.
* Easy to use once set up -- after the device is registered with a website, subsequent logins only require the device to be connected and tapped.
* No codes need to be entered.
* A U2F device does not respond to sites it has not been registered to.
* The same device can be used on multiple sites with a different identity for each; there is no single unique device identity for tracking.
* Research shows physical keys provide the strongest defense against automated bots, bulk phishing and targeted phishing -- they are virtually "phishing-proof".
* Most sites supporting U2F also support TOTP and backup codes.
Cons:
* A physical key must be purchased, although they are relatively cheap, with prices starting from around 10-20 dollars.
* The key must be carried at all times.
* Devices without a USB port may prevent logins.
* Browser support can be limited -- the W3C is working on standardizing the U2F protocol.
* Only a handful of U2F devices work with smartphones over [https://techterms.com/definition/nfc Near Field Communication (NFC)] and Bluetooth.
|-
! scope="row" style="vertical-align: top; text-decoration: underline;" | Authenticator application / TOTP 2FA (recommended)
These are third-party applications for smartphones that generate a new one-time password every 60 seconds. The implementation is part of the Open Authentication (OATH) architecture.
| Pros:
* Easy to use and set up -- sites show [https://techterms.com/definition/qr_code QR codes] containing the secret key that can be scanned into the application. "Quick response" (QR) codes are a barcode with a matrix of dots. QR scanners or smartphone cameras can scan the barcode, and device software converts the dots into numbers or a string of characters. This can then be used for various activities, like opening a URL in a web browser.
* Codes can be scanned into multiple smartphones.
* Codes can be saved in a safe place or printed out as a backup.
* It is possible to use even without Internet access.
* Attackers who perform phone redirections cannot access 2FA codes.
Cons:
* A smartphone is required.
* Account access can be lost if the phone dies or is stolen (unless a backup was saved/printed out).
* This is inconvenient when logging into multiple, different computers, since it requires unlocking the phone, opening the application, and typing the code in each time.
* This implementation is vulnerable to smartphone malware.
|-
! scope="row" style="vertical-align: top; text-decoration: underline;" | Push-based 2FA (recommended)
Such as Duo Push and Apple's Trusted Devices implementation.
| Pros:
* Prompts are sent to devices during a login -- it is easy to approve or deny the request and identify the estimated location for the login attempt.
* Showing the IP address of the originating login provides stronger phishing protection.
* It is more convenient to acknowledge a prompt than to type in a code.
Cons:
* This implementation is not standardized -- it is not possible to choose from alternative authenticator applications.
* Push-based credentials from different services cannot be consolidated into a single application.
* A working data connection is required on the phone. In comparison, authenticator applications do not require a working connection.
* This implementation is vulnerable to smartphone malware.
|-
! scope="row" style="vertical-align: top; text-decoration: underline;" | SMS-based text messages and voice-based 2FA (unrecommended)
Account logins require both a password and the text message/automated phone call code to sign in.
| Pros:
* It is easy to set up.
* It can be used with a "non-smart" phone.
Cons:
* Additional information (a phone number) is provided to a website/platform -- this makes anonymous use difficult and risks future potential breaches.
* Some websites use phone numbers for targeted advertising, conversion tracking and password resets. Attackers who take over phone numbers are able to access accounts without knowing the password.
* Text messages are insecure: interception, redirection or forwarding of codes to other devices is possible. SIM cards can also be copied, or attackers can potentially trick phone companies into assigning a phone number to a different SIM card (so they can receive 2FA codes). The SS7 telephony protocol has flaws that also allow this attack.
* Voice calls can be intercepted.
* Extra costs may be incurred by connecting to telephone networks to receive messages.
* Logins are impossible if the phone is not charged or a mobile network is unavailable. For instance, this is a problem for international travelers.
* If the phone is lost, account recovery can be difficult or impossible.
|-
! scope="row" style="vertical-align: top; text-decoration: underline;" | Biometric IDs (unrecommended)
| Pros:
* Your own body is used as a physical token, such as your face, retina, fingerprint or voice (always available). For example, iPhones have facial scanning technology and most modern phones allow fingerprint scans for easy and quick access.
Cons:
* Biometric IDs can never be changed if compromised.
* Physical equipment like scanners and cameras is required.
* Volunteering biometric data is a privacy intrusion and risk.
|-
! scope="row" style="vertical-align: top; text-decoration: underline;" | Email-based 2FA (unrecommended)
| Pros:
* This is convenient because an automated message with a code/link is sent to a registered email address when there is a login attempt.
* This method is easy to implement, intuitive, and works with computers and phones.
Cons:
* An Internet connection is required.
* This method is insecure:
** Many people use identical passwords across accounts/devices.
** Email accounts are vulnerable to [https://en.wikipedia.org/wiki/Brute-force_attack brute-force attacks].
* Emails can end up in junk or spam folders.
* Attackers often have passwords for both online accounts and the associated email accounts.
|-
|}

== Backups ==
Users tend not to back up 2FA backup codes since (popular) services do not enforce this procedure, unlike bitcoin wallets, which enforce retyping the wallet mnemonic seed. After configuring 2FA, it is strongly recommended to plan for the worst-case scenario and have multiple 2FA backup codes. Otherwise account access will be lost if a smartphone is lost/stolen, or if a single copy of 2FA backup codes is misplaced.

Recommendations: https://www.howtogeek.com/358723/psa-make-sure-you-have-a-backup-for-two-factor-authentication/ https://www.guidingtech.com/backup-2fa-codes/ https://www.protectimus.com/blog/google-authenticator-backup/

* Always set up at least two devices which can generate 2FA one-time passwords.
** For example, open the 2FA page of the relevant website. Next scan the QR code with the authenticator application on the first phone, then scan the same code with the authenticator application on the second phone.
* Always back up, print or write down 2FA backup codes in two different places -- these cannot be hacked or compromised without somebody breaking into your home. For instance, the Google Authenticator application has a "Back up codes" option for this purpose.
* Additional copies of 2FA backup codes can be stored in other locations:
** In an encrypted file on your computer (including snapshots of QR codes).
** In cloud storage if the option is available. For example, the LastPass password manager and [https://authy.com/features/backup/ Authy] websites offer this service. This is less secure but more convenient -- if a smartphone is lost all codes can be easily restored without re-scanning all the sites again.
* If services do not provide 2FA code backup options (like Apple), one workaround is to add a second, trusted phone number for the accounts, such as a spouse's phone, work phone etc.

Note: a common misconception is that Google 2FA backup login codes can restore 2FA for services other than Google. This is incorrect; these codes only allow logins into a Google account after access to the 2FA device has been lost.

== Authenticator Software Choices ==
Various factors should be considered before choosing an authenticator application, including: https://kripeshadwani.com/best-2fa-apps/
* Price: prefer those which are free. Since 2FA is a relatively simple process, it is unnecessary to pay for a product.
* Offline access: better applications do not require an Internet connection to generate codes. This is useful when signing into an account while your mobile has no Internet access.
* Open source: prefer open source authenticators. This assists researchers and developers in finding bugs/issues in the code.
* Password protection: since authenticator applications protect security, it is preferable that they can be locked with a PIN, passcode or similar.
* Biometric lock: depending on your circumstances this might be suitable -- it is then unnecessary to remember a password.
* Backup/restore functions: good software should allow for secure backups of security codes and easy restoration.
* Autofill and autologin: for convenience, some applications can automatically enter TOTP codes and log in to accounts.
* Import entries: some authenticators allow the import of previous entries from another product.
* Export entries: this is useful if switching to another authenticator.
* User interface: this should be simple for setup, use and access.
* Other security options: the ability to change TOTP intervals and code length is useful.
* Desktop application: some software has this option -- a mobile phone is then not necessary for codes.
* Multi-device sync: syncing to laptops, mobiles, PCs etc. is a useful functionality.
* Password manager: some authenticators allow login credentials to also be stored for convenience.
While all of these features are useful, the strongest preference should be given to free and open source products. Therefore, while Google Authenticator is the most popular product on the market, it is non-freedom software and does not have a backup function; it is unrecommended for these reasons. [[keepassxc|KeePassXC]] can be considered as a replacement for Google Authenticator on desktop computers such as Windows, Qubes OS (recommended), Linux (recommended) or macOS. It is also functional in an offline virtual machine (VM). Other possible options are outlined in the table below, although this is not a complete list; proper research should be conducted beforehand.

'''Table:''' ''Authenticator Products Comparison'' https://www.cloudwards.net/best-2fa-apps/ https://kripeshadwani.com/best-2fa-apps/

{| class="wikitable"
|-
! scope="col"| '''Software'''
! scope="col"| '''Pros'''
! scope="col"| '''Cons'''
|-
! scope="row"| [https://authy.com/ Authy]
|
* free
* includes encrypted backups
* supports crypto-wallets
* easy to use / simple interface
* syncs across multiple devices
* can be used on mobile and desktop
* works without an Internet connection
* supports multiple services and password managers
* PIN or fingerprint locks are also available
|
* not open source
|-
! scope="row"| [https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en&gl=US Google Authenticator]
|
* free
* works with most services
* simple import / export functions
* easy to use
* works without an Internet connection
* feature for checking recent account activity
* available on iOS, Android and BlackBerry
|
* not open source
* no syncing between devices
* no backup feature
* no PIN / password lock feature
* lacks various other features
|-
! scope="row"| [https://www.lastpass.com/solutions/authentication LastPass]
|
* free
* encrypted backup support
* push notification verification
* supports TOTP and push-based notifications for various services
* supports backups
|
* not open source
* missing some application features
|-
! scope="row"| [https://play.google.com/store/apps/details?id=com.duosecurity.duomobile&hl=en_IN&gl=US Duo Mobile]
|
* security checkup feature
* supports numerous third-party services (like Facebook, Instagram, Dropbox, 1Password, Amazon etc.)
* encrypted backups
* push notifications
|
* not open source
* no offline feature is available
* limited user interface
* security keys cannot be manually entered
|-
! scope="row"| [https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis&hl=en_IN&gl=US Aegis]
|
* free
* open source
* no Internet connection required
* security features including PIN, password and fingerprint lock
* tap-to-reveal function; this allows the selection of a time interval (between 5-60 seconds) after which the TOTPs are hidden again
* supports HOTP and TOTP methods
* allows imports from other popular authenticator applications
* a simple, easy-to-use interface
* auto-backup and export options
* possible to alter the code length and time step
|
* no sync features are available
|-
! scope="row"| [https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp&hl=en_IN&gl=US FreeOTP]
|
* free
* open source
* simple user interface
* supports TOTP and HOTP
* possible to select the length of the TOTP code and how long it remains active
|
* no security features like PIN, passcode etc. to unlock secure codes
* outdated application -- no updates since 2016
* backups, multi-device sync and other simple functions are unavailable
|-
! scope="row"| [https://www.microsoft.com/en-us/account/authenticator Microsoft Authenticator]
|
* free
* available for Android, iOS and Windows 10 mobiles
* available as a desktop application
* supports passwordless authentication with Microsoft applications
* has an in-built password manager
* supports certificate-based authentication
* supports cloud backups / other backup and restore options
* has a PIN / biometric lock feature
* supports every TOTP service
* sends security notifications if your account is signed in from a new location / device, or if the password is changed
* possible to review recent account activity
* multi-device sync feature
|
* not open source
* no direct export option
* some features require Internet access
|-
|}

== Other Factors ==
As noted in the previous section comparing common authenticator software, TOTP is the most commonly supported protocol; only a handful of free and open source alternatives support HOTP as well. As a reminder, prefer free and open source applications, even though Google dominates the market. Many people mistakenly use the terms Google Authenticator and TOTP interchangeably.

With respect to U2F hardware options that authenticate by using unique hardware tokens, [https://www.nitrokey.com/ Nitrokey] is considered the best option. Nitrokey supports HOTP, TOTP and U2F. It also supports multiple connection options (USB-C, USB-A and Lightning) and can be used with most online services. It is virtually phishing-proof because the tokens are directly bound to the destination website/service. https://www.cloudwards.net/best-2fa-apps/ Other options like [https://www.kensington.com Kensington VeriMark USB] and [https://store.google.com/product/titan_security_key Google Titan Security Key] are unrecommended because they rely upon Windows devices and have limited functionality compared to Nitrokey, such as only supporting U2F and not other protocols; far fewer services support U2F compared to TOTP.
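To make the TOTP/HOTP distinction from the misconceptions table and this section concrete (a time step versus an event counter, no network needed, and why two phones enrolled from the same QR code produce identical codes), the following is an added Python example; it is not code from this page or from any authenticator it names. It implements RFC 4226/6238 generation and a server-side verifier with a small clock-drift window and replay protection; the secret is the RFC test-vector secret used as a constructed sample, and the verifier classes and their parameter names are this example's own.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) generation and verification.

Added example, not code from the original page. Shows why TOTP needs no
network connection (the code is a function of a shared secret and the
clock), how HOTP differs (a counter advanced per use), and how a verifier
accepts a small clock-drift window while refusing replayed codes.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed sample: the RFC 4226 / RFC 6238 SHA-1 test-vector secret. An
# enrolment QR code (otpauth:// URI) carries the same bytes Base32-encoded.
SECRET_BYTES = b"12345678901234567890"
SECRET_BASE32 = base64.b32encode(SECRET_BYTES).decode()


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: Optional[int] = None, step: int = 30,
         digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to floor(time / step). Nothing
    here touches the network; both sides only need the same secret and
    roughly synchronised clocks, which is also why every device enrolled
    from the same QR code yields the same code at the same moment."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, unix_time // step, digits)


def decode_base32_secret(b32: str) -> bytes:
    """Decode a secret as it appears in an otpauth:// QR code: Base32,
    case-insensitive, with padding and spaces often stripped."""
    b32 = b32.strip().replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)
    return base64.b32decode(b32)


class TotpVerifier:
    """Server side (hypothetical helper): accept the current step and the
    +/- `window` neighbouring steps to tolerate clock drift, but never a
    step at or below the last step already used (replay protection)."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6,
                 window: int = 1):
        self.secret, self.step, self.digits = secret, step, digits
        self.window = window
        self.last_step_used = -1

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if candidate <= self.last_step_used:
                continue  # already consumed, or older than a used code
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_step_used = candidate
                return True
        return False


class HotpVerifier:
    """Event-based counterpart (hypothetical helper): the server tracks the
    next expected counter and resynchronises forward by at most
    `look_ahead` events; a code stays valid until a later one is used."""

    def __init__(self, secret: bytes, digits: int = 6, look_ahead: int = 5):
        self.secret, self.digits, self.look_ahead = secret, digits, look_ahead
        self.counter = 0  # next counter value the server expects

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.counter = c + 1  # any skipped codes are now invalid
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test vector: T=59 with a 30 s step is counter 1 -> 287082.
    print("TOTP at T=59:", totp(SECRET_BYTES, 59))
    print("HOTP counters 0..2:", [hotp(SECRET_BYTES, c) for c in range(3)])
```

Running the file prints the RFC test-vector codes; a real deployment would generate a random secret per account instead of the fixed sample above.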
For reasons of practicality, most users will prefer software authenticators relying upon TOTP when accessing real-life, non-anonymous accounts. For instance, bank accounts can be better secured via TOTP generation on multiple, non-anonymous devices such as Android and iPhone devices.

Further reading:

* [[YubiKey]]
* [https://en.wikipedia.org/wiki/WYSIWYS '''''W'''hat '''Y'''ou '''S'''ee '''I'''s '''W'''hat '''Y'''ou '''S'''ign'' (WYSIWYS)]

= Warnings =

== Threat Model ==

'''Table:''' ''2FA Threat Model''

{| class="wikitable"
|-
! scope="col"| '''2FA Protection Level'''
! scope="col"| '''Description'''
|-
! scope="row"| Full protection
| 2FA is effective when:
* A user's email address is compromised because the email provider was hacked or has a rogue employee. In this case the attacker could potentially impersonate the user, or use the password recovery option of external services such as other email services, financial services, (social media) accounts, and so on. However, the attacker would not have the necessary 2FA one-time passwords.
* Users fall victim to [[Social_Engineering|(spear) phishing]], for example when a login password (and maybe even the 2FA code) is sent by email to an attacker. By the time the attacker receives the message, the 2FA code will either be missing (if not sent by the user) or, with luck, already expired.
* Account logins are only protected by weak passwords, because 2FA makes login security stronger.
* [https://en.wikipedia.org/wiki/Shoulder_surfing_%28computer_security%29 Shoulder surfing] leads to disclosure of the password; the password in isolation does not allow logins.
|-
! scope="row"| Partial protection
| 2FA ''might'' work when:
* Password databases of third-party services -- such as banks and cryptocurrency exchanges -- are compromised (because the 2FA database is not compromised by the attacker). In these cases there is still a probability of losing funds, but the risk is lower.
* An email provider is compromised -- for example by a server compromise or a rogue employee -- leading to unauthorized access to the email address, which is often enough to reset passwords. Depending on the third-party service's policies, changing 2FA credentials might not be easy. In these cases, a compromise of the account at the third-party service might still be preventable.
|-
! scope="row"| Ineffective protection
| 2FA is ineffective if:
* The user's device is already infected by [[Malware and Firmware Trojans|malware]]. In that case a trojan horse can simply take over the login session without the user's knowledge.
* Users are tricked into giving up OTP tokens via an [https://krebsonsecurity.com/2021/09/the-rise-of-one-time-password-interception-bots/ OTP Interception Service]:
<blockquote>
OTP Agency customers would enter a target’s phone number and name, and then the service would initiate an automated phone call that alerts that person about unauthorized activity on their account. The call would prompt the target to enter an OTP token generated by their phone’s mobile app (“for authentication purposes”), and that code would then get relayed back to the bad guy customers’ panel at the OTP Agency website.
</blockquote>
or via a [https://www.schneier.com/blog/archives/2005/03/the_failure_of.html MITM] attack.<ref>https://citizenlab.ca/2015/08/iran_two_factor_phishing/</ref>
|-
|}

== Security Issues ==

In general, 2FA increases the difficulty of being hacked and is considered best practice for keeping accounts and systems secure. Users with higher security needs can employ MFA -- three or more authentication factors -- to further decrease the chances of a successful attack.

As noted in the [[#Implementations|Implementations]] section, it is safest to rely on FIDO U2F / physical keys or, if that is unavailable, authenticator applications (TOTP 2FA) or push-based 2FA. All other methods are not recommended.

It is worth reiterating that SMS-based 2FA should be avoided due to the risk of [[Mobile_Phone_Security#SIM_Swapping_Attack|SIM Swap Scams]] and [https://www.vice.com/en/article/y3g8wb/hacker-got-my-texts-16-dollars-sakari-netnumber malicious SMS re-routing], as mentioned on the [[Mobile Phone Security]] wiki page. Although SMS and automated phone calls with one-time codes remain a popular 2FA method, there are many examples of hackers tricking mobile phone carriers into transferring somebody else's phone number to a device they control; they then receive the authentication codes sent to that phone number.

Another related risk is the rise of automated bots that call users and request MFA codes or one-time passwords to "prevent fraud" on various accounts. [https://www.vice.com/en/article/y3vz5k/booming-underground-market-bots-2fa-otp-paypal-amazon-bank-apple-venmo The Booming Underground Market for Bots That Steal Your 2FA Codes]:

<blockquote>
But this call was actually from a hacker. The fraudster used a type of bot that drastically streamlines the process for hackers to trick victims into giving up their multi-factor authentication codes or one-time passwords (OTPs) for all sorts of services, letting them log in or authorize cash transfers. Various bots target Apple Pay, PayPal, Amazon, Coinbase, and a wide range of specific banks. Whereas fooling victims into handing over a login or verification code previously would often involve the hacker directly conversing with the victim, perhaps pretending to be the victim’s bank in a phone call, these increasingly traded bots dramatically lower the barrier of entry for bypassing multi-factor authentication.
</blockquote>
For example, in 2019 the Twitter CEO had his account hacked while using a 2FA method. Around the same time, over 23 million YouTube users utilizing 2FA were hacked because a reverse proxy toolkit was built to intercept 2FA SMS codes. Similarly, the Binance cryptocurrency exchange had its 2FA system compromised and lost tens of millions in the process. These hacks reinforce the risk of SIM swaps for 2FA; hackers use various methods to change a victim's phone number so that subsequent messages or phone calls are redirected to a new phone. All in all, SMS and phone call-based 2FA systems have too many weaknesses to warrant their recommendation.

Historically, other 2FA breaches have resulted from malware compromises. For example, in 2020 an Android authenticator application was discovered to be malware, stealing 2FA codes in the process. TrickBot malware is another example where one-time codes utilized by banking applications (sent via SMS/push notifications) have been intercepted. Finally, social engineering situations can emerge whereby hackers contact targets and pose as the bank or another service, requesting the security code that was just sent to "confirm their identity."

== Anonymity Issues ==

Users risk possible de-anonymization if using the following applications on a non-torified device:

* [https://authy.com/ Authy] requires an Internet connection.
* [https://vip.symantec.com/ Symantec VIP] requires an Internet connection.
* [https://safety.google/authentication/ Google Authenticator] did not use the Internet at the time of writing, but this might change with an (automatic) update.

If anonymity is required, it is strongly recommended to only run 2FA software on non-networked or torified machines.

= Practical 2FA Example =

{{mbox
| type = notice
| image = [[File:Ambox_notice.png|40px|alt=Info]]
| text = A 2FA setup for Discourse and KeePassXC (an open-source password manager) is shown in the following example.
2FA implementations are possible for a wide range of other web services, SSH logins and more.
}}

{{Box|text=
'''1.''' Navigate to Discourse preferences.

[[File:2FA-discourse-prefernces.png|400px]]

'''2.''' Click on Security → Manage Two-Factor Authentication.

[[File:2FA-discourse-security.png|400px]]

'''3.''' Enter your password → click Continue.

[[File:2FA-discourse-enterpassword.png|400px]]

'''4.''' Click on Add Authenticator.

[[File:2FA-discourse-addauth.png|400px]]

'''5.''' Select Enter manually → take a copy of the QR code.

[[File:2FA-discourse-showcode.png|400px]]

'''6.''' Open KeePassXC → right-click on the Discourse account → select Time-based one-time password → Set up TOTP...

[[File:2FA-keepassxc.png|400px]]

'''7.''' Add the QR code in the empty Key field → click OK.

[[File:2FA-keepassxc-addkey.png|400px]]

'''8.''' Select Copy TOTP; new codes are regenerated every 30 seconds.

[[File:2FA-keepassxc-copykey.png|400px]]

'''9.''' Add your username to My Authenticator → add the generated TOTP to Code → click Enable.

[[File:2FA-discourse-addkey.png|400px]]
}}

Readers are welcome to add further practical examples of 2FA to this section.

= Debian Packages =

* [https://packages.debian.org/{{Stable project version based on Debian codename}}/libpam-barada libpam-barada]: Pluggable authentication module (PAM) to provide two-factor authentication based on HMAC-Based One-time Password (HOTP).
* [https://packages.debian.org/{{Stable project version based on Debian codename}}/libpam-google-authenticator libpam-google-authenticator]: The Google Authenticator project has implementations of one-time passcode generators for several mobile platforms, as well as a PAM module. It supports both the HOTP and TOTP algorithms.
* [https://packages.debian.org/{{Stable project version based on Debian codename}}/libpam-blue libpam-blue]: PAM module for local authentication with Bluetooth devices.
* [https://packages.debian.org/{{Stable project version based on Debian codename}}/libpam-oath libpam-oath]: Open AuTHentication (OATH) Toolkit libpam_oath PAM module. The OATH Toolkit has shared libraries, command line tools and a PAM module to enable easy building of one-time password authentication systems.
* [https://packages.debian.org/{{Stable project version based on Debian codename}}/libpam-otpw libpam-otpw]: OTPW for PAM authentication. OTPW is a one-time password system which protects against the password list being stolen and against last-digit attacks.
* [https://packages.debian.org/{{Stable project version based on Debian codename}}/libpam-p11 libpam-p11]: A PAM module for using PKCS#11 smart cards.
* [https://packages.debian.org/{{Stable project version based on Debian codename}}/libpam-poldi libpam-poldi]: A PAM module allowing authentication using an OpenPGP smartcard. This PAM module allows logins, screen lock and service validation using a GnuPG smartcard.
* [https://packages.debian.org/{{Stable project version based on Debian codename}}/libpam-fprintd libpam-fprintd]: A PAM module for fingerprint authentication through fprintd.

See also:

* [https://wiki.debian.org/SecurityManagement/fingerprint%20authentication Debian wiki: Fingerprint authentication]
* YubiKey:
** [https://www.qubes-os.org/doc/yubikey/ Qubes wiki: YubiKey]
** The [https://github.com/QubesOS/qubes-app-yubikey Qubes YubiKey package] for configuring YubiKey login support could be ported to Debian.

= See Also =

* [[Phone_Number_Validation|Phone Number Validation vs User Privacy]]
* [[Mobile Phone Security]]

= Footnotes =

{{reflist|close=1}}

{{Footer}}

[[Category:Documentation]]