Privacy Canada is community-supported. We may earn a commission when make a purchase through one of our links. Learn more.

Two-Factor Authentication: Ultimate Guide (2020)


Ludovic Rembert — Last Updated on September 27, 2020

Authentication ImageIt’s really hard to understate how important account security is nowadays, and even with a good password manager, you can’t go wrong with adding another layer of security.

To that effect, 2FA is probably one of the quickest and simplest ways to increase your security with a minimal amount of effort.

Not only that, but you can be as involved as you want to be, all the way from SMS 2FA to keyfob U2F. Regardless of which you go for, 2FA is now becoming commonplace, and being up to date with what it is, how it works and other details is going to be important.

Already some websites and institutions, such as banks, are requiring 2FA as part of having an account. Don’t let yourself be left out in the cold, and inform yourself of the choices you have.

So let’s begin with the most important question . . .

What is Two-Factor Authentication (2FA)

At its core, two-factor authentication relies on the concept of authenticating who you are in multiple ways, also called multi-factor authentication (MFA). Two-factor authentication, or 2FA, only uses two different ways of authentication, usually your login credentials plus a code that is sent to you in a variety of ways.

The idea being here that only you have access to at least one of these, and therefore can make sure nobody else is logging in.

Actually, you probably deal with MFA regularly if you use a credit or debit card. Having the card itself, with the internal chip, is one form of authentication, then you have the PIN that you need to enter to actually access your details.

You also probably get a report of some sort if you withdraw money from the account, although that’s not a form of MFA, it does help you make sure everything that happens on your account is legitimate.

Why Should I Use 2FA?

Two step authentication illustrationIn short, it adds an extra layer of security to your accounts that you absolutely need. That being said, we don’t necessarily suggest you add 2FA to every single one of your accounts, even if it’s available.

Instead you might want to focus on the really important accounts that you have, such as your bank accounts, emails, and maybe your social media.

Anything where a breach could have a massive impact on your life should have 2FA.

We can’t stress enough the importance of using 2FA with your email, since that’s usually where any reset code for passwords go, and is the linchpin to your privacy and security.

Not only that, but we’d probably suggest you switch to a secure email for resetting passwords, along with the 2FA. This may sound alarmist but we assure you that a breach of your email is a massive problem.

If you’re wondering if a specific site supports 2FA, there’s actually a handy website which tracks all that called twofactorauth you can checkout.

How Does 2FA Work?

2FA works very simply, in that it requires you to input some form of code that is provided to you. This is usually referred to as a ‘Timed-One-Time-Password’ or TOTP, and is essentially a token that is sent to you as the user to input when you log in.

This is known as a software token, and there are hardware tokens that come in the form of keyfobs, more on that later.

Before being sent the TOTP though, you generally have to tie the account you want 2FA on with an authenticator. In this case we are using a software one, and can be anything from Google Authenticator to Authy, but more on that in a bit.

Once you have your authenticator, you tie it with your account, usually using a QR code, which creates a specific secret key that the authenticator uses.

From then on any time you log in a request is sent to your authenticator app using that secret key. That secret key is then verified by your authenticator, before using an encrypted hash function to generate a code, usually a 6-character alphanumeric one.

Once you input that code into the site you are logging in, that site compares the code you filled in, and the one sent to it by the authenticator app, and makes sure they’re the same. If both codes are the same and everything checks out, you get logged in!

What are the Different ‘Types’ of 2FA?

There are actually several ways that you can authenticate through 2FA, aside from an authenticator app, although we’ll cover that too.

SMS 2FA

Types of authenticationThe simplest and most popular method of 2FA, SMS is incredibly easy to implement for most sites and actually works really well for most use-cases.

The truth is, not everyone has a smartphone that can install an authenticator app, or even has a smartphone.

Going through a text-based solution means that anybody with any kind of phone can use the 2FA, which is great.

It actually works in a very similar way to an authenticator app, except that instead of reading a QR code, you provide the site with your number. Every time you log in from then on you’ll get an SMS code for 2FA.

If you’ve been following along though, you’ve probably noticed a few considerable problems with this.

“Required Mobile Number” issue

First off, it requires you to provide your mobile number to a website, which some people may not be comfortable with. Even worse is the fact that some unscrupulous sites may actually use your number for more than 2FA, such as targeted marketing, or worse, selling it off to a third party.

Basically, your number is out in the public sphere from then on as far as you’re concerned.

“Lost Phone” issue

Another big issue is that if you lose your phone, then anybody can just take the sim out, put it in a new phone, and have access to any authentication codes sent to you, including ones for resetting passwords.

You don’t even need to lose your phone for that to happen, as some hacker do attempt phone number takeovers using social engineering on your telecommunications provider.

Even ignoring the malicious aspects, SMS 2FA doesn’t work if you don’t have access to the network, either because you’re in an area with a spotted mobile network, or maybe if you’re traveling abroad.

As you can see SMS 2FA is not an ideal solution.

Authenticator App

We have gone over the basics of the authenticator app, which should give a general idea of how it works.

There are actually a ton of different authenticator apps, with the previously mentioned Google Authenticator and Authy being two of the most well-known ones.Two-Factor Authentication

There is also FreeOTP (OTP standing for ‘one-time-password’) that is completely free and can be used on a desktop too, which is pretty great.

The great thing about this type of 2FA is that it’s not tied to your phone number, so even if your sim or number gets stolen, or you don’t have access to a mobile network, you can still use 2FA.

Since the key and code is stored in your phone, and there’s a new password generated regularly using the time on your phone, you don’t even need a wifi connection to get this technology working.

Of course, there are downsides here too, which is primarily that if your phone dies or gets stolen, you’re out of luck.

“Lost QR Code” issue

The bigger issue though is if you don’t save a printed copy of the QR image or the code, you can lose access completely, so there’s no chance of getting the account back.

At least with SMS 2FA you can transfer your number over to a new phone and get the codes there and you’re set. This is actually one of the reasons a lot of sites encourage adding SMS 2FA.

There is also having to constantly unlock your phone to log in, but that shouldn’t really factor in unless you’re constantly logging into accounts.

Push-Based 2FA

Two steps authenticationIf you’ve heard of push-notifications, then you probably already have a good idea of how 2FA works.

By providing a prompt on your phone through a push-notification, it makes life a bit easier than having to completely unlock your phone and enter the app. All you need to do is approve the prompt and you’re set.

One other nice thing is that it helps avoid Phishing attempts that might be common with SMS or code authentication. Truth is, if somebody can get their hands on that, they just need to pass the code along and they’ll have access.

Since the push-notification doesn’t include a code simple a ‘yes I want to allow access’ sort of prompt, there’s no chance of somebody getting their hands on a code.

There are of course downsides

The primary one is that you do need to have access to the internet in some way, either through a mobile network or WiFi. The second issue is that this isn’t usually something that is standard throughout authentication apps, and you might need to individually download company’s apps to get access to push-based 2FA.

Finally, this system doesn’t work at all with non-smartphones, so it’s harder to apply across the board.

Security Keys & FIDO U2F

So far we’ve mostly been looking at software based 2FA, but there is a form of 2FA that is hardware based. The most modern version is something called Universal two factor authentication or U2F. These keyfob-like devices use either USB, NFC or BlueTooth Low Energy (BTLE) and require you to plug the fob into the PC to get the authentication.

In terms of security, this is an upgrade to the push-based 2FA, although it does work in a similar manner that doesn’t require a code. Once the keyfob has been tied to a site, it will actually check the website to make sure that it is the correct one that it’s connecting to.

Not only that, but each site has its own unique identifier for your keyfob, so even if one key somehow gets cracked, you don’t lose security across the board.

Downsides

Of course, there are certain downsides, the first of which being that this isn’t a common standard and therefore doesn’t have universal support. Really, only Chrome supports U2F at the moment, although Firefox is working on it as well, and we hope some secure browsers do as well.

Also, the W3C, which is the body that standardizes and regulates the internet, is also working on standardizing U2F so it can be universally applied in the future.

The other big issue is that so far, all the software-based stuff we’ve talked about is free, whereas this keyfob costs money, anywhere betsen $10-$20. It’s not much but it isn’t free, so there’s that. Another issue is that a lot of smartphones also don’t necessarily support these keyfobs over NFC and BTLE.

In fact, Apple doesn’t even allow any kind of interfacing with NFC, so iOS devices are relegated to only using BTLE.

Ultimately, U2F through security keyfobs are the best you’re gonna get in terms of security, but they will cost you money, and they are rather inconvenient. Not to mention that you will have to make sure any keyfob you get is supported by both the browser you use and the smartphone you have.

That being said, we wouldn’t consider it a dealbreaker for something that is both phishing proof and excellent in terms of security and privacy.

Backup Codes

Security codeWhile not a main form of 2FA this often exists as a backup. Oftentimes it will take the form of 10 codes you are given by the site that are sort of hard-wired into the authentication.

This allows you to use them when you aren’t around your phone or network, or just can’t get access to any form of 2FA.

Conclusion

As you can see, there are a myriad of different ways to approach 2FA, depending on the device you have and the resources you want to put into it. Aside from adding 2FA, you can also increase your security by always using VPN if you can, as it adds yet another layer of security and nowadays you can’t have enough of it.

Seriously, everything is online, keeping your account and information safe is not a joke!