With the growing number of web sites being compromised, it’s still shocking to me that so many web sites don’t offer two-factor authentication (2FA), or some derivative of it. A username and password alone is not good enough. A second factor, something you have that is external to the web site, is a must.
Even on sites that do offer 2FA, the method is often a text message: they SMS a 6-digit code to your cell phone. That channel is hackable. The code can be redirected by a SIM swap at the carrier or by weaknesses in the SS7 signalling network, and because it is just a code you type in, it can also be phished by a fake login page that forwards it to the real site.
From what I have read, the following are the “safer” mechanisms for getting your 2FA code:
- Push notification. So far I have seen three sites which support this. The first is Google, which of course covers Gmail, YouTube, and every other Google web site. I’ve also seen it on Facebook. The third is WordPress. Why don’t all sites use this mechanism? It seems more secure: the approval is tied to a specific registered device rather than to a phone number, so there is no code to intercept or phish. The one caveat is that it only helps if you refuse prompts you didn’t trigger; an attacker who already has your password can keep firing off login attempts until someone taps Approve.
- Email notification. Some web sites, most notably financial ones like banks or insurers, will email you the code. Email avoids the SIM-swap problem, but it is not a strong second factor on its own. Mail is not delivered over HTTPS: the connection from your browser to webmail may be HTTPS, but the message itself hops between mail servers over SMTP, encrypted only when both servers happen to support TLS. More importantly, the inbox is only as secure as its own login; if your mailbox is protected by a password alone, an attacker who gets into it (often via the same reused password) gets the code too.
- YubiKey, a hardware USB dongle. I haven’t used one, but it would seem to be the most secure. In its U2F/FIDO mode there is no code at all: the site sends a challenge, the key signs it together with the site’s origin, and the browser returns the signature. There is nothing for an attacker to intercept and nothing for you to type into a phishing page, and a signature made for a look-alike domain is useless on the real one. The only drawback is the lack of vendors supporting it; the only popular sites I see supporting it are Google and Facebook.
- Third-party authenticator app. The most popular one is Google Authenticator, which I use all the time; you just need to have the app handy. At enrolment the site and the app share a secret (usually via a QR code), and from then on the app computes the 6-digit code from that secret and the current 30-second time window (the TOTP algorithm, RFC 6238). No network is involved, so there is no message to intercept; the code can still be phished, though, since it is typed in like any other.
Now options 1 and 4 require your cell phone. If you lose it or replace it, you no longer have a way to produce your 2FA code, because the authenticator’s secret lives only on that phone. For this reason, these sites give you backup codes: a short list of one-time passwords, each of which works exactly once. The idea is that you store them somewhere outside your cell phone, perhaps a little index card you keep in your wallet, a password manager, or one of your other devices (PC or iPad). Treat the list like a password; anyone holding it can use it as your second factor.
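To make the authenticator-app and backup-code mechanics concrete, here is an added example (my own code, not from the original post or from any of the sites named above). It shows how a TOTP app derives the 6-digit code from the shared secret and the clock (RFC 6238 on top of RFC 4226 HOTP), how a site should verify it with a small clock-skew window and a constant-time compare, and how one-time backup codes can be stored hashed on the server and consumed on first use. The function and class names, the `Example`/`alice@example.com` labels, and the hashing parameters are this example’s own choices; the RFC 6238 test secret is used so the output can be checked against the published test vectors.

```python
# Added example (not from the original post): TOTP code derivation and
# verification (RFC 6238 / RFC 4226) plus a hashed one-time backup-code store.
# All names, labels and parameters below are this example's own assumptions.
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: Optional[float] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of `step`-second
    intervals since the Unix epoch. This is what the phone app computes."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: Optional[float] = None,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step and +/- `window`
    neighbouring steps to tolerate clock skew between phone and server.
    Every candidate is compared in constant time and without short-circuiting,
    so timing does not reveal which step (if any) matched."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // step
    ok = False
    for c in range(counter - window, counter + window + 1):
        ok |= hmac.compare_digest(hotp(secret, c, len(code)), code)
    return ok


def new_secret() -> str:
    """Random 160-bit secret, base32-encoded as authenticator apps expect it."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def otpauth_uri(issuer: str, account: str, secret_b32: str) -> str:
    """The provisioning URI that the enrolment QR code encodes."""
    return (f"otpauth://totp/{issuer}:{account}"
            f"?secret={secret_b32}&issuer={issuer}&digits=6&period=30")


class BackupCodeStore:
    """Server-side store of one-time backup codes. Only salted, stretched
    hashes are kept (the codes are short, so a plain SHA-256 of a leaked
    table could be brute-forced); each code is removed the first time it is
    redeemed, which is what makes it one-time."""

    def __init__(self, codes: List[str], rounds: int = 100_000):
        self._salt = secrets.token_bytes(16)
        self._rounds = rounds
        self._hashes = {self._h(c) for c in codes}

    def _h(self, code: str) -> bytes:
        normalised = code.strip().lower().encode()   # tolerate case/whitespace
        return hashlib.pbkdf2_hmac("sha256", normalised, self._salt, self._rounds)

    @staticmethod
    def generate(n: int = 10) -> List[str]:
        # 10 hex characters = 40 random bits each, independent of the TOTP secret
        return [secrets.token_hex(5) for _ in range(n)]

    def redeem(self, code: str) -> bool:
        h = self._h(code)
        if h in self._hashes:
            self._hashes.remove(h)   # one use only
            return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"      # RFC 6238 SHA-1 test secret
    print(totp(rfc_secret, at_time=59))      # 287082
    s = new_secret()
    print(otpauth_uri("Example", "alice@example.com", s))
    print(totp(base64.b32decode(s)))         # a live code for the new secret
    codes = BackupCodeStore.generate()
    store = BackupCodeStore(codes)
    print(store.redeem(codes[0]), store.redeem(codes[0]), store.remaining())
```

Two design points worth noticing: the verification window is what lets a phone whose clock drifts by a few seconds still log in, and it is also why a server should never accept a window wider than one or two steps. The backup codes are generated independently of the TOTP secret, which is exactly why they still work after the phone, and the secret on it, are gone.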
However, I did find one web site, Amazon, that didn’t even offer backup codes. They do deliver the 2FA code to Google Authenticator, but the backup is a text message to your cell phone. But what if you don’t have your cell phone? That is why 2FA backup codes exist in the first place.
I really wish there were an easier way to enable 2FA on the various sites and apps. It shouldn’t be that difficult.