July 11, 2024
Two-factor authentication, or 2FA, is often used to improve the security of online services. Several methods exist: text messages over SMS, authenticator apps, email links, or pressing “confirm” in a separate app. But did you know that some of them are less secure than others? So which one should you choose, given a choice?
Which Second Factor Authentication Method is Best?
Each of the methods presented above has its own pros and cons. Let’s look at what technology each 2FA method uses and who has access to the message on the way, because the key to judging its security is to check which parts of the communication channel are actually secure.
- Text Message based Authentication (SMS)
  Channel: Sending party → Third-party text message service → Telco provider(s) → Cell tower → Phone
  The sending companies often rely on a third party to send out text messages, so that third party has real-time access to the code. Text messages themselves are not encrypted, so the telcos (several of them when antennas are shared) also have access to it. Finally, there are known attacks for intercepting text messages over the air, so the security of the message from the tower to your phone is also questionable. The sending party also does not usually get a delivery confirmation of the message.
- Internet-based Messaging Services (Telegram, Signal, iMessage, WhatsApp, …)
  Channel: Sending party → Messaging service → Smartphone
  Sending messages is typically straightforward over a (fairly well) encrypted connection through the internet. If the messaging service employs end-to-end encryption, it won’t even have access to the message itself, a huge increase in privacy over using cell service. End-to-end encryption is offered by Signal and WhatsApp by default (WhatsApp and other major US companies likely with interception means available to state actors) and by Telegram optionally. Delivery confirmations of the message are usually also available.
- Authenticator Apps (e.g., Google Authenticator, Microsoft Authenticator, …)
  Channel: Offline
  A secret shared key is established when setting up the authenticator. After this, no more communication is required; typically only the system clocks of the server and the device have to match up.
- Hardware Tokens (e.g., YubiKey)
  Channel: Sending party → Smartphone → Hardware key
  The procedure is typically very secure over the internet, with close-to-zero interception possibilities.
- Push Notifications (e.g., Google “Press yes on a device”)
  Channel: Sending party → Messaging service → Smartphone
  The procedure is as secure as the internet-based messaging service but requires the user to install a separate app; in exchange it is more convenient, since no code has to be typed back.
- Pre-printed One Time Password (OTP) List
  Channel: Sending party → (Printing service → Postal service →) User
  Generally not available anymore, but included in the overview since it is the only 2FA method that does not rely on a device. You are sent a sheet of paper, or print it out yourself, with a list of codes. Every time you access the service, you use and cross out the password at the given index in the table. If the sheet cannot be printed by you but is sent by mail, the transfer is unencrypted and only as trusted as your mail delivery service. It then also requires a physical address rather than a phone number.
General Recommendation
For a regular office worker with some but limited IT knowledge, authenticator apps provide a good balance of security, ease of use, and cost-effectiveness. These apps are generally straightforward to set up with step-by-step instructions provided during the setup process. Once configured, they offer a more secure method compared to SMS and do not rely on physical devices that can be lost or forgotten, unlike hardware tokens.
Tabular Overview
All options’ pros and cons at a glance
| Method | Ease of Use | Security Level | Cost | Device Dependency | Offline Capability | Requires Phone Number |
|---|---|---|---|---|---|---|
| SMS-based | High | Low | Low | Moderate (phone) | No | Yes |
| Internet-based Messaging Services | Moderate-High | High | Free | Moderate (smartphone) | No | Yes |
| Authenticator Apps | Moderate | High | Free | Moderate (smartphone) | Yes | No |
| Hardware Tokens | Low | Very High | High | High (hardware key and phone/computer) | Yes | No |
| Push Notifications | High | High | Free to Low | Moderate (smartphone) | No | No |
| Pre-printed OTP List | High | High | Low to Moderate | None | Yes | No |
Do you offer an online service and are not sure if you need 2FA or which method suits your users and needs best? Contact us today.