Which Form of Two-Factor Authentication Should I Use?

FredOnline · 6 Aug 2016, 03:03 AM

http://www.lifehacker.co.uk/2016/08/...n-should-i-use

mekitron · 22 Aug 2016, 09:38 PM

I like e-mailed codes.

jl66 · 22 Aug 2016, 09:50 PM

An opensource app like freeotp is always the best.

mekitron · 23 Aug 2016, 09:58 AM

Quote:

Originally Posted by jl66

An opensource app like freeotp is always the best.

Testing FreeOTP on my Android 4.4.2 device. I am in love with EMD.

David · 23 Aug 2016, 10:58 AM

I have found that that the best form of 2FA to use is none at all!

When trying to get a local sim card to work, a couple of years ago (we were in the UK) we were forced to use 2FA to receive a code by text message. The text message never arrived and we were screwed (although I always carry a backup phone)

2FA is great when it is the choice of the user. When it is forced on you (and it does not work) it is an abomination.

jl66 · 23 Aug 2016, 04:48 PM

Quote:

Originally Posted by David

I have found that that the best form of 2FA to use is none at all!

When trying to get a local sim card to work, a couple of years ago (we were in the UK) we were forced to use 2FA to receive a code by text message. The text message never arrived and we were screwed (although I always carry a backup phone)

2FA is great when it is the choice of the user. When it is forced on you (and it does not work) it is an abomination.

Well, normally using 2FA makes you save an emergency code if something, as you said, will happen. And using an app I use 2 devices with it, in case 1 of them will not work, and of course the emergency code well hidden.

Tsunami · 1 Sep 2016, 08:52 AM

I would say SMS at first reaction. The idea of an emailed code confuses me ; wouldn't that come down to needing to check a code emailed to mailbox A before you can log in to mailbox B?

Also, if one is really suspicious, a mailbox is a virtual "posession" while a Phone is a physical one. I'd trust that more I think ; isn't the whole point of 2FA to have a code sent through a device no one else can possibly access?

jl66 · 1 Sep 2016, 07:00 PM

Quote:

Originally Posted by Tsunami

I would say SMS at first reaction. The idea of an emailed code confuses me ; wouldn't that come down to needing to check a code emailed to mailbox A before you can log in to mailbox B?

Also, if one is really suspicious, a mailbox is a virtual "posession" while a Phone is a physical one. I'd trust that more I think ; isn't the whole point of 2FA to have a code sent through a device no one else can possibly access?

No. For example: you download an app to your smartphone/tablet that syncronize with your email service and offer you a code every 30 seconds. As many security researches have published, SMS is not secure anymore, the app is more secure (but remember that nothing is 100% secure). If someone wants to hack your email then he/she must hack your password and then your mobile phone. It's also a good idea to protect your apps with a code (for example bitdenfender for android also has this option and it's great and reliable).
Interesting: https://techcrunch.com/2016/07/25/ni...tication-over/

Tsunami · 1 Sep 2016, 08:09 PM

Quote:

Originally Posted by jl66

If someone wants to hack your email then he/she must hack your password and then your mobile phone. ]

But then the same goes for SMS, or am I mistaken?

SMS arrives at your mobile Phone, doesn't it?

In any case, using an SMS for 2FA is still a lot more secure than not having 2FA at all, right? (the majority of people will not even use 2FA, since this is something only the ones savvy about security will be concerned about ... Most of my acquintances wouldn't even know what 2FA means)

If one really wishes to play safe, a token is probably the best bet, but if you have a free account at a provider who offers 2FA (for example Gmail) it would be odd that they'd send you the token with it. And a token, being quite small in size, may be easier lost than a mobile Phone. The problem with 2FA seems exactly that: what you know you cannot lose, what you have can be lost and then you're locked out of your own email account.

jl66 · 2 Sep 2016, 01:33 AM

Quote:

Originally Posted by Tsunami

In any case, using an SMS for 2FA is still a lot more secure than not having 2FA at all, right? (the majority of people will not even use 2FA, since this is something only the ones savvy about security will be concerned about ... Most of my acquintances wouldn't even know what 2FA means)

Or course!, you are right.

6 Aug 2016, 03:03 AM	#1
FredOnline The "e" in e-mail Join Date: Apr 2011 Location: Manchester UK Posts: 2,616	Which Form of Two-Factor Authentication Should I Use? http://www.lifehacker.co.uk/2016/08/...n-should-i-use

22 Aug 2016, 09:38 PM	#2
mekitron Senior Member Join Date: Dec 2014 Location: Central City Posts: 162	I like e-mailed codes.

22 Aug 2016, 09:50 PM	#3
jl66 Essential Contributor Join Date: Oct 2013 Posts: 413	An opensource app like freeotp is always the best.

23 Aug 2016, 10:58 AM	#5
David Ultimate Contributor Join Date: Dec 2001 Location: Canada. Posts: 10,355	I have found that that the best form of 2FA to use is none at all! When trying to get a local sim card to work, a couple of years ago (we were in the UK) we were forced to use 2FA to receive a code by text message. The text message never arrived and we were screwed (although I always carry a backup phone) 2FA is great when it is the choice of the user. When it is forced on you (and it does not work) it is an abomination.

1 Sep 2016, 08:52 AM	#7
Tsunami The "e" in e-mail Join Date: Jun 2004 Location: in between the bright lights and the far unlit unknown Posts: 2,341	I would say SMS at first reaction. The idea of an emailed code confuses me ; wouldn't that come down to needing to check a code emailed to mailbox A before you can log in to mailbox B? Also, if one is really suspicious, a mailbox is a virtual "posession" while a Phone is a physical one. I'd trust that more I think ; isn't the whole point of 2FA to have a code sent through a device no one else can possibly access?