Understanding Two-Factor Authentication (2FA)

2FA : The Types, Advantages and Best-Use Scenarios

 

Two-Factor Authentication (2FA) is an essential security measure that adds an extra layer of protection to your online accounts. By requiring two different forms of verification, 2FA significantly reduces the risk of unauthorised access.

However, not all 2FA methods are created equal, and each comes with its own advantages and drawbacks. Below, we explore the most common types of 2FA and make suggestions on where each might best be applied.  We also discuss how 2FA is not a panacea for the security issues that we face today.

 

Email or SMS-Based 2FA

These kinds of 2FA are the simplest to set up.  They work by sending a code to your email account or through SMS.  You enter the code in the application you are using, and if it matches you are logged in.

This form of 2FA is the easiest to use.  Most users are familiar with emails and text messages, so setup and usage are straightforward.  A method of reading email or a basic mobile phone is all you need—no special devices beyond your phone or PC.

There are, however, security vulnerabilities associated with this method.  If an email account is compromised, silently or otherwise, email codes can be intercepted.  Given that most email is not encrypted, anyone in a position to read email traffic can intercept codes.  Users often permit SMS messages to be displayed briefly as a notification, even while the phone is locked, which allows an attacker with the phone in hand to read the code.  In some jurisdictions, SIM swapping attacks present an extra challenge.

For SMS especially, the phone must have a mobile signal, which may limit where this method can be deployed.

Given these limitations, email or SMS 2FA should be reserved for data of low to moderate sensitivity, or for cases where no other method is possible.

 

Time-Based One-Time Passwords (TOTP) via Authenticator App

These authenticator apps (such as Google Authenticator, Microsoft Authenticator, or Authy) generate time-sensitive codes that you enter at login.  They usually work by combining the number of 30-second intervals elapsed since Jan 1, 1970 (the Unix time divided by 30) with a unique secret key shared between the 2FA device and the server.  The result is run through an HMAC built on a hash algorithm (typically SHA1), a few bytes of the output are converted to a decimal number, and that number is truncated to the desired number of digits, e.g. six.
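As an added worked example (this is not code from the original article or from any of the apps it names), the following Go program implements the TOTP computation just described: HMAC-SHA1 over the 30-second step counter, followed by the dynamic truncation that RFC 4226 and RFC 6238 specify. It also includes the server-side check a practitioner needs alongside it: accepting one step of clock skew either side and comparing codes in constant time. The secret shown is the well-known RFC 6238 test-vector secret, used here only so the output can be checked; it is not a real key.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math"
)

// totpCode derives a numeric code from a shared secret and a Unix timestamp
// (RFC 6238 TOTP over RFC 4226 HOTP, HMAC-SHA1, 30-second time steps).
func totpCode(secret []byte, unixTime int64, digits int) string {
	// Number of 30-second intervals since 1970-01-01 (integer division, not rounding).
	step := uint64(unixTime / 30)

	// The counter is the 8-byte big-endian message that gets MACed.
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], step)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil) // 20 bytes for SHA1

	// Dynamic truncation: the low nibble of the last byte picks a 4-byte window,
	// whose top bit is cleared so the value is a positive 31-bit integer.
	offset := h[len(h)-1] & 0x0f
	bin := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff

	// Keep only the requested number of decimal digits, zero-padded.
	code := bin % uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code)
}

// verifyTOTP is the relying-party side: it accepts the code for the current
// step and one step either side (phone and server clocks drift), and compares
// in constant time so response timing reveals nothing about the expected code.
func verifyTOTP(secret []byte, unixTime int64, digits int, candidate string) bool {
	for _, skew := range []int64{-30, 0, 30} {
		expected := totpCode(secret, unixTime+skew, digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(candidate)) == 1 {
			return true
		}
	}
	return false
}

func main() {
	// RFC 6238 Appendix B test secret (constructed example, not a real key).
	secret := []byte("12345678901234567890")
	fmt.Println("8-digit code at T=59:", totpCode(secret, 59, 8))
	fmt.Println("6-digit code at T=59:", totpCode(secret, 59, 6))
	fmt.Println("code from previous step still accepted:", verifyTOTP(secret, 89, 8, "94287082"))
}
```

The skew window is a deliberate trade-off: widening it tolerates more clock drift but lengthens the period in which an intercepted code remains valid, so production verifiers also record the last step accepted for a user and refuse to accept the same step twice.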

This approach is more secure than email or SMS codes: apart from the unique secret key exchanged at setup, no code is sent between the client and server, so interception is not effective.  The codes are not tied to a phone number, so they are resistant to SIM swapping and do not depend on a mobile network.  Multiple accounts may be configured in a single app, and with free authenticator apps available, setup cost is low.

This approach requires installation and configuration of a TOTP app. This also means that if you lose or reset your phone, you will need to restore from backup (if that facility is available) or set up the app again, which requires another form of 2FA.  If the phone is compromised (either by covert screenshots, or by being stolen and unlocked), then the 2FA codes are readable.

Best used by people comfortable with smartphone apps, and those needing more security than Email/SMS 2FA but without specialised hardware (e.g., email accounts, social media, and online banking).

 

Time-Based One-Time Passwords (TOTP) via a hardware token

These devices are small keychain-based devices that generate codes. They are not vulnerable to malware attacks in the way phones are, and are extremely easy to operate.  The secret unique key is difficult to ascertain if the token falls into the wrong hands, but not impossible to retrieve.  These tokens require no internet connection or smartphone, thus allowing their use almost anywhere.

TOTP hardware devices also carry a greater cost for issuing and rotating tokens, replacing faulty tokens, and general device management.  If lost or stolen, they usually have no protection against displaying a code, so the codes are readable by anyone holding the token.

 

Push Notification 2FA

This method also requires an app.  When you log in, the server asks the app on your smartphone to prompt you with an “Approve” or “Deny” option, or to enter a short number that appears on your login device’s screen.

This method is quite user-friendly, involving a quick tap of a button to approve or deny, or the entering of a short code.  It is also immediately apparent to the user that an adversary is trying to use your account, as the app will prompt every time a login attempt is made.  If the app simply asks for an approval, it is even easier to use.

The user must be familiar with phone apps, and this method will not work without an internet connection.  There is also the potential for accidental approval: users might approve a suspicious request without thinking carefully.

This approach is recommended for high-traffic and business environments (e.g., corporate email and collaboration tools), with moderate to high security requirements, where users are comfortable with smartphones and have reliable data connections.

 

Hardware security keys

These devices are often small, and use a protocol such as USB, NFC or Bluetooth to provide cryptographic verification.  They are operated by simply inserting them or tapping on them.

They provide the highest form of security for a single device and are available in certified variants such as FIDO U2F or FIDO2.  They are virtually immune to phishing or adversary-in-the-middle attacks, because the key signs a challenge together with the origin the browser reports, so a signature produced for a look-alike site is useless at the real one.  Once configured they are exceedingly easy to operate, as there is usually nothing to enter manually.  The devices themselves are tamperproof and are difficult to extract data from.
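To make the phishing resistance concrete, here is an added illustration in Go; it is my own simplified model, not the FIDO2/WebAuthn wire format or any vendor's code, and it uses Ed25519 from the standard library as a stand-in for whatever signature scheme a given key implements. The origins bank.example and bank-login.example are constructed for the example. The key signs a hash of the origin the browser reports, a monotonic use counter and the server's challenge; the relying party rebuilds that message from its own origin and the challenge it issued, so a relayed signature, a replayed response or a substituted challenge all fail verification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// SecurityKey models the signing side of a FIDO U2F/FIDO2 key: a private key
// that never leaves the device and a use counter that only ever increases.
type SecurityKey struct {
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey
	counter uint32
}

// NewSecurityKey generates a fresh key pair, as a real key does at registration.
func NewSecurityKey() (*SecurityKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SecurityKey{priv: priv, Pub: pub}, nil
}

// signedData is the message the key actually signs: a hash of the origin the
// browser reports, the use counter, and a hash of the server's challenge.
// Including the origin is what defeats a look-alike site relaying a challenge.
func signedData(origin string, counter uint32, challenge []byte) []byte {
	originHash := sha256.Sum256([]byte(origin))
	challengeHash := sha256.Sum256(challenge)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	msg := make([]byte, 0, len(originHash)+len(ctr)+len(challengeHash))
	msg = append(msg, originHash[:]...)
	msg = append(msg, ctr[:]...)
	msg = append(msg, challengeHash[:]...)
	return msg
}

// Sign is invoked by the browser, which supplies the page origin itself;
// the user is never asked to type it, so they cannot be tricked into it.
func (k *SecurityKey) Sign(origin string, challenge []byte) (sig []byte, counter uint32) {
	k.counter++
	return ed25519.Sign(k.priv, signedData(origin, k.counter, challenge)), k.counter
}

// Verify is the relying-party check. It rebuilds the message from its OWN
// origin and the challenge it issued, and rejects a counter that has not
// advanced past the last one seen (a sign of a cloned key or replayed response).
func Verify(pub ed25519.PublicKey, expectedOrigin string, issuedChallenge []byte,
	lastCounter, counter uint32, sig []byte) bool {
	if counter <= lastCounter {
		return false
	}
	return ed25519.Verify(pub, signedData(expectedOrigin, counter, issuedChallenge), sig)
}

// PhishingRelayFails walks through a relay attempt with constructed origins:
// the real service issues a challenge, a look-alike site forwards it unchanged,
// but the browser tells the key the look-alike origin, so the real service
// cannot verify the resulting signature. Returns true when the relay is rejected.
func PhishingRelayFails() (bool, error) {
	const realOrigin = "https://bank.example"      // constructed
	const lookAlike = "https://bank-login.example" // constructed
	key, err := NewSecurityKey()
	if err != nil {
		return false, err
	}
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false, err
	}
	// Legitimate login: the browser is on the real origin.
	sig, ctr := key.Sign(realOrigin, challenge)
	if !Verify(key.Pub, realOrigin, challenge, 0, ctr, sig) {
		return false, fmt.Errorf("legitimate login unexpectedly rejected")
	}
	// Relayed login: same challenge, but the browser is on the look-alike origin.
	relayedSig, relayedCtr := key.Sign(lookAlike, challenge)
	accepted := Verify(key.Pub, realOrigin, challenge, ctr, relayedCtr, relayedSig)
	return !accepted, nil
}

func main() {
	rejected, err := PhishingRelayFails()
	fmt.Println("relayed signature rejected:", rejected, "error:", err)
}
```

The counter check is the part most often skipped in home-grown verifiers: without it, a captured response for a challenge that is somehow reissued would verify again, and a cloned key would go unnoticed.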

These keys do have purchase, setup and ongoing maintenance costs, however, as is the case with most hardware tokens.  They cannot be backed up, so loss of the key can result in at least temporary loss of authentication to the associated systems.  Compatibility with some software and hardware setups can be an issue too.

These keys are best for high security applications, such as sensitive corporate and government systems access, and financial systems.

 

Biometrics

Biometrics is a broad term that encompasses the physical features of an individual as a security measure. This includes fingerprints, facial recognition and palm vein patterns.  Biometric readers are often incorporated into smart phones and laptops, as well as building access systems.

Biometric 2FA systems are very handy as they are easy to use (as simple as requiring a fingerprint touch), and do not by themselves require remembering a password or code.

The potential for false positives and negatives can be problematic, as biometrics can be highly variable (for example, if a fingerprint has a scar or is dirty).  In addition, fingerprints can sometimes be “lifted” from other objects and used to deceive readers.

The biometric solutions themselves should be designed to be secure and private.  They must be set up in such a way that if they are compromised, they do not expose actual images used to authenticate users, as the users cannot change their biometrics like they can change their passwords.  Well-designed biometric systems make it almost impossible to derive someone’s biometric prints from the data they store, as they use secure hashing to store data. Due diligence is required here on the part of the implementer as well as the user to know which kind of readers are being used.

Biometric readers are often the costliest 2FA systems to purchase, install, and maintain. Care must be taken to choose a well-designed system and maintain it in good working order.

Biometrics are very useful where readers are straightforward to install and maintain, and quick access is required. They work best with another factor (e.g. access card or PIN) to maintain high security.

 

Which 2FA Method Suits Which Scenario?

To summarise the information above, the 2FA solutions can be classified into the following security categories:

  1. General, Low-to-Moderate Risk Accounts
    • Recommendation: SMS or TOTP.
    • Reasoning: Balance of convenience (SMS) and moderate security (TOTP).
  2. Mainstream Personal Use (Email, Social Media, Cloud Storage)
    • Recommendation: TOTP (Authy, Google Authenticator) or Push Notifications.
    • Reasoning: Stronger security than SMS, relatively easy to use.
  3. Business/Enterprise Environments
    • Recommendation: Push Notifications or Hardware Security Keys.
    • Reasoning: Push notifications facilitate quick authentication and easy deployment; hardware keys provide maximum protection for corporate assets.
  4. High-Sensitivity Services (Banking, Highly Confidential Data)
    • Recommendation: Hardware Security Keys combined with TOTP or Biometrics.
    • Reasoning: Critical accounts justify robust layered security. A hardware key offers top-level protection, while TOTP or biometrics add convenience and an additional security layer.

Final Thoughts

2FA enhances security by requiring a second layer of verification, and each method offers a different balance of usability, cost, and security.

Whether you choose the simplicity of SMS or the robust protection of hardware keys, implementing 2FA is an essential step for safeguarding your digital presence. Select the method (or combination of methods) that aligns with your security needs, budget, and user experience expectations.

 

Author: Damian Wernert

 

Further Reading:

What is the Essential 8?
