The worst is none at all.
I’ve long been a proponent of two-factor (2FA) or multi-factor authentication (MFA). Most commonly it means that in addition to “something you know” — your password — you must also be in possession of something specific — often referred to as “something you have”.
When you have a choice, what should you choose?
Let’s compare the options.
Dedicated hardware devices are typically the most secure two-factor authentication alternative, but also possibly the least convenient. Google Authenticator and compatible apps are more commonly supported and more flexible. SMS and voice messaging, as well as email notifications, are all viable alternatives if Google-Authenticator-compatible two-factor isn’t offered. What’s most important is that you use two-factor authentication whenever you can.
YubiKey or similar USB devices
YubiKeys are dedicated hardware devices specifically designed for two-factor authentication.
You associate your YubiKey with your online account when you enable two-factor authentication, typically by inserting the key and pressing the button on it when asked. The association is maintained uniquely and securely through the use of cryptography. YubiKeys cannot[1] be spoofed.
When it comes time to sign in, the site, service, or application prompts you to insert your key into a USB port and press the button again. Information is exchanged proving you are in possession of your second factor, and you can log in.
The YubiKey and devices like it are probably the most secure of currently available two-factor options. They’re also one of the least convenient, because — very much like a physical key — if you don’t have it, you can’t get in. Yes, that’s the point of two-factor, but as we’ll see, there are alternatives that are a little less inconvenient. Unlike the options that follow, YubiKey is something you purchase. (It’s typically between $20 and $50, depending on the model.)
Google Authenticator
Google Authenticator and compatible applications are an option if you have a phone or tablet running Android OS, or have an iPhone or iPad.
Conceptually, the application works much like a physical device. You associate the application with your account by scanning a QR code or entering a key. Then, when you sign into your account, you’re prompted to enter the numeric code being displayed by the application. Entering the number proves you are in possession of your second factor: the device that was associated with the account — your smartphone or tablet.
There are several compatible applications that can be used in place of Google’s Authenticator. Of particular note is Authy, which can be installed on multiple devices and synchronizes your authentication tokens across them. You can use any of the devices on which you have the Authy app installed to provide your two-factor code.
Google-Authenticator-compatible two-factor has become one of the most common approaches used by online services. It’s the most convenient for many people and is extremely secure. It’s what I recommend, and what I use myself when given the option.
SMS Text messaging
Texting uses any device capable of receiving an SMS text message as your second factor. You provide your mobile number to the service when you establish your account. At login time, a text message is sent to your phone containing a code. Your ability to enter that code when requested proves you’re in possession of your second factor: the phone.
Should you lose your phone, you simply replace it and the number is ported to your new device. Future SMS messages, including two-factor authentication codes, automatically arrive at the replacement device.
SMS text messaging is generally secure, but it is subject to a couple of risks. The most common is what’s called “SIM swapping”. This is a social engineering attack where someone calls your mobile provider claiming to be you, and says that you’ve lost the phone. If they successfully impersonate you, your number is transferred to their device, and they start receiving your two-factor (and all other) text messages.
Voice messaging
Voice messaging is rare, but when available is a viable two-factor approach for anyone who doesn’t have a smartphone, tablet, or SMS-capable device.
Just like text messaging, when you attempt to sign in, your phone number of record is called, and an automated voice speaks a multi-digit code. Your ability to enter that code proves you have access to your second factor: the phone at that number.
Email
Many online services require you to have an email address for service-related communication. Many of those, including the email services themselves, allow you to configure an “alternate” email address as well.
When used for two-factor authentication, a message with a code or link is emailed to the specified address. Your ability to enter that code, or click on links within the email, proves you are in possession of your second factor: access to that email account.
Other approaches
There are a variety of additional, less frequently used approaches to two-factor authentication. Some that come to mind include:
- A dedicated device that displays a constantly changing number, much like Google Authenticator.
- Pre-printed lists of codes, each of which can be used once.
- Pre-printed grids of randomized numbers. At login time, you’re requested to enter the number at coordinate X/Y.
I’m sure there are others that I haven’t encountered.
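The pre-printed, use-once code list mentioned above is the same mechanism most services now hand out as "backup codes". This added example (not code from the article) shows the two properties that make such a list safe: the server stores only a salted hash of each code, so a database leak does not expose usable codes, and a code is consumed the moment it is accepted, so it cannot be replayed. The alphabet, code length, count and PBKDF2 iteration count are assumptions chosen for illustration.

```python
"""Single-use backup codes: generate, store only hashes, consume on first successful use."""
import hashlib
import hmac
import secrets
import string
from typing import Iterable, List

# Lowercase letters and digits are easy to read back from paper (assumed choice).
ALPHABET = string.ascii_lowercase + string.digits


def generate_codes(count: int = 10, length: int = 10) -> List[str]:
    """Return `count` random codes drawn with the secrets module (CSPRNG), not random.choice."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(count)]


def _normalize(code: str) -> str:
    """Tolerate the hyphens and capitals a user may type from a printed sheet."""
    return code.strip().lower().replace("-", "").replace(" ", "")


def _hash(code: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Slow, salted hash so leaked rows cannot be turned back into codes cheaply."""
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, iterations)


class BackupCodeStore:
    """What the server keeps: one salt per user and the hashes of codes not yet used."""

    def __init__(self, codes: Iterable[str]):
        self.salt = secrets.token_bytes(16)
        self._unused = {_hash(_normalize(c), self.salt) for c in codes}

    def remaining(self) -> int:
        return len(self._unused)

    def redeem(self, submitted: str) -> bool:
        """Accept the code once; a second presentation of the same code is rejected."""
        candidate = _hash(_normalize(submitted), self.salt)
        for stored in list(self._unused):
            if hmac.compare_digest(stored, candidate):   # constant-time comparison
                self._unused.remove(stored)              # consumed: single use
                return True
        return False


if __name__ == "__main__":
    codes = generate_codes(count=5)
    store = BackupCodeStore(codes)       # only hashes are kept from here on
    print("printed for the user:", codes)
    print("first use accepted:", store.redeem(codes[0]))
    print("replay accepted:", store.redeem(codes[0]))
    print("codes left:", store.remaining())
```

The plaintext list exists only at generation time, when it is shown or printed for the user; afterwards the service can confirm a code but cannot recover it, which is exactly the relationship a password hash has to a password.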
Not an alternative
NOT using two-factor authentication should not be considered an alternative.
Even with flaws (SMS being the most common example), any two-factor authentication is better than not using two-factor at all.
Given that any approach to two-factor authentication adds barriers that attackers must overcome, choosing not to use it is choosing to make it easier to hack your account.
So, let’s finally answer the question: what’s the most “effective”? I’ll define effective as secure and convenient (or least inconvenient). From most effective to least, my answer would be:
1. Google Authenticator for anyone with a smartphone or tablet. I recommend the compatible Authy app specifically, because it allows you to back up your tokens, and makes switching to a new device very easy.
2. YubiKey for anyone needing the extra level of security that only a physical device can provide. This is overkill for most people, hence #2 on my list.
3. SMS text messaging for those who have the ability to receive texts.
4. Email messaging.
5. Voice messaging, if supported.
6. Almost anything other than no two-factor at all.
It’s worth pointing out that not all services support all techniques, so you may need to use something lower on the list than you might like simply because the service you’re using doesn’t support the others.
Footnotes & References
1: I use absolutes (“never”, “cannot”, and so on) because that’s the pragmatic reality. Yes, it might theoretically be possible to reverse-engineer technology or brute-force encryption keys, but the fact is that it would take years, if not centuries, of computing power to stand a chance of success.