• drathvedro · 2 upvotes · 5 months ago

    2FA is good, but SMS is one of the worst options. SMS is interceptable, fakeable, and requires a phone connected to a network, which, by merit of being carried around, is less secure than, say, a PC located at home, behind a closed door, or, even better, a secondary offline PC locked in a safe. TOTP or things like Digipass are a lot better. Actually, after writing the above comment, I went to bully my bank to consider adding TOTP as a 2FA option, and, in the discussion, they admitted that they’ve had state actors tampering with SMS messages before, hence why they’ve added an additional layer of 4-digit PIN codes on auth, which is dumb, but is telling of how secure SMS messages really are.

    • MystikIncarnate@lemmy.ca · 2 upvotes · 5 months ago

      Better than that is certificate based 2FA. FIDO keys like yubikeys are a good example. The challenge goes into the key, the response comes out. The certificate on the key that is used to process the challenge never leaves the device where it is located.

      TOTP is nice in that you can enroll several devices and have backups, something that can be easily solved with FIDO by simply having multiple of them. When the keys go for something like $30 USD and provide some of the best security, there’s no reason not to use them. It’s simply too cheap not to.

      TPM leveraged to use WebAuthn is an up-and-coming technology; similar to FIDO, it uses key-based security and the vault is secured, usually with biometrics integrated into the system. Of course, that’s not exactly portable, so IMO that’s a good option for convenience, and having a pair of FIDO keys, one to carry, one as a backup, is a good secondary/on-the-go option.

      TOTP and similar tech has been around forever. RSA keyfobs have been issued by banks for corporate accounts for a long time, since before SMS authentication was in use. It’s basically mobile TOTP (six digit rotating code every 30s or so) as a standalone device. Banks support (or at least supported) this. Yet, TOTP is basically unheard of from banks or governments, and you can forget about certificate based authentication.

      Bluntly, I have better login security on my email, Twitter, Twitch… even Snapchat accounts than I do with my bank. All are at least TOTP. The problem, I find, with TOTP is that people don’t think about where the information is being stored, so it’s entirely possible they could lock their TOTP behind a login secured by their TOTP. It’s the same thing with password managers. Don’t put either your password manager login or your recovery email account into your password manager. Secure both with something else that doesn’t require either to work. Hardware keys are a good option. I have a few FIDO keys now. I bought the Google Titan key and used it to lock down both my email and password manager. Both my email and password manager have complex, memorable, and most importantly, long, password phrases. Everything else is in my password manager and either secured by its TOTP or, if available, one of my security keys. The Titan is good because when you buy it, you get two. One USB/NFC, and one keyfob style that is USB and Bluetooth. I’ve added a FIDO2 YubiKey 5 for my work accounts and bluntly, I sleep very well knowing my online life is safe.

      The only reason I don’t concern myself about my bank is the long and complex password I use, coupled with the fact that anyone breaking into my accounts will not get anything but sadness from the experience. I know that’s always my reaction looking at my balance.