Pros and Cons of two-factor authentication

Two-factor authentication (2FA) and its methods, as well as their pros and cons.

Two-factor authentication (also written '2FA' or 'TFA', and also known as "two-way" authentication) is a security process that validates an identity by means of more than one factor. If the factors are of the same kind, the process is instead a two-step authentication. A good example is the "security questions" that some applications ask and store for password recovery: the password and the answers are both things you know, so they are of the same nature or type.

So, every two-factor authentication is a two-step authentication, but not vice versa.

Need for 2FA

Traditionally, a username and password were enough; with the widespread use of the Internet, they are no longer secure on their own. Pocket devices (mobile phones, tablets) have expanded the attack surface as much as they have become prevalent. The poor password habits of casual users (easy-to-break, easy-to-remember or trivial passwords; the same password reused in several places; passwords never changed for at least a month, and so on) have also made it easier for attackers, hackers or online hijackers to break passwords (for example by brute-forcing) and steal sensitive information, such as access to one's banking portal or email account, which is a nightmare for most Internet users.

Factors

Here are the possible factors of this process:

First factor: username and password combination

Second factor: an additional form of validation, which could be:

- A PIN (Personal Identification Number) or OTP (One-Time Password) sent by Short Messaging Service (SMS) over a mobile phone network, or sent to an authorized email address.
- Push notifications: approve or deny from your mobile phone.
- Biometrics: fingerprints or thumb impressions, retina scanning, face or voice recognition.
- Authentication apps such as Google Authenticator, Authy, Microsoft Authenticator, etc.

Methods for Two-factor Authentication

1. Security Questions:

These are specifically defined questions whose answers must be given if you forget your password; anyone who wants to break into your account by this route must know the answers.

This is quite easy to set up; however, the typical questions can be guessed by someone else who learns your mother's maiden name, pet name, first school name or childhood friend's name, either personally or through social media. It is recommended that you use password-like answers to your security questions.

2. SMS or Email Messages:

This could be a 4- or 6-digit code or some other string sent to your mobile number and/or email address. As long as only you have access to your device, only you will receive the code. It is also instant: it takes a couple of seconds to a few minutes to get the code.

However, the drawback is that you must trust the mobile network company, which could use your number for advertising purposes. It is also possible that no cellular network (or signal) is available at your current location when you need the code.

3. Time-Dependent OTPs:

This method usually employs an authentication app to scan a QR code. The app decodes the QR code and stores the secret it contains on your device; from that secret it generates a code that changes at short, fixed intervals. When you log in, you must enter the code shown at that instant.

This method is independent of the cellular network, since the code is generated on your device, and you do not have to worry about interception as in the SMS case. Certain apps let you use multiple devices in case you are locked out of one. However, your phone needs enough battery to stay powered during authentication (just as for SMS). Also, if a hacker obtains a clone of your secret key, they can generate the codes on their end and circumvent the protection, especially if repeated login attempts are not blocked.

4. Universal 2nd Factor (U2F) Keys:

U2F is an open standard implemented by USB keys, NFC devices and smart cards. To authenticate, you just swipe or touch the card or plug in the USB key.

This is a physical factor, as long as you keep it in strong custody, and registering it with a site makes it phishing-proof. U2F keys are currently one of the most secure 2FA methods. However, they are not widely used, and your device may lack the required USB port or have a different one from the one your key uses. Also, not everyone can afford them, especially the more feature-rich ones (e.g., those with NFC support).

5. Push Notifications:

As the name suggests, the notification is pushed to your mobile device during second-factor authentication, and you just have to approve or decline it.

This requires your device to be handy, and there is a low chance of compromise, since a hacker would need access to your phone to approve the request immediately; there is no code or SMS to capture. However, it is network-dependent: your mobile device must have an active data or WiFi connection for this to work. Care must also be taken to check what a notification is about before approving it.

6. Biometrics (face or voice recognition, fingerprint, and retina scan):

Fingerprint or retina scans and voice or face recognition involve biological characteristics and are called biometrics. Since these are unique to every person, this is the most accurate way to determine that you are actually who you claim to be.

They are extremely difficult to hack without physical interaction (for example, with a fingerprint), and it is not easy for anyone to undergo plastic surgery to match your face. A voice could be adjusted to mimic the victim, as a statement usually needs to be spoken. Replicating a retina is almost impossible. However, compromised biometrics are compromised for life, so they are rarely used for two-factor authentication: you cannot change your fingerprint the way you can change your phone number. Privacy is also a concern for people who do not like sharing fingerprints, face, voice or retina scans with companies. So, using biometrics for everyday apps and services is impossible.

Conclusion

For balance, using time-based one-time passwords with an authentication app is the best option, provided you have kept your backup codes safe. Use an authentication app that supports more than one device.

For convenience, SMS could be the best choice. Though the codes could be intercepted and depend on mobile network reach, they are quick, easy, and better than relying on single-factor authentication (username and password only).

For maximum privacy and security, U2F keys are recommended. You can only be tracked through them if you provide your personal information when using them. However, they are one more thing weighing in your pocket.

If you have a stable network connection and sharp eyes, you can also rely on push notifications.

Do not rely on security questions as a second-factor method. If some site or app requires them, you could provide "incorrect" or indirect answers, or use password-like answers for them. Also, use an online or local password manager to store the answers.
