Quite a few high-profile hacks have rocked the digital world in the last five years alone, and some of the most powerful tech giants have seen their fair share of controversy. The response? While ethical hackers are in an eternal race against time to beat their nemesis, users are being encouraged to use strong passwords to reduce the chance of their accounts being compromised. But that’s not enough. More recently, 2FA has emerged as the winner, with more and more companies adopting FIDO standards and letting users add a second layer of sign-in authentication.
Types of 2FA
2FA stands for two-factor authentication: in addition to the user name and password, the user must present a second factor, usually a 6-digit code. That second factor is generated or presented in several ways:
- SMS
- 2FA app
- Security key
There are a few other types too, like fingerprint or retina scans, but they don’t work across apps and sites yet. Basically, whenever a second layer of verification is added to the login, it’s called 2FA. For the purpose of this article, we will focus on these three, which are accessible to all users across a number of sites and apps.
I think SMS is the weakest, and here is why. My credit card was once hacked and about $1000 was stolen, or rather used, within 15 seconds. No OTP was ever received! It is becoming increasingly easy to take over a phone number with a technique called SIM swap: the attacker convinces the carrier to move your number onto a SIM they control, so any OTP sent by SMS lands on the attacker’s smartphone instead of yours.
A 2FA app is more secure because the code is computed on your smartphone from a secret that the site shared with the app at enrollment (that is what the QR code contains), so nothing travels over the phone network. To get in, an attacker needs physical access to your unlocked phone (or a copy of that secret), has to phish the code from you and replay it within its 30-second validity window, or has to steal your session cookie after you have logged in, which bypasses 2FA entirely.
The last one, the security key, is the most secure as it uses a hardware device, like a Yubikey, which works via USB, NFC or Bluetooth to verify your sign-in. The only problem is that security key devices cost money while apps are free. Still, in my opinion, a 2FA app is much better than a password alone. This not-for-profit site maintains an actively updated list of all the sites that support 2FA and in what form. Surprisingly, many prominent banks still don’t support security keys or 2FA apps but rely solely on SMS.
1. Notable 2FA Apps
1. Google Authenticator
It is not the best 2FA app in the world, but it is definitely the best known, thanks to the company behind it and its omnipresence on the web.
Google Authenticator works like any other 2FA app: you scan the site’s QR code with the back camera and enter the 6-digit code it shows to complete enrollment. The first thing that struck me was the lack of app security. This is an important app, yet there is no way to lock it. Sure, I can use a third-party app locker and a pattern lock on the phone itself, but an app this important should come with its own lock.
Another thing is that there is no way to back up the contents or settings of this app when switching phones. I will have to re-scan every site and app, which is a chore, and it has to be done (or 2FA disabled on each account) while I still have the old phone, because once it is gone I can no longer log in to change anything.
The UI is simple and minimalist, like other Google apps which we have come to like and use. There is support for dark theme but it is not true black. It is completely free and ad-free.
- Dark theme
- QR code
- No app lock
- No way to backup
- No Windows or Mac app
2. Authy
Authy picks up where Google Authenticator leaves off. You get the same features and then some. Authy allows you to take encrypted cloud backups of your codes, which makes it very easy to switch devices, something we do all the time these days.
I own two smartphones and one computer. What I do is scan all codes using Google Authenticator on both phones, in case I lose access to one. Authy solves this problem by allowing me to sync all codes across multiple devices, including Windows and Mac.
The UI is beautiful and colorful. I have to scroll a lot in Google Authenticator to find the code I need; Authy makes it easier by showing site logos, which are bigger and easier to find and tap.
There is widget support, but I do not recommend using it. Widgets are easy to spot on the home screen when you are using or sharing your smartphone and might compromise security. Finally, Authy has an option to lock the app, which I greatly appreciate. Overall, Authy does a great job and is completely free to use.
On the downside, Authy asks for your mobile number when you register your account. Authy ties the account to your phone number, while Google Authenticator is tied to the phone itself and your Google account. Earlier, we discussed how a phone number can be hijacked by SIM swapping, whereas getting hold of your phone and unlocking it is considerably harder. This is where Authy loses out: an attacker who takes over your number can start Authy’s registration on a new device, so at minimum set a backups password and turn off Authy’s multi-device option once your own devices are enrolled. Even so, it is less secure than Google Authenticator on this point, and that’s the most important aspect anyway.
- Better UI
- QR code
- App lock
- Backup codes
- Browser support
- Available on Android, iOS, Mac and Windows
- Relies on phone number/SMS to sign in
3. LastPass Authenticator
LastPass made a name for itself as a stellar password manager; however, the company has been in the news lately for being hacked and for patching multiple security vulnerabilities in both the password manager and the 2FA app. Still, it is one of the most popular apps and quite a solid product.
Like Authy, LastPass Authenticator comes with an app lock so that no one can open the app and use the 2FA codes even if they get hold of your phone. You can back up codes, encrypted, to your LastPass account so you can easily switch phones.
What I like about the app is the push notification that lets you sign in to your LastPass account with a single tap. You can see it in action in the screenshot above. The one-tap login works for LastPass only.
- Better UI
- QR code
- App lock
- Backup codes
- Windows support
- No native app for Mac
4. Microsoft Authenticator
Microsoft follows suit and offers a UI with logos for common sites and apps, which makes it easy to spot and use 2FA codes. While you can back up 2FA codes to your Microsoft account from an iOS device, for some reason Android was left behind. Does it mean Android is less secure than iOS? I won’t touch that debate with a 10-foot pole.
Finally, there is an app lock built in so no one can open and use your codes. You can use Microsoft Authenticator without a Microsoft account, and no phone number is required either. Nice.
- Better UI
- QR code
- App lock
- Backup codes (iOS only)
- No backup for Android
2. Notable 2FA Security Key Devices
1. Yubikey
Yubikey has made a name for itself and is as popular in the security key world as Google Authenticator is among 2FA apps. Instead of entering codes generated by an app, you plug in a USB device and touch its gold contact to approve the login. Easy, and it works like a charm.
Phone numbers can be hijacked by SIM swapping, and LastPass has taught us that 2FA apps, though very secure, still aren’t hack-proof: the seeds behind those codes live in software and in whatever cloud backup the app uses. A Yubikey sidesteps both problems because its private key never leaves the device; there is nothing to intercept and nothing to back up or sync.
Yubico offers several security key models that work over USB-A, USB-C and NFC (for smartphones). The keys are waterproof, crush-resistant and dust-resistant. They are FIDO U2F compliant and pricing starts at $27.
2. Google Titan
Google has come up with its own security key, known as Titan. It is FIDO U2F compliant too, but there is a difference: Bluetooth support, which takes some time to set up but lets users authenticate logins wirelessly. There are two models. Both come with USB and NFC, and one also supports Bluetooth.
A Titan chip is also built into Pixel 3 smartphones, which improves Android security. However, the two products are separate: the chip in the phone does not act as a security key, so you can’t use your phone in place of the key to hold 2FA for third-party apps and sites. The Titan security key is available in the US only.
2FA Apps and Security Key Devices
These are some of the best 2FA apps and security key devices available in the market right now. I would recommend Microsoft Authenticator to most users because it supports backups, has a better UI, and is more secure. Google Authenticator is also good. LastPass is recommended for those who use LastPass Password Manager.
If you need a security key instead, I would recommend Yubikey: they are the best, the most user-friendly, and available in a variety of flavors.