What are my options for two-factor authentication (2FA)?
Which one should I choose?
Choosing what form of 2FA authentication your website or app needs can be difficult. There are four main types of 2FA
and below is an overview of each to help you make an informed choice.
The simplest and most convenient form of two-factor authentication. Also has the option of receiving one-time password via phone call if end user only has access to a landline.
While newer forms of 2FA are gaining popularity, even the biggest companies still default to SMS verification when resetting passwords (yes, Google, I’m talking about you!).
SMS verification is the ideal solution for verifying users during onboarding and login, verifying phone numbers during checkout, verifying users during low-value transactions.
Companies with a global user base should definitely consider using SMS for 2FA, especially if they have users in developing countries - remember that only
⅓ of the world’s population have a smartphone.
SMS verification has received some bad publicity over the past few years due to its vulnerability. We agree, SMS 2FA is not ideal for every situation. It’s most suitable for
verification during onboarding and during low-value transactions (i.e. fintech, e-commerce), where high-levels of security aren’t as important. Check out the
blog post we wrote on this topic.
Straightforward and easy to use
No setup or app download required
Verified phone number tied to user
Not as secure as other forms
User may not always have cell coverage
User not comfortable giving phone number
Authentication apps have become increasingly popular of the last few years. The underlying technology for this style of 2FA is called Time-Based One Time Password (TOTP).
Authentication apps are a more secure form of two-factor authentication but requires you to download and set up an app, so it’s not suited to every use case.
Does not require cell coverage, just an internet connection
OTP stored on the device itself - it can’t get intercepted or redirected
Difficult to replace if phone gets stolen and you don’t have printed backup codes
Internal clocks can desync between device and service resulting in invalid codes
Physical Authentication Keys
The safest form of two-factor authentication that’s starting to become more popular. A physical authentication key is just a small USB key you put on your keychain. Big companies from the technology
and financial sectors are creating a standard known as U2F. With this form of 2FA, whenever you want to log into your account from a new computer, you’ll have to insert the USB key and press a button on it.
A true physical factor
Safest form of 2FA
Not widely supported yet
Not all browsers support
Costs money to buy USB key
Receive a prompt to one of your devices during login. This prompt will indicate that someone (possibly you) is trying to verify. You can then approve or deny the attempt. Some offerings have an estimated
location for the login attempt to increase security.
Push notifications have three main advantages over authentication apps:
- Acknowledging the prompt is slightly more convenient than typing in a code
- Somewhat more resistant to phishing.
- Downloading an app is not always required.
Some solutions don’t require app download
No input required from user
Allows for quicker login
Requires an internet connection
Network-based - can be hacked