Best practices for 2FA (two-factor authentication)

2FA (two-factor authentication) is a secondary authentication method that works in conjunction with your username and password to verify that you are the account owner and provide access. Due to the high number of data breaches, repeated passwords, and stolen personal information, 2FA is becoming increasingly prevalent.

2FA may be given in a variety of ways:

Messaging through SMS/email

The service to which you are attempting to connect will send you a text message with a verification number.

Authenticator for software

The service you are attempting to access will need a verification code generated from time to time. Typically, this is Google Authenticator, although some businesses provide their own authenticators (such as Blizzard). This will usually be software loaded onto a smartphone.

Authenticator for hardware

The service to which you are attempting to connect will need you to push a button on a hardware device such as a Yubikey or RSA SecurID.


Certain services may be set up to provide two-factor authentication using biometric information such as a fingerprint or retina scan.

Each system has its own set of strengths and flaws, as well as advantages and disadvantages.

1. 2FA via SMS or phone call:

This is the most commonly used technique for two-factor authentication. This technique verifies the user’s identification by sending a one-time passcode (OTP) to their cellphone number through SMS text messages or phone calls.

Advantages of SMS two-factor authentication are as follows:

  • Simple to implement and simple to utilize.
  • Due to the fact that 2FA is accomplished through SMS, any user may make use of this security feature.

Disadvantages of SMS 2FA include the following:

  • The primary reason for requiring SMS OTP is phone reception (One-Time Password).
  • You are no longer unable to authenticate in the event of device loss or damage.

In rare instances, hostile individuals may be able to clone your sim card and view any verification messages.

2. 2FA via email:

Two Factor Authentication through email is another popular way for users to get access to their online accounts. As with SMS or phone calls, the user receives an OTP or secret code through email to verify their identity. Occasionally, instead of a passcode, simply click on the unique link included in the email that provides access to the account.

Advantages of email two-factor authentication:

  • Simple to use and implement.
  • Compatible with both desktops and smartphones.

Disadvantages of email two-factor authentication:

  • Unlike SMS/phone calls, receiving a 2FA code requires access to the internet.
  • Another issue is email delivery. There is a chance that the email may end up in spam or will be lost due to a server failure.
  • If hackers gain access to your email account, they may potentially gain access to your 2FA-enabled social media accounts.

3. 2FA through software:

Users must install an application on their computer or smartphone to get a 2FA code using this technique. This program creates tokens for the user dynamically and they expire after a short period. Examples of software include Google Authenticator and Blizzard Authenticator.

Advantages of 2FA software include the following:

  • Simple to use and implement.
  • You do not need to wait for a passcode to be sent to you through email or SMS since it is created automatically in the authenticator program.
  • Cross-platform compatibility – some authenticator apps, such as Authy, operate on both smartphones and desktops. Therefore, even if your smartphone is lost, you may still get the 2FA token by using the program on your computer.

Disadvantages of 2FA software:

  • Not accessible to all users due to the need of a smartphone or computer.
  • Anyone who gains access to your phone or computer has the potential to jeopardize your account.

4. 2FA through hardware:

This technique generates a two-factor authentication token using a physical device such as a key fob or dongle. Typically, they are Yubikeys or RSA Keytags. When a Yubikey is plugged in and the button is pressed, a changing time code is shown on the RSA Keytag.

Advantages of hardware 2FA:

  • It’s simple to put into practice.
  • There is no need for an internet connection.
  • The most secure two-factor authentication technique.

Disadvantages of hardware two-factor authentication are as follows:

  • Setup and maintenance are costly.
  • Devices are prone to being misplaced, forgotten, or lost.

5. 2FA using biometrics:

The real user becomes the token in biometric verification. Typically, fingerprints are used as a 2FA token, although retina, voice, and facial recognition may also be used.

Advantages of biometric two-factor authentication are as follows:

  • The most secure two-factor authentication technique.
  • Since you are the token, this approach is very user-friendly.
  • There is no need for an internet connection.

Disadvantages of biometric two-factor authentication:

  • Storing your biometric data on external servers creates privacy concerns.
  • This technique necessitates the use of specialized equipment such as scanners and cameras.

So which two-factor authentication solution is the best?

While biometric two-factor authentication is the most convenient method for consumers, it does have certain drawbacks. For security reasons, a two-factor authenticator like a password should be changeable. However, biometric data cannot be altered. Additionally, biometric data is not secured in the same way that a password is, particularly in the United States and the United Kingdom. This implies that you will not have the same level of legal protection as if you used a password. Other two-factor authentication methods generate passwords that are protected by law (thereby meaning a court order would be needed to access the data in question by law enforcement who are investigating a crime). Since SMS, email, and software authenticators all need access to third-party software, they often demand some level of connection, which is not always available.

As a consequence, the best practice for implementing two-factor authentication is to use a hardware authenticator. The majority of companies that need increased security will use hardware authenticators since they provide the greatest level of protection, with RSA SecurID being the industry standard for high-security sectors such as communications, defense, and military.

To maintain openness, I use a Yubikey as my second-factor authentication whenever feasible and Google Authenticator when a Yubikey is not accessible.

Found this useful? Share with