In a recent article, How to create and manage strong passwords, I demonstrated how using mnemonics to remember complex passwords or adopting a bitwarden can be used to improve your digital security, and make you a much more difficult target for potential hackers. It is, however, possible to protect your online digital interactions even further, by using Multi-factor authentication (MFA) to add extra layers of security when logging into systems.

Multi-factor Authentication

Rather than using a single method of authentication such as a password, multi-factor authentication requires a user to present two or more pieces of evidence (factors) when logging in or using a device or system. The factors most commonly used are knowledge, possession and inherence, simply put: something a user knows (password), something they have (security token), or something they are (biometric e.g. fingerprint or facial recognition).

This layered approach to security provides the system with increased confidence that the user requesting access is actually who they claim to be. Plus, security is also increased since it is now more difficult for an unauthorised person to gain access to a target system or device. Even if one factor was compromised (e.g. a password was guessed), the attacker would still need to provide another factor, such as a security token, to gain access.

Common factors used for authentication can be broadly grouped into five categories, with the first three below being the most widely used:

  • Knowledge: password or answer to a secret question
  • Possession: security token or hardware key
  • Inherence: any biometric trait such as iris, retina, fingerprint, facial recognition, hand geometry or earlobe geometry
  • Location: current location confirmed when logging into system using a smartphone GPS capabilities
  • Time: current time can be used to prevent online fraud. For example, an ATM card couldn’t be used in Scotland, and then 15 minutes later in Canada.

Two-factor Authentication (2FA)

Two-factor authentication (2FA) is a subset of multi-factor authentication which uses a combination of two different factors to confirm a users identity.

You probably use a variation of 2FA daily without even realising it. For example, when you withdraw money from an ATM you are required to provide two pieces of evidence (factors). Something you know (pin number) and something you possess (bank card). Alternatively, you may have used 2FA when you logged into your email account from a new device. If the website does not recognise the device you are using to login, you are often asked to confirm your identity by entering a one-time code, which is sent via text message to your phone. These are both forms of two-factor authentication.

Many of the online platforms that you use daily, such as Gmail , Facebook , Twitter etc, now offer some form of 2FA, with something you know (password) combined with something you have (e.g. security code), the most common combination used.

For each of these services, the something you know, will be your normal password you use to login. The something you have, will normally be a security code which can be commonly generated in three ways (from most secure to least secure):

Hardware Key

A hardware key, such as a YubiKey is a small device which plugs into your computer or phone, and is used as a second factor to confirm who you are. When logging into a website, you enter your password as normal, and when prompted simply touch the sensor on the hardware key. The key then sends a code to the website to confirm your identity, and if successful, you are granted access to the website.

Yubikey hardware key supports many platforms such as: AWS, Basecamp, Bitwarden, Blogger, Brave, dropbox, Electronic Arts, Epic Games, Facebook, Fastmail, Github, Google,, Instagram, KeePass, LastPass, macOS, Microsoft, Nintendo, ProtonMail, Reddit, SquareSpace, Trello, Twitter, YouTub.

The obvious omission from the list is banking. These are probably the online interactions you would like to secure most, however, surprisingly the sector is lagging behind.

Other examples of hardware keys include OnlyKey .

Software Token

A software token uses an app to generate a security code which can be used as a second factor to confirm your identity. When logging into a website you enter your password as normal, and when prompted, enter a six digit code generated by an authentication app such as Authy . The generated code is only valid for a limited time (normally 30 seconds) so during this time window the website checks the code you supplied against the code on the app, and if the code match you are granted access to the website.

From March 2020, regulations were due to force banks to introduce a form of 2FA for every login. However, the timeline for implementation is likely to be delayed due to the current global pandemic. Many banks will likely not opt for software tokens, instead using the least secure method of 2FA: One time passwords (OTP) sent via SMS.

Other examples include Google Authenticator and FreeOTP (open source).

SMS Text

Some services only support 2FA using SMS text messages which can be used as a second factor to confirm your identity. When logging into a website you enter your password as normal, and when prompted, enter a security code generated by the website, which is sent to your mobile phone via SMS text message. This method of generating a security code is sometimes used as a backup authentication method, should a hardware key or software token be unavailable.

Biometric Security

The third most common factor used for authentication is inherence (something you are). Most mobile phone providers have now implemented some form of biometric security into their devices. However, while fingerprint scanning and facial recognition can provide a convenient, unique and user-friendly way to authenticate users, debate still exits whether they provide a true security enhancement.

In terms of pure entropy , biometric security (found in smartphones) can generate stronger security keys than a bad password. However, you leave biometric data everywhere, everyday. It is unique but not secret (like a password). Given enough time, hackers have shown that it is possible to fool authentication systems with faked biometric data, as demonstrated in 2013 when german hacking team (Chaos Computer Club) managed to break Apple’s Touch ID within 24 hours of it being launched. To make matters worse, a hacker may not even need physical access to your device to create a copy of your biometric data. Jan Krissler, known in hacker circles as Starbug, demonstrated how simple close-range photos of a german ministers hand could be used to reverse engineer her fingerprint .

In 2017, Apple were applauded for transitioning from fingerprint to facial recognition for user authentication. Indeed, Face ID is among the most secure facial recognition systems available for consumer smartphones. However, Face ID suffers from the same problem as fingerprints, your face is not secret. Your iPhone is not the only device that can scan your face, hundreds of cameras do it everyday without your consent. In 2018, Taylor Swift used this to her advantage to identify a stalker. She setup a video kiosk and showed video footage of her rehearsals to fans at her concert. While unknowing fans watched the video, facial recognition was used to cross reference their faces with a database of known stalkers, and identify her stalker. Since then, hackers and researchers have also now managed to bypass Apple’s Face ID by creating copies of biometric data that was ‘good enough’ to fool the system.

It is safe to say, that in the age of social media and surveillance cameras, your face is virtually everywhere and stored in data centres across the globe. Hopefully, your biometric data is safe, however, biometric data breaches have already been reported involving banks, UK Police and defence firms . Airlines have also been targeted, since they collect a lot of biometric data, and are seen as soft targets. While data breaches are not just an issue for biometrics, with passwords also being commonly leaked, there is a big difference. If a password to one of your accounts is compromised, you can simply create a new one and update your account. By contrast, once your biometric data is compromised it effects all your accounts at once, and could have serious repercussions for the rest of your life.

For now, while enterprise level biometric systems can improve corporate security, consumer grade biometric authentication is more of a convenience measure than a security enhancement, something german hacker, Frank Rieger believes:

It is plain stupid to use something that you can´t change and that you leave everywhere every day as a security token - Frank Rieger (CCC)


Disclaimer: The advice I am about to share is specifically targeted to subscribers of my mailing list, although it is probably applicable more broadly. I regularly poll my mailing list and respond to their questions regarding their digital habits. If you would like to receive the right advice for you, join the mailing list .

General Tips:

  • Implement 2FA in conjunction with using a Password Manager for all your online interactions
  • Use the most secure method of two-factor authentication available for each online interaction
  • SMS text message should be avoided as the main method of 2FA, since codes will not be encrypted. Use SMS 2FA only when a hardware key or software token are not supported.
  • Have a backup method in case you loose access to an account which is setup to use 2FA. Most services that allow 2FA will provide you with some OTP (one time passwords) when you setup your account with 2fa. For example, Protonmail will give you ten OTP which you can use once, if you are not be able to log in due to a lost hardware key or non functioning authentication app. It is advisable to store these OTP securely, in either the notes field of your Password Manager or on your local hard drive inside an encrypted folder.
  • Use biometric authentication only if you must, and use it cautiously.

Regular risk/skill level (most people): use a software token generated by an app

  • It will provide a second authentication method which is secure and convenient.
  • Will synchronise across your devices (PC \ Mobile \ Tablet).

I recommend Authy . While it isn’t open source, the risk to privacy is fairly low. The only data being synced online is random security keys not personal data.

Increased risk/Advanced skill level: use a hardware key where possible and an open source software token when needed

  • A hardware key will provide the most secure 2FA, although will require more effort to setup
  • This option is going to be less convenient, especially if you are not at your main computer.
  • Many websites do not support hardware keys, so a software token will also be required.
  • No syncing across devices so your data is not stored online.

I recommend YubiKey and FreeOTP or AndOTP . Both software tokens are open source and a little fiddly to setup, but provide the best alternative to a hardware key.

Implementing 2FA in conjunction with using a Password Manager for all your online interactions, is going to drastically improve your digital security.

Using multi-factor authentication contributes to the ‘Protect‘ strategy of my Digital Balance philosophy, which encourages us to:

refine our digital interactions so they continue to support the goals and activities we want to pursue but minimise our exposure to risk and unhealthy relationships with technology

To learn more about the philosophy , and how you can apply the three strategies Compartmentalise, Protect, and Refine to achieve the right balance in your digital interactions, download a copy of my free ebook .