What do you use for two-factor authentication?

After writing about modern credential management, we would like to get an impression of your usage of 2FA. What do you use for two-factor authentication? Do you use two-factor authentication at all, or even multi-factor authentication?

  • SMS-based one-time password
  • app-based one-time password (e.g. using FreeOTP)
  • token-based one-time password (e.g. using a YubiKey)
  • U2F (Universal 2nd Factor)
  • Others (please write a comment)

I use Authy as my software token for 2-factor authentication. Sure I could use FreeOTP, but I’ll wait until I get a new phone with Android installed.

I am mainly using Bitwarden, because I haven’t found a way to make me actually use my YubiKey so much and I am using some services requiring Authy.

Aegis authenticator for OTP, sms for services where OTP isn’t supported (like my bank).

I want to get a HW key when I have some spare cash.

andOTP - Android OTP Authenticator

I use my password manager to store TOTP secrets when TOTP is the only option available. If U2F is available I’ll set up U2F with Krypton first, and then with one/all of my Yubikeys if multiple keys are supported for a secondary backup.

I am surprised by the low number of answers for SMS in this poll. Many of my accounts like bank and loan companies only offer SMS and no other options. Does everyone else have other options besides SMS on all their accounts?

I don’t actually think any of my accounts are SMS only anymore, no. Honestly though I consider SMS 2FA to be so useless that if it were the only option I’d probably leave it off and just have faith in my password manager. Or delete my account. Maybe that’s misguided, but getting a literal text every time I need to login to something seems so archaic and inconvenient I’ll just deal with a slightly more insecure account.

I know nothing that I need to be secure relies on SMS alone. Either TOTP or U2F.

I use TOTP wherever I can (especially on my social medias and anything related to git). Can’t afford YubiKey. I use Aegis Authenticator now. Still have to use AndOTP because I haven’t migrated everything yet.

I also use KeePassXC’s built-in TOTP. If it allows me, I also use my email as 2FA.

A mix of app-based (Microsoft authenticator) and SMS-based depending on the service since some of them only let you use SMS and others the app.

While I’ve mostly used the one-time password option, I’d prefer to use something like a YubiKey. Saving up money for that! As I’d said on earlier posts, I really need to up my security in general.

Do you think email authentication is any better than text? I had tried TOTP for one service, and I feel silly admitting this, but I could never seem to type in the passcode before it expired! :rofl:

I use TOTP with my password manager so it’s just a matter of + \ on whatever website I’m using to autofill the TOTP code as well. You do get 30 seconds though…
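The 30 seconds mentioned above is the TOTP time step from RFC 6238. The Go program below is an added example (not code from anyone in this thread, nor from KeePassXC, Aegis or any other app named here) that derives the code the way the apps do and shows why a server with the usual one-step tolerance still accepts a code a few seconds after the app shows it rolling over. The secret is the RFC 4226/6238 test secret; the 30-second step, the digit counts and a skew of one step are assumptions that match common defaults.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"strconv"
	"time"
)

// hotp implements RFC 4226: HMAC-SHA1 over the big-endian counter, then
// "dynamic truncation" down to `digits` decimal digits.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0"+strconv.Itoa(digits)+"d", code%mod)
}

// totp implements RFC 6238: the HOTP counter is the number of `step`-second
// intervals elapsed since the Unix epoch, so the code changes every `step` seconds.
func totp(secret []byte, unixTime int64, step int64, digits int) string {
	return hotp(secret, uint64(unixTime/step), digits)
}

// verifyTOTP accepts a code if it matches the current step or any step within
// ±skew steps of it. skew=1 (assumed here; a common server default) is why a code
// typed shortly after the app's countdown hits zero is usually still accepted.
// The comparison is constant-time so the verifier leaks nothing about near-misses.
func verifyTOTP(secret []byte, code string, unixTime int64, step int64, digits int, skew int64) bool {
	current := unixTime / step
	for delta := -skew; delta <= skew; delta++ {
		counter := current + delta
		if counter < 0 {
			continue
		}
		if hmac.Equal([]byte(hotp(secret, uint64(counter), digits)), []byte(code)) {
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 4226/6238 test secret, not a real one
	now := time.Now().Unix()
	fmt.Println("current 6-digit code:", totp(secret, now, 30, 6))
	fmt.Println("seconds until it rolls over:", 30-now%30)
	// RFC 6238 test vector: at T=59 the 8-digit SHA-1 code is 94287082
	fmt.Println("RFC 6238 vector at T=59:", totp(secret, 59, 30, 8))
}
```

The secret must be stored by both sides, which is the structural weakness compared to U2F: anyone who can read the app's or the password manager's database can generate the same codes, and a phishing page that relays the code within the skew window gets in as well.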

Email authentication seems also pretty terrible, I really hate websites that enforce that.

Definitely get a YubiKey! For some reason I have like 12 U2F keys at this point, 5 of which are YubiKey 4s, and they’re fantastic.

I also highly recommend Krypton authenticator for Android or iOS if anyone’s interested. It’s not gonna be as secure as only using YubiKeys in all likelihood, but if you’re currently just using TOTP on your phone anyways it’ll still be more secure than that, because U2F has a number of security benefits over TOTP just inherently. And it’s very nice to use, just sends you a notification you can accept or deny when logging in.
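On the point that U2F is inherently stronger than TOTP: the main reason is that the key signs over a hash of the origin the browser is actually talking to, so an assertion obtained on one site is useless on any other, and a monotonic counter lets the site reject a replayed or cloned assertion. The Go program below is an added illustration, not code from this thread or from Krypton or YubiKey; it models the U2F authentication signed-data layout (application parameter, user-presence byte, counter, challenge parameter) with a P-256 key, and the hostnames and client data are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Authenticator models the hardware key: one key pair per registration
// and a usage counter that only ever increases.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// signedData builds the bytes a U2F authenticator signs during authentication:
// SHA-256(application id) || user-presence byte || counter (big-endian) || SHA-256(client data)
func signedData(appID string, counter uint32, clientData []byte) []byte {
	appParam := sha256.Sum256([]byte(appID))
	chalParam := sha256.Sum256(clientData)
	buf := make([]byte, 0, 32+1+4+32)
	buf = append(buf, appParam[:]...)
	buf = append(buf, 0x01) // user presence confirmed (the button was touched)
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	buf = append(buf, c[:]...)
	buf = append(buf, chalParam[:]...)
	return buf
}

// Assertion is what the key hands back to the browser.
type Assertion struct {
	Counter   uint32
	Signature []byte
}

// Sign runs on the key. The browser, not the web page, supplies appID (the origin
// it is really connected to), so the signature is bound to that origin.
func (a *Authenticator) Sign(appID string, clientData []byte) (Assertion, error) {
	a.counter++
	digest := sha256.Sum256(signedData(appID, a.counter, clientData))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{Counter: a.counter, Signature: sig}, nil
}

// Verify runs on the site. It rebuilds the signed bytes with its OWN app id and
// the challenge it issued, so an assertion made for any other origin fails, and
// a counter that did not advance is treated as a replay or a cloned key.
func Verify(pub *ecdsa.PublicKey, appID string, clientData []byte, a Assertion, lastCounter uint32) bool {
	if a.Counter <= lastCounter {
		return false
	}
	digest := sha256.Sum256(signedData(appID, a.Counter, clientData))
	return ecdsa.VerifyASN1(pub, digest[:], a.Signature)
}

func main() {
	auth, err := NewAuthenticator()
	if err != nil {
		panic(err)
	}
	clientData := []byte(`{"challenge":"constructed-random-challenge"}`) // constructed
	genuine, _ := auth.Sign("https://bank.example", clientData)
	fmt.Println("genuine login verifies:", Verify(&auth.priv.PublicKey, "https://bank.example", clientData, genuine, 0))
	fmt.Println("same assertion replayed:", Verify(&auth.priv.PublicKey, "https://bank.example", clientData, genuine, genuine.Counter))
	other, _ := auth.Sign("https://lookalike.example", clientData)
	fmt.Println("assertion made for another origin:", Verify(&auth.priv.PublicKey, "https://bank.example", clientData, other, 0))
}
```

Nothing here depends on the user reading or typing anything, which is the other practical difference from TOTP: there is no code to be relayed within a time window, and the secret never leaves the key.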

Passwordless authentication with email is pretty bad in my opinion. If they’re going to implement it, they should at least use cryptography (which they don’t usually).

I wrote an article on MFA with foreign accounts (email, SMS, XMPP).

I don’t know how the code is right now (I’m not sure if the latest commits improved the cryptography) but fwiw, the developer for andotp said this two months ago:

I sadly have to admit that the part about the crypto of andOTP being pretty bad is true. This is partially due to the fact that I had absolutely no clue about cryptography and very little coding experience when I forked it. In the beginning I just wanted to add backup functionality but then feature requests kept coming in and it kind of snowballed from there. By the point I had enough experience to actually somewhat know what I was doing the code was already pretty bad, which is why I decided to rewrite everything from scratch rather than trying to fix it. Sadly I currently have basically no time to work on it, so this will have to wait.

Just wanted to explain the bad crypto a bit, now I’m off to download [Aegis] and play with it a bit. I’m glad to see that there are more open source 2FA alternatives emerging.

If you’re using KeePassXC on your computer, it has built-in TOTP so you can just copy & paste (Ctrl + T) really quickly. And I use Aegis on my Android which, if you hit the entry twice, allows you to copy to your clipboard. I imagine other services have similar options. That way you won’t have to run out of time typing it in! :stuck_out_tongue_winking_eye::grinning:

OTP Auth in iOS right now. I’ll be switching to Tofu when I get a new phone.

That’s pretty disconcerting. Thanks for the info.