
Two Factor Authentication (OTP vs U2F vs Biometric)


Relying only on a username and password to log in to your account is not smart. Those credentials can be used by anyone who learns them. Maybe someone at work or school watched you type as you logged in. Maybe a virus on your computer is logging what you type. Anybody could log in to your account once your username and password are exposed. 2FA makes a security code or a physical device necessary on top of your password; that way, a username and password alone are no longer enough to log in to your account.

One Time Password (OTP)

A one-time password (OTP) is a security code that is either emailed to you, texted to your phone number, or generated by an app on your phone. Only you should ever see the security code. Of course, this assumes you aren't handing out your email login and your phone to everyone.

Unlike your username and password, which always stay the same, the security code is always changing. For example, it may change every 30 seconds or every 5 minutes. This has a huge benefit: the peepers at work or school who memorized your login information still can't get in if they try a while later, because the security code will be different.

Not every service supports 2FA, but many modern websites are catching up with good security standards. If you look through your account's security settings, you might find an option that says something like "2FA", "multi-factor authentication", "request security code on login", "two-step verification", or "2SV". Turn it on and follow the instructions given. Facebook, Amazon, Google, Chase bank, and Discord all offer 2FA, so enable it if you use them.

This traditional method of 2FA is not bulletproof. It may help deter run-of-the-mill hackers, but if you're seriously concerned about a determined hacker, consider the following points.

  • If 2FA codes are sent to your phone number, a determined hacker may call the phone company and try to social-engineer them. If successful, they take over your phone number and with it the 2FA codes.
  • If 2FA codes are sent to your email address, a hacker only needs to break into your email account as well. Make sure you enable 2FA for your email account too!
  • If 2FA codes are generated on your phone by an app like Google Authenticator, you scanned a QR code when enabling 2FA. The generated OTP is derived from the secret in that QR code, so a hacker who obtains your QR code can generate your 2FA codes. Thankfully, unless the hacker was watching your screen when you turned on 2FA, getting your QR code isn't easy; they would need access to your phone. They could also try to brute-force the secret, but that would take an absurd number of years with current technology, and by the time that technology arrives there will probably be better security options.
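As an added example (not code from the original post), here is how an authenticator app derives the rotating code from the secret carried in the QR code, and how a server should check it. It assumes the common RFC 6238 defaults (HMAC-SHA1, 6 digits, 30-second steps); the function names are my own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"math"
	"strings"
)

// decodeSecret turns the base32 "secret=" value carried in an otpauth:// QR code into key bytes.
func decodeSecret(b32 string) ([]byte, error) {
	s := strings.ToUpper(strings.TrimRight(b32, "="))
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}
// hotp implements RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation
// of the digest, then the low `digits` decimal digits, zero-padded.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", digits, code%uint32(math.Pow10(digits)))
}
// totp implements RFC 6238: the counter is the number of `period`-second steps since the Unix
// epoch, which is why the displayed code changes every 30 seconds.
func totp(secret []byte, unixTime, period int64, digits int) string {
	return hotp(secret, uint64(unixTime/period), digits)
}
// verifyTOTP is the server side: accept the current 30-second step or one step either side (clock
// drift), compare in constant time, and never accept a step at or before lastUsed, so a code that
// was already submitted (or shoulder-surfed) cannot be replayed. Returns (accepted, new lastUsed).
func verifyTOTP(secret []byte, submitted string, unixTime, lastUsed int64) (bool, int64) {
	now := unixTime / 30
	for _, step := range []int64{now, now - 1, now + 1} {
		if step <= lastUsed {
			continue
		}
		expected := hotp(secret, uint64(step), 6)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(submitted)) == 1 {
			return true, step
		}
	}
	return false, lastUsed
}
```

With the RFC 6238 test secret (base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ) the code at Unix time 59 is 287082, and a second submission of that same code for the same step is refused.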

FIDO U2F

A FIDO U2F hardware key is a physical device. Connect it to your computer or phone and it is read from there. When you try to log in to a website, the website checks that the key is present. The key is most often a USB device, but it comes in other forms: it may connect to your computer over USB, or you can simply hold it next to your phone and it is read with RFID technology, much like tapping your phone at a store with Apple Pay or Google Wallet.

The benefit of a FIDO U2F key is that there is usually only ever one copy of it. That makes it extremely unlikely you'll be hacked as long as you keep the key with you and protected. Just leave it in your wallet or on your keychain. Because the key is not virtual, there is little to nothing a hacker can do about it.

Because a FIDO U2F key is a physical device, you'll need to buy one. You can buy a FIDO-compliant U2F key here. This particular model supports RFID, so you can use it with your phone, and USB, so it can be used with laptops and desktop computers.

A FIDO U2F key is not bulletproof protection either. In the end, it is your computer or phone that sends the information. You're still vulnerable to hackers who have access to your computer, such as through a RAT (remote access trojan). A hacker with access to your computer or network can intercept and record the outgoing data, including your FIDO U2F key's signature. With that information, they can simulate a key and forge requests. The best prevention is to secure your computer.
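As an added Go sketch (not the post's code; the names are hypothetical) of the U2F authentication step from the website's side, assuming the site stored the key's public key and counter at registration: the key signs the site's identity, a user-presence flag, its signature counter and the client data that embeds the site's fresh challenge, and the site verifies that signature and requires the counter to move forward, so a response recorded once is only good for that one challenge and counter.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
)
type device struct { // the authenticator: a per-site P-256 key pair and a signature counter
	priv    *ecdsa.PrivateKey
	counter uint32
}
type registration struct { // what the site stores: the public key and the last counter accepted
	pub         *ecdsa.PublicKey
	lastCounter uint32
}
// newDevice simulates registration: the authenticator mints a fresh key pair for this site.
func newDevice() (*device, *registration, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &device{priv: priv}, &registration{pub: &priv.PublicKey}, nil
}
// signedData is the U2F authentication message: SHA-256(appId) || presence 0x01 || counter || SHA-256(clientData).
func signedData(appID string, counter uint32, clientData []byte) []byte {
	app, cd := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter) // 4-byte big-endian counter
	return append(append(append(app[:], 0x01), ctr[:]...), cd[:]...)
}
// sign is the device side: bump the counter and sign the assembled message with the site's key.
func (d *device) sign(appID string, clientData []byte) ([]byte, uint32, error) {
	d.counter++
	digest := sha256.Sum256(signedData(appID, d.counter, clientData))
	sig, err := ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
	return sig, d.counter, err
}
// verify is the site side: clientData must carry the challenge issued for this login, the counter
// must move strictly forward, and the signature must verify under the registered public key.
func (r *registration) verify(appID string, challenge, clientData, sig []byte, counter uint32) bool {
	digest := sha256.Sum256(signedData(appID, counter, clientData))
	if !bytes.Contains(clientData, challenge) || counter <= r.lastCounter ||
		!ecdsa.VerifyASN1(r.pub, digest[:], sig) {
		return false // stale challenge, replayed or cloned-key counter, or bad signature
	}
	r.lastCounter = counter
	return true
}
```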

Biometrics

You probably use this form of authentication every day. Biometric authentication is everywhere in modern phones: fingerprint scanners, as in Apple's Touch ID; face scanners, as in Apple's Face ID; and eye/iris scanners, as on the Samsung Galaxy S9. Because these phones have the technology built in, apps can readily use it. The Chase bank app and Google Drive, for example, offer it.

The idea of biometric authentication is that only you can authorize authentication. You are the key.

Biometrics are still not bulletproof. Touch ID can be fooled by a forged rubber finger engraved with a fingerprint lifted from things you touch. Face ID can be fooled by 3D-printed heads; a 3D model of your head can be compiled by software given selfie pictures of the target. Even an iris scanner can be fooled by contact lenses. The same problem mentioned for FIDO U2F keys applies as well: a hacker with access to your computer or phone can intercept data received by the sensors and forge requests using it.

Should I worry about the mentioned problems with 2FA?

I mentioned that all of the forms of 2FA have problems. Biometrics can be forged. U2F keys can be forged. Your phone number can be social-engineered away. Now you might be having a tough time deciding which one to pick. Keep in mind that it takes a motivated hacker to go through any of this; it costs effort and time for every individual target. It isn't like fake websites or keylogger software that any random person can stumble into.

If the hypothetical target is the average person, you might be right to think it is paranoid to worry about a hacker intercepting biometric data. Then again, you never know what a person is capable of.

What is the best method of 2FA?

All of the mentioned 2FA forms have flaws. If I had to choose one, I like FIDO U2F physical keys best, and they are what I would recommend most. Notice that my only problem with FIDO U2F keys was hackers who have access to your computer. Such a situation is avoidable: hackers should only have access to your computer if you're careless. Don't download random software or files from the internet. Don't leave your computer or phone unlocked in public places. Use complicated passwords on your devices. Don't plug in random USB devices found on the street.

Summary

Two-factor authentication requires a second credential besides your password when logging in. That second credential may come in the form of temporary security codes, a physical key, or your biometric data.

Two-factor authentication is by no means a perfect solution. All three types mentioned have their problems, some of which are avoidable.