2FA Protection – The Good, The Bad & The Fugly

2FA Security

2FA, or two-factor authentication to give it its full name, is an important tool in protecting your online life against hackers, scammers and phishing attempts. As well as your username and password, 2FA adds a further step: a code from an app on your mobile device or from a USB security key before you can log in. Not all sites support 2FA, but most email services do, and that is a good place to start, because a hacker with access to your email can cause havoc. However, 2FA is not foolproof, and there are a number of ways a determined hacker can bypass it.

The most common is a SIM-swapping attack, where a criminal convinces your mobile provider to issue them a SIM card in your name and with your mobile number, so that they receive all the 2FA codes that websites send to you. For the same reason, most security experts advise against using codes sent to your mobile device by SMS, as it is possible for the SMS to be intercepted.

2FA comes in software and hardware forms. The hardware side is generally associated with YubiKey, a market leader in USB 2FA devices. YubiKey and similar devices are designed to eliminate account takeovers by providing strong phishing defence, with multi-protocol support that can secure both legacy and modern systems. Authentication choices include strong two-factor, multi-factor and passwordless authentication, and seamless touch-to-sign.

USB security keys do not come cheap, which is why most people content themselves with software. This involves installing a 2FA app on a mobile device; the app generates a code that changes after a set period, normally 30 seconds. When you log into a website or service you enter your username, your password and then the code currently shown by the app.

If you search for 2FA apps online you will find there are dozens, but the top three are Google Authenticator, Microsoft Authenticator and Authy. I use Aegis for reasons I will explain later.

Google Authenticator doesn’t get a good rating on the Google Play Store, just 3.8 out of five, so there is room for improvement. The main complaint is that if your phone breaks, for whatever reason, it is nigh on impossible to transfer the old codes to a new device. Also, Google is well known for data harvesting, so why would you trust the company with such sensitive information?

Microsoft Authenticator fares a little better with a score of 4.6, but there are some seriously bad reviews, such as this one: “Constantly have to sign in multiple times daily. Don’t see this window again and stay logged in for 14 days are lies. A complete hassle. Get your life together, Microsoft. Uninstalled itself from my phone, now can’t log back in without the authenticator. This app is complete garbage.”

Authy bills itself as the best-rated 2FA app and it is one of the market leaders. Because the company sells its product to corporate users, this funds the free-to-use app on Windows, macOS, iOS, Android and Linux. Setting up services, as with other apps, is done by scanning a QR code. For added security, you can enable a backup process that encrypts your data and stores it in the Authy cloud. Authy is also protected by a password, but if you cannot remember it, your data is locked forever.

Aegis is only available for Android and is one of the most secure 2FA apps available. Setting up 2FA tokens is easy through QR code capture. So far, so normal. Where Aegis scores for me, however, is that it can be password protected, which encrypts your vault. Access is then through your chosen password or via biometric sensors such as fingerprint or face unlock.
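The QR code that Authy, Aegis and the other apps scan encodes an `otpauth://` provisioning URI (the Key URI format popularised by Google Authenticator) carrying the account label, the base32 secret and optional parameters. The parser below is an added example, not code from the original article or from any of these apps: it extracts those fields, applies the standard defaults (SHA1, 6 digits, 30-second period) and rejects URIs an app should refuse, such as a missing or malformed secret or an unsupported hash algorithm. The URIs used in the usage block are constructed for this example.

```python
import base64
import binascii
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

SUPPORTED_ALGORITHMS = {"SHA1", "SHA256", "SHA512"}


@dataclass
class OtpParams:
    kind: str              # "totp" or "hotp"
    issuer: str
    account: str
    secret: bytes          # decoded key material
    algorithm: str
    digits: int
    period: Optional[int]  # TOTP only
    counter: Optional[int] # HOTP only


def parse_otpauth(uri: str) -> OtpParams:
    """Parse an otpauth:// URI of the form
    otpauth://TYPE/LABEL?secret=BASE32&issuer=...&algorithm=...&digits=...&period=...
    raising ValueError for anything an authenticator app should refuse to enrol."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth":
        raise ValueError("not an otpauth URI")
    kind = parsed.netloc.lower()
    if kind not in ("totp", "hotp"):
        raise ValueError(f"unsupported OTP type {kind!r}")

    # The label is "Issuer:account" or just "account", percent-encoded.
    label = unquote(parsed.path.lstrip("/"))
    label_issuer, _, account = label.rpartition(":")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}

    if "secret" not in params:
        raise ValueError("missing secret")
    secret_b32 = params["secret"].replace(" ", "").upper()
    try:
        # Base32 padding is usually omitted in QR codes; restore it before decoding.
        secret = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    except binascii.Error as exc:
        raise ValueError("secret is not valid base32") from exc
    if not secret:
        raise ValueError("secret is empty")

    algorithm = params.get("algorithm", "SHA1").upper()
    if algorithm not in SUPPORTED_ALGORITHMS:
        raise ValueError(f"unsupported algorithm {algorithm!r}")

    digits = int(params.get("digits", "6"))
    if digits not in (6, 7, 8):
        raise ValueError(f"unsupported digit count {digits}")

    period = counter = None
    if kind == "totp":
        period = int(params.get("period", "30"))
        if period <= 0:
            raise ValueError("period must be positive")
    else:
        if "counter" not in params:
            raise ValueError("hotp URI requires a counter")
        counter = int(params["counter"])

    # The explicit issuer parameter wins over the issuer prefix in the label.
    issuer = params.get("issuer", label_issuer).strip()
    return OtpParams(kind, issuer, account.strip(), secret, algorithm, digits, period, counter)


def is_valid_otpauth(uri: str) -> bool:
    """Convenience wrapper: True if the URI would be accepted for enrolment."""
    try:
        parse_otpauth(uri)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample URI, as a QR code for a TOTP account might encode it.
    sample = "otpauth://totp/Example:alice@example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example"
    print(parse_otpauth(sample))
```

Validating the URI before storing anything is what lets an app give a clear error at enrolment time rather than silently producing codes the service will never accept.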

Like Authy, Aegis can be backed up, but you choose where the backup data is stored, and there is a function whereby your data is backed up automatically. The key factor, however, is that your data can be exported and imported. So, if you store your Aegis tokens on your phone and decide you want them on a tablet as well, you can export your tokens to an encrypted file which can then be imported on the second device.

To watch a video on how to set up and run Aegis, click here.