The Bitwarden Blog
Top 10 Burning Questions on 2FA
December 28, 2021
Two-factor authentication (2FA) involves using more than one method to unlock your account. It can also be known as two-step login, two-step verification, or multi-factor authentication, all of which indicate a similar process of allowing account access via more than one step.
The most common implementation of two-factor authentication might be:
- Signing into a website with your password (something you know)
- Verifying that sign-in with a special code you received specific to that sign-in attempt (something you have)
In a perfect world, these two paths are independent. A hacker who might have your password from a breach could try and sign in to your account, but they might not have access to your phone where you receive the special code. This would prevent them from access. Later we will discuss verification options stronger than SMS or text messages.
Two-factor authentication expands the login process beyond a single step, making it more secure than simply using a username and password. Most implementations share codes that expire within a set timeframe, adding additional protection.
Two-factor authentication can be extremely reliable based on how it is implemented. For example, common two-factor setups might be to receive a message via SMS, email, an authentication app, or a security key. Each has pros and cons:
SMS Pro: Simple, default for many websites Con: Security-minded folks recognize that this method is vulnerable to SIM-jacking attacks
Email Pro: Simple, easy to set up Con: If your email is compromised as well, this will not protect you
Authenticator App Pro: Simple, easy to set up, some can be used across platforms Con: If you do not have your Authenticator App across multiple devices, you can get locked out of your accounts if a device is lost, stolen, or wiped before you make copies of your authenticator keys
Security Key Pro: Extra secure as a standalone hardware device Con: Without additional two-factor methods, a lost security key could inadvertently lock you out of your accounts
Using two-factor authentication in any form is better than not using it at all, regardless of method.
Acknowledging that this is an opinionated question, generally people recognize SIM-jacking as a real weakness of using mobile phones and SMS/text messages for authentication.
That said, if your email account is not well protected, it too could be susceptible to an attack.
So, across mobile and email, a well-protected email account that also has two-factor authentication would provide more security than mobile SMS messages.
Yes, Authenticator Apps are generally more secure than mobile or email notifications, since they are not vulnerable to SIM-jacking and are a completely separate channel from email, which may be more susceptible to hacking.
Some authenticators offer you easy options to backup the original authentication keys, so that you can stay protected if you lose one device.
Two-factor authentication (2FA), and two-step verification (2SV), and multi-factor authentication (MFA) and two-step login all generally refer to the same process of something beyond one step to log in to an account.
Potentially, depending on how you have it configured. That is why experts recommend unique passwords for every service you use, including your email, your authenticator app, the login of your mobile phone provider, and more.
7. Can hackers steal my 2FA codes without hacking my account? Is this something to be worried about?
Unfortunately, if a hacker gets access to your email and password because of a data breach, there are methods to help the hacker trick you into giving out your 2FA codes. For example, Vice and The Next Web detail hacking schemes that involve such tactics using fake robo calls or SIM-jacking, essentially stealing access to your mobile phone line.
The takeaway? Never give out your two-factor codes if someone calls you, and beware that SMS authentication is susceptible to attack.
Password managers help you generate strong and unique passwords for all of your accounts to keep you safe. From there, you only need to remember one main set of credentials for your password manager. Your password manager will help you autofill all of those unique passwords to the sites you visit. Should one site get breached, you only have to change that one password, and not others you may have reused elsewhere.
Of course, you want to set up your password manager with a strong and unique password only for the password manager, and protect your password manager with two-factor authentication.
Be diligent about the setup of your accounts, the credentials you use, and most importantly, the safe keeping of recovery codes for your password manager and the websites for which you enable two-factor authentication.
One way to test your abilities is to try setting up a brand new device, or using a new browser, and logging into your critical accounts. Are you able to do that quickly and easily? Practice runs will help ensure that you stay protected even with the loss of a computer or smartphone.
10. What happens if I lose access to my email, phone or authenticator app? Is there a way to reset my second factor?
Some websites have recovery mechanisms in place and others do not. Since two-factor authentication purposefully protects your account, many services cannot easily remove it for you.
With end-to-end encrypted applications, loss of two-factor authentication, and loss of your recovery code, can leave you permanently locked out. It would not be an end-to-end encrypted application if there were an alternate way to get in.
In these cases, your own care and diligence remains the best practice for recovery. Many end-to-end encrypted applications like password managers also have features like Emergency Access, which enables delegation of an account to a trusted party in the event you cannot log in to the account. While often used for life threatening emergencies, this option can be used for account recovery, but of course it must be set up in advance.
To learn more about two-factor authentication with Bitwarden, check out the following posts:
Back to Blog