The Bitwarden Blog

Top 10 Burning Questions on 2FA

GO
authored by:Gary Orenstein
posted:
Link Copied!

1. What is two-factor authentication (2FA) and how does it protect accounts?

Two-factor authentication (2FA) involves using more than one method to unlock your account. It can also be known as two-step login, two-step verification, or multi-factor authentication, all of which indicate a similar process of allowing account access via more than one step.

The most common implementation of two-factor authentication might be:

  • Signing into a website with your password (something you know)

  • Verifying that sign-in with a special code you received specific to that sign-in attempt (something you have)

In a perfect world, these two paths are independent. A hacker who might have your password from a breach could try and sign in to your account, but they might not have access to your phone where you receive the special code. This would prevent them from access. Later we will discuss verification options stronger than SMS or text messages.

2. What makes 2FA different from other security measures? How reliable is 2FA?

Two-factor authentication expands the login process beyond a single step, making it more secure than simply using a username and password. Most implementations share codes that expire within a set timeframe, adding additional protection.

Two-factor authentication can be extremely reliable based on how it is implemented. For example, common two-factor setups might be to receive a message via SMS, email, an authentication app, or a security key. Each has pros and cons:

SMS

  • Pro: Simple, default for many websites

  • Con: Security-minded folks recognize that this method is vulnerable to SIM-jacking attacks

Email

  • Pro: Simple, easy to set up

  • Con: If your email is compromised as well, this will not protect you

Authenticator App

  • Pro: Simple, easy to set up, some can be used across platforms

  • Con: If you do not have your Authenticator App across multiple devices, you can get locked out of your accounts if a device is lost, stolen, or wiped before you make copies of your authenticator keys

Security Key

  • Pro: Extra secure as a standalone hardware device

  • Con: Without additional two-factor methods, a lost security key could inadvertently lock you out of your accounts

Using two-factor authentication in any form is better than not using it at all, regardless of method.

3. Which type of authentication is more secure: mobile or email notifications?

Acknowledging that this is an opinionated question, generally people recognize SIM-jacking as a real weakness of using mobile phones and SMS/text messages for authentication.

That said, if your email account is not well protected, it too could be susceptible to an attack.

So, across mobile and email, a well-protected email account that also has two-factor authentication would provide more security than mobile SMS messages.

4. What about using authenticator apps? Are they more secure than mobile or email notifications?

Yes, Authenticator Apps are generally more secure than mobile or email notifications, since they are not vulnerable to SIM-jacking and are a completely separate channel from email, which may be more susceptible to hacking.

Some authenticators offer you easy options to backup the original authentication keys, so that you can stay protected if you lose one device.

5. What are the differences between 2FA and two-step verification (2SV)?

Two-factor authentication (2FA), and two-step verification (2SV), and multi-factor authentication (MFA) and two-step login all generally refer to the same process of something beyond one step to log in to an account.

6. If my account is hacked, could hackers share my 2FA information like they do with passwords?

Potentially, depending on how you have it configured. That is why experts recommend unique passwords for every service you use, including your email, your authenticator app, the login of your mobile phone provider, and more.

7. Can hackers steal my 2FA codes without hacking my account? Is this something to be worried about?

Unfortunately, if a hacker gets access to your email and password because of a data breach, there are methods to help the hacker trick you into giving out your 2FA codes. For example, Vice and The Next Web detail hacking schemes that involve such tactics using fake robo calls or SIM-jacking, essentially stealing access to your mobile phone line.

The takeaway? Never give out your two-factor codes if someone calls you, and beware that SMS authentication is susceptible to attack.

8. How can password managers help protect my accounts and 2FA codes?

Password managers help you generate strong and unique passwords for all of your accounts to keep you safe. From there, you only need to remember one main set of credentials for your password manager. Your password manager will help you autofill all of those unique passwords to the sites you visit. Should one site get breached, you only have to change that one password, and not others you may have reused elsewhere.

Of course, you want to set up your password manager with a strong and unique password only for the password manager, and protect your password manager with two-factor authentication.

9. What else should I do to protect my accounts and codes?

Be diligent about the setup of your accounts, the credentials you use, and most importantly, the safe keeping of recovery codes for your password manager and the websites for which you enable two-factor authentication.

One way to test your abilities is to try setting up a brand new device, or using a new browser, and logging into your critical accounts. Are you able to do that quickly and easily? Practice runs will help ensure that you stay protected even with the loss of a computer or smartphone.

10. What happens if I lose access to my email, phone or authenticator app? Is there a way to reset my second factor?

Some websites have recovery mechanisms in place and others do not. Since two-factor authentication purposefully protects your account, many services cannot easily remove it for you.

With end-to-end encrypted applications, loss of two-factor authentication, and loss of your recovery code, can leave you permanently locked out. It would not be an end-to-end encrypted application if there were an alternate way to get in.

In these cases, your own care and diligence remains the best practice for recovery. Many end-to-end encrypted applications like password managers also have features like Emergency Access, which enables delegation of an account to a trusted party in the event you cannot log in to the account. While often used for life threatening emergencies, this option can be used for account recovery, but of course it must be set up in advance.

Additional Resources

To learn more about two-factor authentication with Bitwarden, check out the following posts:

Field Guide to Two-Step Login

Basics of two-factor authentication with Bitwarden

Security Tips2FA
Link Copied!
Back to Blog

Get started with Bitwarden today.

Create your free account

© 2024 Bitwarden, Inc. Terms Privacy Cookie Settings Sitemap

This site is available in English.
Go to EnglishStay Here