DEV Community

Mustafa ERBAY
Mustafa ERBAY

Posted on • Originally published at mustafaerbay.com.tr

Two-Factor Authentication: 3 Security Differences and a Selection

The other day, while resetting my password on a bank's mobile app, I entered the verification code sent via SMS, as usual. This simple flow is one of the most common forms of two-factor authentication (2FA), the basic security layer for most digital services. However, its widespread use doesn't mean it's the most secure.

Two-factor authentication is a security mechanism that requires users to prove their identity with two different methods when accessing their digital accounts. This system, which ensures an account remains secure even if a single password is stolen or guessed, strengthens authentication by using at least two of the principles: "something you know" (password), "something you have" (phone or key), and "something you are" (fingerprint or facial recognition). In this post, I will explain different 2FA methods, from SMS-based 2FA to Time-Based One-Time Passwords (TOTP) and hardware security keys, the security differences between them, and how to make the right choice for personal use, drawing from my own experiences.

What is Two-Factor Authentication (2FA) and Why is it Vital?

Two-factor authentication (2FA) is an additional layer of security designed to protect your digital accounts from unauthorized access. Essentially, it aims to prevent access to your account even if a password is stolen, because the attacker needs not only to know the password but also to possess a second verification factor. This is a fundamental application of the principle known as "defense in depth" in the security world.

For someone like me, who has worked in system administration and security for years, I've seen countless times how risky it is to rely on a single layer of security. Many users realized their accounts were compromised due to email addresses or weak passwords, but that this could have been prevented with a second factor. Therefore, 2FA dramatically improves an account's security posture and offers a critical mechanism to compensate for the fragile nature of passwords.

ℹ️ The Three Core Factors of 2FA

Two-factor authentication typically uses at least two of the following three categories:

  1. Something You Know (Knowledge Factor): Password, PIN, answer to a security question.
  2. Something You Have (Possession Factor): Smartphone, hardware security key, bank card.
  3. Something You Are (Inherence Factor): Biometric data such as fingerprint, facial recognition, retina scan.

1. SMS-Based 2FA: Ease of Use and Hidden Weaknesses

SMS-based two-factor authentication works by sending a one-time code to your mobile phone when you try to log into an account. This method is widely adopted because it is very familiar and easy for users to implement; most online services offer SMS verification as a standard 2FA option. I see this method everywhere, from banking apps to social media platforms.

However, this ease of use comes with significant security weaknesses. In my experience, SMS-based 2FA is particularly vulnerable to SIM swap attacks. In such an attack, malicious actors manipulate your telecommunications operator to transfer your phone number to their own SIM card. Once they control your number, they can receive all SMS verification codes sent for you and easily access your accounts. In the past, I've observed accounts being compromised among users of one of my side products due to such attacks, leading to serious grievances. This clearly demonstrates that SMS alone is not a sufficient security layer.

⚠️ SIM Swap Attacks Are a Real Threat

SIM swap attacks pose a significant risk not only for personal accounts but also for corporate accounts. Attackers call telecommunication companies with stolen credentials or visit branches with fake documents to port your number to their own SIM cards. This process is often supported by social engineering techniques, and if successful, it renders all SMS-based 2FA protections ineffective. This is a risk factor I always consider when designing network security policies and ZTNA architectures.

Furthermore, SMS messages are often sent unencrypted and carry the potential to be intercepted by third parties (especially malicious insiders or in countries with weak network security) as they travel over mobile networks. Known weaknesses in the SS7 (Signaling System No. 7) protocol allow attackers to redirect or eavesdrop on SMS traffic. These technical details are risks that the average user is unaware of but security experts always consider. Therefore, while I use SMS-based 2FA on the principle of "better than nothing," I always emphasize the need to turn to stronger alternatives for critical accounts.

2. Time-Based One-Time Passwords (TOTP): A Balanced Security Layer

Time-Based One-Time Passwords (TOTP) are a significantly more secure alternative to SMS-based verification. This method works by generating a new code every 30 or 60 seconds via an application running on your mobile phone or a dedicated hardware device. These codes are generated synchronously using a pre-shared secret key (seed) between the server and the device, and an algorithm based on the current time. For example, I use TOTP for some services hosted on my own VPS and for the administration panels of my side products.

Unlike SMS, TOTP applications are not dependent on the mobile phone network; codes can be generated offline. This provides immunity against SIM swap attacks and eliminates the risk of message interception. Applications like Google Authenticator, Authy, and Aegis Authenticator are among the most well-known solutions in this regard. In my experience, I use TOTP for most of my personal and business accounts because it offers a much more reliable balance compared to SMS.

The main weakness of TOTP is that it is not completely immune to phishing attacks. If an attacker creates a fake login page that looks exactly like the real site, and you enter your password and TOTP code on this page, the attacker can immediately access your account by relaying this information to the real site. This still poses a risk, especially for less careful users. Additionally, if the device with your TOTP application is lost or stolen, you may lose access to your accounts if you haven't properly stored your backup codes. That's why I always recommend storing the recovery codes provided during TOTP setup in a secure place.

💡 TOTP Backup Strategies

When setting up your TOTP applications, be sure to store the provided recovery codes in a secure place. Keeping them in a password manager or physically written down in a locked drawer is a good start. Additionally, some TOTP applications (e.g., Authy) can synchronize across multiple devices, allowing you to access your accounts from another device if one is lost. Such features make TOTP usage more resilient.

3. Hardware Security Keys (FIDO/U2F): The Highest Security Level

Hardware security keys are currently the most secure two-factor authentication method available on the market. Developed by the FIDO (Fast Identity Online) Alliance and using U2F (Universal 2nd Factor) or WebAuthn standards, these keys can come in the form of a small USB device, NFC tag, or Bluetooth key that you physically possess. YubiKey and Google Titan Security Key are among the most popular examples in this field. For someone like me, who accesses sensitive data and constantly deals with security risks, using a hardware key for my most critical accounts is an indispensable choice.

The biggest advantage of these keys is that they are almost completely immune to phishing attacks. A hardware key communicates and performs the authentication process only with the correct website (i.e., the correct URL and certificate). If an attacker redirects you to a fake site, the key will not recognize that site and will not authenticate. This feature is made possible by the principles of public-key cryptography, which form the basis of the WebAuthn standard. This means that even if an attacker enters your password and TOTP code on a fake site, your account remains secure because the hardware key will not work there.

Diagram

Hardware keys also have some disadvantages. First, they have a cost, and having multiple keys (for backup) can increase this cost. Also, if they are physically lost, you may experience access problems to your accounts, so I always recommend having at least two keys and storing one in a secure place. Although they are becoming more common, not all websites or services may offer hardware key support; in such cases, alternatives like TOTP or SMS may be necessary. However, for critical email accounts, password managers, and financial platforms, hardware keys are, for me, undeniably the best option.

What are the Key Security Differences Between 2FA Methods?

Different two-factor authentication methods vary significantly in the level of security they offer and their ease of use. Understanding these differences is critical for deciding which method is most suitable for which of your accounts. As someone who has implemented such security mechanisms in both corporate systems and my personal life for years, I have clearly seen that each method has its unique advantages and disadvantages.

The table below compares SMS, TOTP, and Hardware Key methods based on key security and usability criteria:

Feature / Criterion SMS-Based 2FA TOTP (Authenticator Apps) Hardware Security Keys (FIDO/U2F)
Phishing Resistance Low (Code can be entered on fake site) Medium (Code can be entered on fake site, but harder) High (Verifies site URL, resistant to phishing)
SIM Swap Resistance None (Codes intercepted if number is stolen) High (Independent of phone number) High (Independent of phone number)
Interception Risk High (SS7 vulnerabilities, operators) Low (Codes generated offline) Very Low (Uses asymmetric cryptography)
Ease of Use Very High (Anyone can receive SMS) Medium (App setup, QR code scanning) Medium (Insert/tap key, initial setup)
Cost None (With existing phone line) None (Free apps) Yes (Varies from 20-100 USD)
Backup/Recovery If phone number can be recovered Recovery codes or synchronization Backup key is essential
Offline Operation No (Network required to receive SMS) Yes (Codes generated offline) Yes (Physical key is sufficient)

ℹ️ Why is Phishing Resistance Important?

Phishing resistance indicates how resilient you are against an attacker's attempts to redirect you to a fake website to steal your login credentials and verification code. SMS and TOTP codes can be intercepted if entered on the correct fake site at the right time. However, hardware keys provide unique protection against such attacks because they cryptographically verify the site's address (origin). This is a point I constantly emphasize in my cybersecurity training and corporate solutions.

As this comparison shows, each method has its own place. SMS offers the most basic protection, while TOTP provides a more balanced and independent solution. Hardware keys, on the other hand, offer the highest level of security, especially for high-value accounts. As a security expert, I always advise users to choose the most appropriate solution based on their risk profiles.

Which 2FA Method to Choose for Personal Use? A Practical Guide

Which two-factor authentication method you choose depends on the importance of the account you want to protect and your personal risk tolerance. In my years of observation, there isn't a single "best" solution; rather, applying different layers of protection for different accounts is the smartest approach. This is a principle often known as "layered security" and applies not only to system architecture but also to our personal security.

Here's a practical guide for personal use:

  1. Your Most Critical Accounts (Email, Password Manager, Financial Institutions): Hardware Security Key + TOTP Backup

    • Why: Your email account is the recovery point for all your other accounts. Your password manager holds all your digital keys. If these accounts are compromised, your entire digital life is at risk due to a domino effect. Hardware keys offer the highest protection against phishing and are indispensable for such critical accounts.
    • Implementation: Acquire a hardware key like YubiKey or Google Titan. Use it as the primary 2FA method for your main email address, password manager (LastPass, 1Password, Bitwarden, etc.), and banking/cryptocurrency platforms. Always have a backup hardware key and store one in a secure place (e.g., a locked drawer or your safe). For platforms that don't support hardware keys, set up TOTP as a backup.
    • My Approach: I use physical YubiKeys for my main Google account, password manager, and financial platforms. I carry one as my daily key in my wallet and keep the other in a secure place at home. This provides me with both daily practicality and a safety net against loss/theft.
  2. Your Important Accounts (Social Media, Cloud Storage, E-commerce): TOTP (Authenticator Apps)

    • Why: While these accounts may not directly cause financial loss, they can lead to identity theft, embarrassing shares, or data loss. TOTP is a much more secure alternative to SMS and provides protection against SIM swap attacks.
    • Implementation: Download an app like Google Authenticator, Authy, or Aegis Authenticator. Enable TOTP for platforms like Facebook, Twitter, Instagram, Dropbox, Google Drive. Be sure to store the recovery codes provided during app setup in a secure place.
    • My Approach: I use Authy for most of my social media and cloud storage accounts because its ability to sync across multiple devices gives me flexibility in case of a lost phone. I always store my recovery codes in my password manager.
  3. Your Less Critical Accounts (Forums, News Sites, Rarely Used Services): SMS (If No Other Option)

    • Why: Some older or less prioritized services, unfortunately, only offer SMS-based 2FA. In this case, using SMS is still better than no 2FA at all, but be aware of its risks.
    • Implementation: If you are forced to use SMS for such accounts, avoid sharing sensitive information related to these accounts. If possible, use strong and unique passwords for these accounts.
    • My Approach: In my own Android spam app, I've provided TOTP integration so users can use more secure methods instead of SMS verification codes. However, sometimes I find a service that only offers SMS; in such cases, I make sure to link very little personal data to that account.

Conclusion

Ensuring our personal security in the digital world now goes beyond just using a strong password. Two-factor authentication is an indispensable mechanism that strengthens access to our accounts and forms a barrier against a large portion of cyberattacks. Understanding the risks of SMS-based 2FA despite its ease of use, the balanced security layer offered by TOTP, and the superior protection against phishing provided by hardware security keys, enables us to make informed decisions.

Remember, every step you take to protect your digital assets is important. Adopting hardware keys, starting with your most critical accounts, using TOTP for other accounts, and only resorting to SMS as a last resort are the smartest steps you can take in your personal cybersecurity strategy. Security is an ongoing process, and correctly implementing these methods is key to keeping your digital life safe.

Top comments (0)