MFA: Recommended Practices

TL;DR

Use a FIDO2-compliant key for every service that supports it. Register multiple keys and manage them properly. For services that don't support keys, use a password manager that stores TOTPs. Avoid SMS-based TOTPs wherever you can; if you have no choice, try to register a Google Voice number for them.

Terms & Tech

Two-Factor Authentication (2FA) means two things are required to authenticate to a service. Multi-Factor Authentication (MFA) means at least two things are required. Universal 2nd Factor (U2F) is a proposed standard for MFA that's backed by the Fast IDentity Online (FIDO) Alliance. The idea behind 2FA, MFA, and U2F is that you combine something you know (a password) with something you possess (the second factor) to authenticate. Most scenarios today pair a password with either a Time-based One Time Password (TOTP) sent via text message or generated by an application or hardware device, a biometric element (e.g. a fingerprint), or a physical key that connects via USB or Bluetooth. 2 Step Verification (2SV) is when a second known element is used, such as a personal identification number (PIN). 2SV is not the same as MFA/2FA.

Recommendations

  1. The most secure second factor is a FIDO2-compliant key. Google sells Titan Security Keys, and Yubico sells FIDO-compliant keys as well. When a U2F key is added to an account, a random number (nonce) is combined with the website's URL and user ID to create a site-specific public/private key pair. The private key is stored on the U2F key itself, and it is infeasible for anyone to extract or reverse engineer it. The U2F protocol also includes a usage counter that is incremented every time the key is used. If a cloned key is used, it will be rejected because the counter it presents will not be higher than the value the service last recorded for the original. The U2F specification is also known within FIDO2 as the Client to Authenticator Protocol version 1 (CTAP1).
  2. Register at least three U2F keys for each account and don’t keep them all in the same place.
  3. Store at least one U2F key as an emergency backup and rotate U2F keys periodically to be sure they all work.
  4. Deregister any retired keys from each account.
  5. Use a password manager (e.g. 1Password) that stores TOTPs. This makes the codes available across platforms and reduces risk by not storing them all on a single device.
  6. To the greatest extent possible, avoid SMS-based TOTPs. This is difficult because SMS-based codes were the original form of 2FA and many organizations haven't implemented improved methods like application-generated TOTP or U2F. But it's critical, because SIMjacking is real and a compromised mobile number means a compromised second factor.
  7. Use a Google Voice number backed by a U2F-secured Google Account if SMS-based TOTP 2FA is the only option offered. This reduces risk if your phone is SIMjacked, disabled, or lost.
  8. Finally, a low-tech or no-tech method to add protection to your accounts is to request that a verbal passcode or personal identification number (PIN) be added to your account profile. This can defend against social engineering of customer service staff. Because a code or PIN is another thing you know, this is considered 2SV. Select a code or PIN that isn't obvious and can't be derived from information about you, and store it in your password manager so you won't lock yourself out if you forget it. The code should be hard to guess yet easy to read aloud to a customer service representative. You can include numbers and non-dictionary words, like "giftcard 65 carrotbox"; there's no need to replace letters with numbers or special characters, because those could make it harder for the representative if they have to type the code into their system.
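The site-specific key pair and usage counter described in recommendation 1, as an added Go example that is not part of the original page: a simplified model of registration and assertion in which the service verifies the signature and then rejects any counter that has not advanced, which is how a cloned key is caught. The names (Authenticator, Credential, Register) and the signed-data layout are constructed for illustration; real CTAP1 signs additional fields such as the application ID hash.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator stands in for the hardware key (constructed, simplified model of CTAP1).
type Authenticator struct {
	priv    *ecdsa.PrivateKey // site-specific private key; never leaves the device
	counter uint32           // usage counter, incremented on every assertion
}
// Credential is the relying party's record: the public key and the highest counter seen.
type Credential struct {
	PubKey  *ecdsa.PublicKey
	Counter uint32
}

// Register models enrolment: the device makes a key pair; the service keeps only the public key.
func Register() (*Authenticator, *Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, &Credential{PubKey: &priv.PublicKey}, nil
}
// signedData binds the counter to the server's fresh challenge so an old assertion cannot be replayed.
func signedData(counter uint32, challenge []byte) []byte {
	ctr := []byte{byte(counter >> 24), byte(counter >> 16), byte(counter >> 8), byte(counter)}
	h := sha256.Sum256(append(ctr, challenge...))
	return h[:]
}
// Sign increments the counter and signs it together with the challenge.
func (a *Authenticator) Sign(challenge []byte) (uint32, []byte, error) {
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedData(a.counter, challenge))
	return a.counter, sig, err
}

// Verify checks the signature, then rejects a counter that did not move forward: a clone
// carries the same private key but a stale counter, so it fails here.
func (c *Credential) Verify(challenge []byte, counter uint32, sig []byte) error {
	if !ecdsa.VerifyASN1(c.PubKey, signedData(counter, challenge), sig) {
		return errors.New("signature does not verify")
	}
	if counter <= c.Counter {
		return errors.New("counter did not increase: possible cloned authenticator")
	}
	c.Counter = counter
	return nil
}
```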