There are a few different MFA methods you’ll come across and I have them listed out here. This page is meant more as a reference.

Biometrics

Description

This usually isn’t really MFA, since you can typically use either a password or biometrics, but here we are. Biometrics usually means either a face scan or a fingerprint. They are a bit of a mixed bag. Fingerprints used to be very easy to bypass. Now I think they are still easier to bypass than a password, but not easy (if you have a device costing over a couple hundred dollars).

Recovery

Usually you can provide either biometrics or a password, so you just use the password and then reset the biometrics.

Discussion

Usually, these are only there to get you into a device that you own, and usually all the data is stored only on the device. Specifically, it’s usually stored in the TPM. A TPM is a little chip that can store data and has some processing power, and it is separate from the device’s main memory, storage, processor, etc. The main device goes to the TPM chip, presents it with the fingerprint unlock attempt, and essentially asks “does this pass?”, and the TPM says yes or no. The TPM is not designed to be backed up or copied (although I bet there are ways to do it to some extent). It’s designed to be a strongbox no one can open.

When your biometrics are only stored on a TPM, they are pretty solid for low-key use cases. The main problem is when the biometric data leaves the TPM. That’s why I’m not super enthused about biometrics. Plus you can’t change them, and they tend to be racist. Also, you can legally be compelled to use your face/fingerprint to unlock a device, while the rules around passwords are tighter.

In general I would highly discourage using a fingerprint unlock as the main protection for your password manager, but if you have a computer that doesn’t have anything really sensitive on it then it’s fine.

SMS

Description

SMS is just a text message. So if, when you log in, it sends you a text with a code that you have to type in, this is the method it’s using.

Recovery

If you lose your phone or whatever, this method just assumes that you can get another phone with the same number. So it relies on your phone company for recovery. If the website allows it, you can also add another MFA method, and if you lose your phone number/don’t have signal/whatever you can use the other method.

Discussion

This is generally not a good method of MFA. It’s better than nothing, but Oh Boy does it have problems. They ultimately stem from the fact that SMS was never designed to be super secure, and T-Mobile/Verizon never signed up to be identity brokers. If someone calls sounding panicky and doesn’t quite have all the information they should have, it’s not uncommon for T-Mobile to let them do things like change which SIM card text messages go to. Then the hackers get your texts and can log in as you.

TOTP

Description

If you have any of the apps Authy, Google Authenticator, Microsoft Authenticator, or others like that, it’s likely using TOTP. TOTP stands for Time-based One-Time Password. The idea is that when you activate it you get a random little secret key. The app uses the key and the current time to generate a code that you can enter.

Recovery

When you sign up for TOTP, the website will give you a set of recovery codes you can use. The idea is that you print them out and lock them in a safe or whatever. When you lose your phone you go to the safe, pull a code off the piece of paper, and entering it gets you in. Of course, I don’t think almost anyone prints them out. Instead they put them in their password manager.

You can also ignore the backup codes and just use another MFA method if you have another one set up.
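As an added illustration (my own code, not from the page or any particular site) of how a site can handle those recovery codes on its end: generate them from a proper CSPRNG, show them to the user once, keep only hashes, and burn each code the moment it is used so a leaked or photographed list has a bounded blast radius. The 64-bit code length and the dash formatting are my choices for the example.

```python
import hashlib
import hmac
import secrets
from typing import List, Set

CODE_BYTES = 8      # 64 bits of entropy per code (assumption for this example)
DEFAULT_COUNT = 10  # how many codes to hand the user at enrollment


def _format(raw_hex: str) -> str:
    """Group the hex into 4-character chunks so it is easy to print and type: 'xxxx-xxxx-xxxx-xxxx'."""
    return "-".join(raw_hex[i:i + 4] for i in range(0, len(raw_hex), 4))


def generate_recovery_codes(count: int = DEFAULT_COUNT) -> List[str]:
    """Codes shown to the user exactly once at enrollment. Uses `secrets`, never `random`."""
    return [_format(secrets.token_hex(CODE_BYTES)) for _ in range(count)]


def _digest(code: str) -> str:
    """Normalise what the user typed (case, dashes, spaces) before hashing so a printed code round-trips."""
    normalised = code.replace("-", "").replace(" ", "").strip().lower()
    return hashlib.sha256(normalised.encode()).hexdigest()


def store_recovery_codes(codes: List[str]) -> Set[str]:
    """What the server persists: only the hashes. With 64 random bits per code a plain SHA-256
    is adequate; shorter, human-friendlier codes would need a slow hash such as scrypt instead."""
    return {_digest(c) for c in codes}


def redeem_recovery_code(stored: Set[str], submitted: str) -> bool:
    """Accept a code once. On success the hash is removed, so the same code never works twice."""
    candidate = _digest(submitted)
    for stored_hash in stored:
        if hmac.compare_digest(stored_hash, candidate):
            stored.remove(stored_hash)
            return True
    return False


if __name__ == "__main__":
    codes = generate_recovery_codes()
    print("print these and lock them away:", *codes, sep="\n  ")
    vault = store_recovery_codes(codes)
    print("first use accepted:", redeem_recovery_code(vault, codes[0]))
    print("second use accepted:", redeem_recovery_code(vault, codes[0]))
    print("codes remaining:", len(vault))
```

Because the server holds only hashes, a database leak does not hand out working codes, and because each one is consumed on use, the user also gets a signal: a code that “no longer works” when they know they haven’t used it means someone else did.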

Discussion

This method is pretty good. At its heart it’s really just a second password, but you never see or enter the actual password. Instead you use a derivative of the password that, if someone were to intercept it, does not actually allow them to recover the password itself.

It tends to be much more secure than SMS, since there is usually no third party that a hacker can persuade. However, the hacker can still persuade you to give them the code, so… there’s still that. Actually, this is becoming a bigger and bigger thing. Also, if a hacker compromises whatever device this is on, then they can sometimes just steal the secret key from the TOTP app.

A big, common, and hard to solve problem is storing TOTP recovery codes in the same password manager where you have your password.

Also, this works without internet so it’s an ideal method of MFA for Cuba since you don’t need to rely as much on internet or phone.

Non-Standard

Description

There are a few non-standard MFA solutions. Usually, the value proposition is that when a login is attempted, the app on your phone gives you a push notification that you can approve or deny. There are a few advantages of this method.

  1. The notification usually comes with an IP address, geographic location, and such. So if you get a notification that someone in Poland is trying to log in and you’re in Texas, you know something’s wrong.
  2. If you’re sitting at a coffee shop enjoying a scone and you get a notification that someone tried to log in, it’s really obvious that someone’s trying to hack you.
  3. With most other MFA methods there’s no easy way to report that someone’s trying to hack you. With these, you have a deny button, and usually that will not only deny the hacker access but also lock down your account and send a huge alert to the security team.

Recovery

These methods are usually deployed at a school or something so the recovery method is you talking to IT. With Google and Microsoft (who also have this) I don’t really know…

Of course if you have another MFA method you can just use that.

Discussion

Man, it sounds good, don’t it? Why doesn’t everyone use it? It’s expensive as fuck (a couple of dollars per user per month). If you are a school or business then two bucks per employee is fine. If you’re Spotify or Netflix, that’s way too much money. Big companies (Google and Microsoft) make their own apps and so can offer this flow to all their users.

The other disadvantage is that it relies heavily on internet, so if you’re in Cuba you might need to try logging in a couple of times (maybe try a different VPN location) before the notification comes.

Hardware Token (Yubikey): The Gold Standard

Description

Hardware tokens are physical devices. You can’t copy one, you can’t back it up, and you can’t extract the core key material that’s on it. When you go to a website and plug in your Yubikey (which is the most popular brand), the Yubikey does some fancy cryptography crap to prove to the website that it is the key it purports to be. However, if the website is set up stupid, then all the Yubikey does is pretend to be a keyboard and type in a long password (one long password per device).

Recovery

You can’t copy, backup, or recover a Yubikey. The only option here is to have another MFA method. Usually what this means is that instead of buying one $50 Yubikey, you actually need to buy two or three $50 Yubikeys. Then you have to register all three with each website.

Discussion

No one can convince you to click a button here. You can’t be convinced to give up key material or make a backup and send it to someone or anything like that. Short of being convinced to physically ship this thing to someone it’s un-phishable. Un-social engineering-able.

It uses open standards. It is the Gold Standard. It is the Golden Goose.

And it’s very difficult to support, so not many sites support it. Which is why most of the sites I tried it on that said they supported it only supported the mode where it types in a password. That’s like buying a fast new car that has a chip in it preventing it from going over 30 mph.

They recently came out with a new standard called WebAuthn. This allows you to use your Yubikey not only as a second factor but as the whole shebang. Instead of typing in a username and password, you just plug the Yubikey in. More and more phones and computers nowadays are built with TPMs, which are basically built-in Yubikeys. WebAuthn allows these to be used as hardware tokens. So you get to the login page of the website, hit a button on your phone, and BOOM, logged in. Another advantage of WebAuthn is that it will become The Way to do MFA. Eventually.