2FA Overview
Two-Factor Authentication (2FA), also called Two-Step Verification, is the most common form of Multi-Factor Authentication (MFA): it requires two distinct forms of verification before access to an account is granted. Instead of relying solely on a password (something you know), 2FA adds a second factor from a different category (something you have, such as a phone or hardware key, or something you are, such as a fingerprint), so a password that has been guessed, leaked or phished is not enough on its own to get into your account.
Common Types of Two-Factor Authentication (2FA) and Their Security Levels
There are various 2FA methods, each with its own advantages and disadvantages in terms of security and convenience:
1. SMS-based OTP (One-Time Passcode)
- How it works: A one-time passcode (OTP) is sent to your registered mobile phone number via SMS when you attempt to log in. You enter this code on the login page to complete the process.
- Security Level: Medium.
- Pros: Very convenient and easy to use for most people as it doesn't require a special app.
- Cons: Vulnerable to "SIM swapping" (an attacker convinces your carrier to move your phone number to their SIM and then receives your codes), to interception on the mobile network, and to "phishing" pages that ask for your password and the OTP and relay both to the real site within seconds. Google and security experts recommend avoiding SMS OTP as a primary 2FA method if better options are available; it is still far better than a password alone.
2. Authenticator App OTP (Time-based One-Time Passcode - TOTP)
- How it works: A dedicated app (Google Authenticator, Authy, Microsoft Authenticator) on your smartphone holds a secret that was shared with the service when you scanned the setup QR code. The app combines that secret with the current time to produce a time-based one-time passcode (TOTP), typically a six-digit code that changes every 30 seconds. You enter the code shown in the app on the login page.
- Security Level: High.
- Pros: Much safer than SMS OTP because the secret stays on your device and the codes are generated locally, never sent over the mobile network, so SIM swapping does not help an attacker.
- Cons: Requires installing and setting up a separate app. The codes are still phishable: a fake login page can forward a code you type to the real site within its 30-second validity window. If you lose your phone, you'll need backup codes or another recovery method.
3. Google Prompt / Push Notification
- How it works: When you attempt to log in, a push notification is sent to your registered smartphone. You simply tap "Yes" or "Approve" on your phone to confirm the login.
- Security Level: High.
- Pros: Extremely convenient and fast. Safer than SMS because the prompt travels over an encrypted channel to a device that is already signed in, and there is no code to type into a phishing page.
- Cons: Requires your phone to have an internet connection and be signed in to your Google account (or the respective service's account). Not fully phishing-resistant: an attacker who already has your password can trigger prompts repeatedly and hope you approve one by mistake ("MFA fatigue"), which is why prompts show details of the sign-in attempt and may ask you to match a number shown on the login screen. Only approve a prompt for a sign-in you started yourself, and report unexpected prompts to IT.
4. Physical Security Key (FIDO U2F/WebAuthn)
- How it works: A small hardware device (often shaped like a USB drive) that you plug into your computer or connect via NFC/Bluetooth to your phone. During login the browser sends the key a challenge; the key signs it with a private key that never leaves the device once you touch it (some keys also ask for a PIN or fingerprint).
- Security Level: Very High (Highest).
- Pros: Provides the strongest protection against phishing and malware. The signed response is bound to the website's domain: the browser includes the page's origin in what is signed, and the key only uses credentials registered for that domain, so a look-alike site cannot obtain a usable login and there is no code you can be tricked into typing. Malware on the computer cannot copy the private key off the device.
- Cons: Requires purchasing a physical device (ideally two, so one can be kept as a backup). Can be inconvenient if you frequently switch devices or forget to carry the key.
5. Biometrics
- How it works: Uses a unique biological characteristic such as a fingerprint (Touch ID, Android fingerprint) or your face (Face ID) to prove it is you. On phones and laptops this usually unlocks something else: the device itself, a passkey, or an authenticator app.
- Security Level: High.
- Pros: Very convenient and fast. The biometric template stays in the device's secure hardware and is never sent to the website, so it cannot be phished or leaked by the service.
- Cons: Not an independent 2FA factor for a website on its own; it typically gates another factor (the device, or a key stored on it). Spoofing has been demonstrated against some sensors (for example with a lifted fingerprint or a photo), though it requires physical access to you and your device.
Popular 2FA Authenticator Apps
If you choose to use OTP codes from an authenticator app, here are some common and reliable options:
- Google Authenticator:
  - Pros: Free, simple, easy to use, developed by Google, so it integrates well with Google services.
  - Cons: Older versions kept codes only on the phone; current versions can sync them to your Google Account, but if sync is off and you lose your phone or delete the app, you lose access to your 2FA-enabled accounts unless you have recovery codes.
  - Download: Android, iOS
- Authy:
- Microsoft Authenticator:
IT's Recommendation
We highly recommend using Google Prompt (for Google accounts) or an authenticator app (like Authy or Google Authenticator) as your primary 2FA method for critical company accounts. These methods offer a good balance between security and convenience. For accounts with administrative or financial access, consider a physical security key, which is the most phishing-resistant option listed above.
Always set up recovery methods (like backup codes) in case you lose access to your primary 2FA device, and store them somewhere other than the phone that holds your authenticator app.
If you have any questions about 2FA or need assistance with setup, please contact the IT department via Jira Service Management on Slack.