An exploratory study aiming to understand people’s adoption and perception of 2FA methods conducted with 20,000 participants at Carnegie Mellon University revealed that while users find 2FA disruptive, they find its usage easy and feel secure because of it.
Prior familiarity with 2FA applications (in this case, Duo) changed user perception: users were found to consider 2FA less annoying, easy, somewhat fun, and more secure. Non-users, on the other hand, admitted to having trouble using it, but the time and effort spent navigating the 2FA app decreased with practice.
Another two-week study conducted at Brigham Young University (BYU) by Ken Reese, Trevor Smith, Jonathan Dutson, Jonathan Armknecht, Jacob Cameron, and Kent Seamons revealed that users who have experience with 2FA tend to be interested in using it long term for sensitive online accounts.
One third of participants, however, reported that the unavailability of their 2FA device during login caused problems, and two thirds of TOTP users found it (comparatively) insecure.
While user comfort may get compromised with the usage of 2FA, the math suggests that it isn’t just an optional security measure, but a necessary one.
Passwords up to 8 characters long can be cracked within a day using dedicated password cracking software. To combat this reality, password-protected applications, tools, and software nowadays force users to create long passwords with a mixture of uppercase and lowercase letters, digits, and special characters.
While this rule reduces the risk of users falling prey to account takeovers, it doesn’t eliminate it. Therefore, the adoption of two-factor authentication becomes necessary, to further minimize the possibility of stolen passwords being exploited.
If you haven’t gone through our one-stop guide for Two-Factor Authentication, here’s the tl;dr: Two-Factor Authentication, or 2FA, is an authentication-based user verification method that makes use of two layers of security instead of one.
Each time a user logs in to their password-protected account, their choice of 2FA provider (hardware-based, software-based, biometric-based, phone number-based, or device-based) makes a new, time-limited password available to them.
This password could be a PIN, string of characters, or pattern. Only when the user enters both passwords correctly, do they gain access to their accounts.
The main usage of 2FA has been observed in banks, on which Kat Krol, Eleni Philippou, Emiliano De Cristofaro, and M. Angela Sasse from University College London wrote a paper.
They observed that 77.8% of the banks they studied employed some form of 2FA mechanism for online banking, in order to decrease security risks.
These mechanisms range from longer and stronger passwords to OTPs, unique answers, and unique registration numbers. Whatever the method may be, the adoption of 2FA is clearly gaining momentum – and rightly so!
- The main and most obvious benefit of enabling 2FA for user accounts is security. Even if the primary password gets stolen, users can depend on the secondary password for their security. Because of this, stealing one password doesn’t help attackers much, as they can’t gain access to accounts with 2FA enabled unless they obtain both factors.
- Another benefit is reduced expenditure by businesses. With 2FA enabled, in-office work resources can be made accessible to employees from the comfort and convenience of their own homes, or any other location. As times change, so does the definition of a workspace. Nowadays, employee presence in physical offices isn’t important; efficient, good-quality work is. For this reason, more and more businesses have started hiring desirable employees who are allowed to work remotely. Sharing resources with them securely can be realized through the usage of 2FA, saving relocation and transportation costs where applicable.
- Increased productivity can be attributed to the same reason. As employees are allowed to work from any convenient location, they can perform time-sensitive tasks during the commute. They can also choose to work in environments that boost their analytical or creative skills, even if these environments aren’t formal.
- Lower risk of data leaks can be expected since every user accessing the concerned data would have to undergo an authentication process. Since all users would be aware that the records of this authentication exist, they would be wary of indulging in questionable behavior that may or may not be related to data theft or leaks, as such crimes could be traced back to them.
- The process of enabling 2FA is extremely simple, due to which implementation is easy. Users can choose a suitable 2FA application, select a viable mode of authentication, and link accounts that require protection (ideally, this should be all their accounts). After setting 2FA up, they will start receiving their secondary password each time they sign in.
Two-Factor Authentication codes are usually time-based one-time passwords (TOTP), generated by dedicated authenticator applications from a shared secret and the current time, whenever a registered user attempts to sign in to a linked account.
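To make the TOTP mechanism concrete, here is an added reference implementation of RFC 4226 (HOTP) and RFC 6238 (TOTP) in plain Python; it is example code, not taken from the article or from any of the apps listed below. It uses the RFC 6238 test secret and shows the verification side: a small clock-drift window and the matched counter, which a server should store so the same code cannot be accepted twice.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret (ASCII "12345678901234567890"), base32-encoded
# as an authenticator app would receive it from a QR code.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"    # keep leading zeros


def totp(secret_b32: str, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time / step."""
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)                      # tolerate unpadded base32
    key = base64.b32decode(s)
    return hotp(key, for_time // step, digits)


def verify_totp(secret_b32: str, code: str, now: int,
                step: int = 30, window: int = 1, digits: int = 6):
    """Return the matching time-step counter, or None if the code is invalid.

    Accepting +/- `window` steps tolerates small clock drift between the
    phone and the server; a real server must also persist the returned
    counter and reject any code whose counter is <= the last accepted one.
    """
    for drift in range(-window, window + 1):
        t = now + drift * step
        if hmac.compare_digest(totp(secret_b32, t, step, digits), code):
            return t // step
    return None


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(SECRET_B32, now))
    print("counter matched:", verify_totp(SECRET_B32, totp(SECRET_B32, now), now))
```

The six-digit code changes every 30 seconds, so an intercepted code is only useful inside that window, which is what the text above means by a time-limited password.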
In order to enable 2FA for any number of accounts, the first (and most important) step is to choose a secure, easy-to-use 2FA code generator. The number one reason that discourages users from enabling 2FA is reduced ease of access. To make choosing a suitable 2FA code generator simple, the following is a list of necessary features to look for in a 2FA authenticator app.
As explained in our Two-Factor Authentication guide, every 2FA code generator should provide the following:
- Security: The sole purpose of authenticator applications is to increase the security measures associated with any verification-based account.
- Convenience: As users have been observed to feel discouraged from using 2FA apps due to increased complexity, effort and time involved in logging in to their accounts, commercially viable security providers should ensure a smooth UX.
- Compatibility: Potential users could be using any type of system (currently, and in the future) – Android, iOS, Windows, or Mac. It is therefore important to use 2FA applications that are compatible with all types of systems and software.
- Integrity: Not only should authenticator applications guarantee safe and maintainable source code, but they must also provide prompt support related to it.
- Backup: 2FA applications must offer backup codes, which are emergency codes that allow users to access their 2FA-protected accounts when they can’t access the authenticator platform. These codes can be printed out to avoid memorization and can be regenerated once a user runs out of the currently available backup codes.
Keeping these factors in mind, observing market performance, reading user reviews and trusting critic opinions, the comprehensive list of best 2FA authenticator applications is as follows:
Developed by Twilio, Authy supports passwords and biometric verification across a range of devices, such as cell phones, tablets, and personal computers (with sync allowed!), running on iOS, Android, Windows, or Mac. With an average rating of 4.3 out of 5 on the Apple, Google, and Android stores, Authy is a favorite amongst users worldwide.
It is compatible with websites making use of TOTP or Google Authenticator. The Authy app adds icons of websites linked to it whenever a user enables 2FA, and provides the app-specific token available to the user via one touch, to make the app user-friendly. These icons can be manipulated as required (add, rearrange, delete, search).
Authy provides backup/recovery options in the form of both a secondary registered device and a cloud-based backup. Even the authorization tokens can be encrypted and backed up to the cloud.
Available for both Android and iOS, Google Authenticator is an extremely easy-to-use authenticator application. Once users have installed it, all they need to do is scan a QR code with the app and verify themselves. After this, they can add their 2FA-supported applications for easy access to all authentication code-based accounts.
However, it does not support cloud-sync or multiple device-sync. Backup codes are provided for flexible usage.
Password manager LastPass also provides cloud-backed two-factor authentication services. Available on Android, the Windows Store, and iOS, it allows users to log in to their accounts using a method of their choosing: 6-digit passcodes, SMS codes, or push notifications.
Leading sites such as Amazon, Facebook, Evernote, Dropbox, and Google can be accessed via one-tap push notifications.
Offering two-factor authentication services for multiple accounts, Microsoft Authenticator uses TOTP to secure accounts accessible through Android, iOS and Windows 10 based devices. Microsoft accounts can be verified via a one-tap mechanism, while other accounts can be configured by scanning a QR code.
Protected by an app lock, Microsoft Authenticator allows users to keep a cloud-based backup handy and offers a better user interface.
Free for Android and iOS, the Duo Mobile 2FA application offers TOTP, biometric, and single-touch verification options for its users. The integration of Duo Restore enables backup and restoration of Duo Mobile account data, making its usage highly convenient.
Popular applications such as Snapchat, Google, Amazon, and Slack can be added to the application by following a simple setup process that involves scanning a QR code and enabling user verification.
For accounts on WordPress websites, the WP 2FA plugin is probably the easiest method of enabling two-factor authentication. It supports popular 2FA code generators such as Google Authenticator, Duo, FreeOTP, etc., making the tool flexible and widely compatible.
With a wizard-driven setup mechanism, WP 2FA makes the initialization process extremely easy for users with a non-technical background. If needed, an instant 2FA setup can be made compulsory for all users.
Even if setting up two-factor authentication feels like a time-consuming task, it’s a necessary step to take. The initial discomfort is worth the high level of security an extra protection layer offers to user accounts, especially at a time when 61% of users admit to reusing their passwords, and 47% fall prey to simple phishing scams.