What it takes to prove you are you, beyond just a password.
What Is Authentication
Authentication is proving who you say you are. There are three factors a system can ask for:
| Factor | What It Is | Example |
|---|---|---|
| Something you know | Knowledge | Password, PIN, security question |
| Something you have | Possession | Phone, security key, smart card |
| Something you are | Biometric | Fingerprint, face, iris |
Two-factor authentication (2FA) requires two different factors from that list; a password plus a PIN is still one factor (knowledge) and does not count. Multi-factor authentication (MFA) requires two or more. In practice the terms are used interchangeably.
Why Passwords Alone Aren't Enough
| Problem | How 2FA Helps |
|---|---|
| Password stolen in breach | Attacker still needs second factor |
| Password guessed | Second factor blocks access |
| Phishing captures password | Attacker still needs the second factor. A live phishing page can relay a TOTP or SMS code too, so only hardware keys and passkeys are fully phishing resistant |
| Keylogger records password | A hardware key's secret is never typed; a typed TOTP code works once and expires in seconds |
| Shoulder surfing | Second factor changes constantly |
2FA means a stolen password is no longer enough on its own. That alone is most of the point.
Types of Two-Factor Authentication
Ranking by Security
| Type | Security | Convenience | Recommendation |
|---|---|---|---|
| Hardware security key | Excellent | Moderate | Best choice for critical accounts |
| Authenticator app | Very good | Good | Great for most accounts |
| Push notification | Good | Excellent | Good balance |
| SMS/Text message | Fair | Excellent | Better than nothing |
| Email code | Poor | Good | Avoid if possible |
Hardware Security Keys
Small physical devices that plug into a USB port or tap on a phone over NFC. They use the FIDO2 / WebAuthn standards.
| Key | Price | Connection | Notes |
|---|---|---|---|
| YubiKey 5 NFC | $50 | USB-A + NFC | Most popular |
| YubiKey 5C | $55 | USB-C | For newer devices |
| Google Titan | $30-35 | USB + NFC/Bluetooth | Good value |
| Solo Keys | $25-40 | USB-A or USB-C | Open source |
Best practices for hardware keys:
| Do | Don't |
|---|---|
| Buy two keys (backup) | Rely on single key |
| Register both on all accounts | Lose track of which accounts use it |
| Store backup key securely | Keep both keys together |
| Start with most critical accounts | Try to do everything at once |
Authenticator Apps
Apps that generate time-based one-time passwords (TOTP):
| App | Platform | Cloud Backup | Notes |
|---|---|---|---|
| Google Authenticator | iOS, Android | Yes (Google account) | Simple, widely compatible |
| Microsoft Authenticator | iOS, Android | Yes (Microsoft account) | Good for Microsoft ecosystem |
| Authy | iOS, Android, Desktop | Yes (encrypted) | Best backup/sync options |
| 1Password | All platforms | Yes (with subscription) | Integrated with password manager |
| Aegis | Android | Manual export | Open source, local only |
Setting up an authenticator app:
- Account settings > Security > Enable 2FA.
- Choose "Authenticator app".
- Scan the QR code with your app.
- Enter the 6-digit code to verify.
- Save the backup codes in your password manager. Do this now, not later.
SMS and Phone-Based 2FA
| Type | How It Works | Vulnerability |
|---|---|---|
| SMS code | Text message with code | SIM swapping, interception |
| Voice call | Automated call reads code | SIM swapping, voicemail hacking |
| Push notification | Approve on phone | Push fatigue attacks |
SMS vulnerabilities:
| Attack | How It Works |
|---|---|
| SIM swapping | Attacker convinces carrier to transfer your number |
| SS7 attacks | Exploit phone network vulnerabilities |
| Voicemail hacking | Access codes left as voicemail |
| Interception | Government or sophisticated attackers |
SMS is still better than no 2FA at all. But use an authenticator app when the service offers one.
Account-Specific 2FA Setup
High Priority Accounts
| Account Type | Recommended 2FA | Why Critical |
|---|---|---|
| Primary email | Hardware key or authenticator | Gateway to all account recovery |
| Password manager | Authenticator app (keep its seed outside the vault it protects) | Protects all other passwords |
| Bank/Financial | Whatever they offer | Direct financial access |
| Cloud storage | Authenticator app | May contain sensitive files |
Setting Up 2FA on Major Services
| Service | Where to Find | Best Option Available |
|---|---|---|
| Google | Security > 2-Step Verification | Hardware key, Authenticator |
| Apple | Apple ID > Sign-In and Security | Trusted devices, Hardware key |
| Microsoft | Security > Two-step verification | Microsoft Authenticator |
| Facebook | Security and Login > Two-Factor | Authenticator app |
| Amazon | Login & Security > Two-Step | Authenticator app |
| Twitter/X | Security > Two-factor | Authenticator (not SMS for free) |
Backup Codes
When you enable 2FA, most services hand you a list of backup codes. These are one-time passwords for the day your phone falls in a lake.
Managing Backup Codes
| Do | Don't |
|---|---|
| Save in password manager | Screenshot on phone |
| Print and store securely | Email to yourself |
| Note which ones you've used | Forget they exist |
| Generate new ones periodically | Share with others |
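The "one-time" and "generate new ones" rules above follow from how a service has to store these codes. The block below is an added example, not code from the page or any particular service: it issues a set of backup codes, keeps only salted slow hashes, redeems each exactly once, and invalidates the whole old set when a new one is issued. The code format (two groups of five lowercase letters and digits), the PBKDF2 parameters and the in-memory store are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import string

# 36 symbols; 10 of them is roughly 51.7 bits, plenty once the login endpoint is rate limited.
ALPHABET = string.ascii_lowercase + string.digits


def generate_backup_codes(n: int = 10, groups: int = 2, group_len: int = 5) -> list:
    """n random one-time codes shaped like 'k7qm2-x9z4p', drawn from the OS CSPRNG."""
    return ["-".join("".join(secrets.choice(ALPHABET) for _ in range(group_len))
                     for _ in range(groups))
            for _ in range(n)]


def normalize(code: str) -> str:
    """Users retype these from paper: tolerate case, spaces and missing dashes."""
    return code.lower().replace("-", "").replace(" ", "")


def hash_code(code: str, salt: bytes) -> bytes:
    # Deliberately slow hash: a leaked user table should not yield usable codes.
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, 100_000)


class BackupCodeStore:
    """What the service keeps for one user: a salt and hashed codes, each redeemable once.
    The plaintext is shown at issue time and never stored."""

    def __init__(self):
        self.salt = b""
        self.entries = []  # [hash, used]

    def issue(self, n: int = 10) -> list:
        """Issue a fresh set. The old set is replaced entirely, so old codes stop working."""
        codes = generate_backup_codes(n)
        self.salt = secrets.token_bytes(16)
        self.entries = [[hash_code(c, self.salt), False] for c in codes]
        return codes

    def redeem(self, submitted: str) -> bool:
        """True exactly once per code. Every stored hash is compared (no early exit) so response
        timing does not reveal which slot matched."""
        h = hash_code(submitted, self.salt)
        hit = None
        for i, (stored, _used) in enumerate(self.entries):
            if hmac.compare_digest(stored, h):
                hit = i
        if hit is None or self.entries[hit][1]:
            return False
        self.entries[hit][1] = True
        return True

    def remaining(self) -> int:
        return sum(1 for _, used in self.entries if not used)


if __name__ == "__main__":
    store = BackupCodeStore()
    codes = store.issue()
    print("\n".join(codes))  # the only moment the service can display them
    print(store.redeem(codes[0]), store.redeem(codes[0]), store.remaining())  # True False 9
```

This is why "note which ones you've used" matters on your side: the service cannot tell you a code's value after issue, only whether it is still unspent. And because a new set replaces the old one, regenerating is the right response to a lost printout, not a second copy.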
What If You Lose Access to 2FA
| Situation | Solution |
|---|---|
| Lost phone with authenticator | Use backup codes |
| Backup codes also lost | Contact account support |
| Hardware key lost | Use backup key or backup codes |
| All methods lost | Account recovery (difficult) |
Always have at least two recovery paths configured before you need them.
Passkeys
Passkeys are a newer standard built on FIDO2 / WebAuthn that replaces passwords entirely. The big platforms (Apple, Google, Microsoft) all support them and sync across devices:
| Feature | How It Works |
|---|---|
| Biometric unlock | Face or fingerprint on your device |
| Device-based | A private key lives on your device (or in your platform's synced keychain); the site holds only the public key |
| Phishing resistant | The credential is bound to the site's origin, so a lookalike domain gets no valid signature |
| No password to remember | Your device handles authentication |
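"Bound to the site's origin" is a concrete check, not a slogan, and it is the same mechanism hardware keys use. The block below is an added example, not code from the page or from any WebAuthn library: it performs the relying-party checks on an authentication assertion up to the signature step (ceremony type, challenge, origin, rpIdHash, user-presence flag, signature counter) and returns the bytes the authenticator signed, which a real server then verifies against the stored public key with a crypto library (that final step is assumed, not shown). The `make_*` helpers build stand-ins for what the browser and authenticator would normally produce; the domains `example.com` and the lookalike `examp1e.com` and the challenge value are constructed for this example.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed stand-in for the clientDataJSON the *browser* builds. Page JavaScript cannot
    choose 'origin'; the browser fills it in from the real URL bar, which is the whole point."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def make_authenticator_data(rp_id: str, sign_count: int, flags: int = 0x05) -> bytes:
    """Constructed stand-in for authenticatorData: SHA-256(rpId) || flags || 32-bit counter."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def check_assertion(client_data_json: bytes, authenticator_data: bytes, expected_challenge: bytes,
                    expected_origin: str, rp_id: str, last_sign_count: int) -> bytes:
    """Relying-party checks on an assertion, up to (not including) the signature. Returns the
    signed bytes, authenticatorData || SHA-256(clientDataJSON), for the signature check."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        raise ValueError("wrong ceremony type")
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        raise ValueError("challenge mismatch: stale or replayed assertion")
    if cd.get("origin") != expected_origin:
        # The phishing-resistance check: a lookalike site produces a different origin.
        raise ValueError(f"origin mismatch: {cd.get('origin')!r}")
    if len(authenticator_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = authenticator_data[:32]
    flags = authenticator_data[32]
    sign_count = int.from_bytes(authenticator_data[33:37], "big")
    if not hmac.compare_digest(rp_id_hash, hashlib.sha256(rp_id.encode()).digest()):
        raise ValueError("rpIdHash mismatch: credential belongs to a different relying party")
    if not flags & 0x01:
        raise ValueError("user presence (UP) flag not set")
    # Synced passkeys often report 0; a nonzero counter must move forward or the key may be cloned.
    if sign_count != 0 and sign_count <= last_sign_count:
        raise ValueError("signature counter did not increase")
    return authenticator_data + hashlib.sha256(client_data_json).digest()


def assertion_is_valid(*args, **kwargs) -> bool:
    try:
        check_assertion(*args, **kwargs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    challenge = bytes(range(32))  # issued by the server and remembered per login attempt
    auth_data = make_authenticator_data("example.com", sign_count=8)
    genuine = make_client_data("https://example.com", challenge)
    phished = make_client_data("https://examp1e.com", challenge)  # lookalike the victim was lured to
    print(assertion_is_valid(genuine, auth_data, challenge, "https://example.com", "example.com", 7))  # True
    print(assertion_is_valid(phished, auth_data, challenge, "https://example.com", "example.com", 7))  # False
```

Compare this with a TOTP code: the code is six digits that say nothing about where they were typed, so a relay proxy can forward them. A passkey assertion carries the origin the browser saw and the rpId the credential was created for, both under the signature, and the server refuses anything that does not name its own site.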
Current Passkey Support
| Service | Passkey Support |
|---|---|
| Google | Full support |
| Apple | Full support |
| Microsoft | Full support |
| Amazon | Partial support |
| Many banks | Coming soon |
Should You Use Passkeys
| Situation | Recommendation |
|---|---|
| Tech-savvy, single ecosystem | Yes, start using passkeys |
| Multiple devices, different ecosystems | Wait for better cross-platform |
| Shared accounts | Not yet suitable |
| Confused by the concept | Stick with password + 2FA |
Common Authentication Mistakes
| Mistake | Why It's Dangerous | Better Practice |
|---|---|---|
| Same 2FA method everywhere | Single point of failure | Vary methods, have backups |
| Not saving backup codes | Locked out if 2FA fails | Store in password manager |
| Only SMS-based 2FA | Vulnerable to SIM swap | Use authenticator app |
| Approving unknown push notifications | Attacker gains access | Verify before approving |
| Sharing 2FA codes with "support" | Phishing for full access | Never share codes |
Push Notification Fatigue Attacks
The attacker has your password. They log in, again, and again, and again. Each attempt fires a push notification at your phone. Eventually you tap "approve" by reflex or by accident. The 2022 Uber breach started exactly like this.
| Attack Step | What Happens |
|---|---|
| Attacker has your password | From breach or phishing |
| Repeated login attempts | You get many notifications |
| Exhaustion or accident | You approve one |
| Account compromised | Attacker is now logged in |
Defense:
| Do | Don't |
|---|---|
| Read each notification carefully | Approve reflexively |
| Check time and location | Approve if you're not logging in |
| Report suspicious activity | Ignore repeated prompts |
| Switch to number-matching push, TOTP, or a hardware key where offered | Keep plain approve/deny push on accounts that matter |
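The attack table above is also a detection signature: a burst of push prompts for one user, then an approval. The block below is an added example, not code from the page or from any identity provider: it runs a sliding-window check over a constructed authentication log (the line format, user names, timestamps and IP addresses are all invented for this example, not any vendor's export) and raises one alert when a user hits the prompt threshold and a second, more serious one if an approval follows inside the same window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in a hypothetical IdP format; alice is under attack, bob logs in normally.
SAMPLE_LOG = """\
2024-05-03T02:14:07Z user=alice event=push_sent ip=198.51.100.23
2024-05-03T02:14:40Z user=alice event=push_denied ip=198.51.100.23
2024-05-03T02:16:12Z user=alice event=push_sent ip=198.51.100.23
2024-05-03T02:17:55Z user=bob event=push_sent ip=203.0.113.8
2024-05-03T02:18:03Z user=bob event=push_approved ip=203.0.113.8
2024-05-03T02:19:30Z user=alice event=push_sent ip=198.51.100.23
2024-05-03T02:22:48Z user=alice event=push_sent ip=198.51.100.23
2024-05-03T02:26:01Z user=alice event=push_sent ip=198.51.100.23
2024-05-03T02:28:19Z user=alice event=push_sent ip=198.51.100.23
2024-05-03T02:31:02Z user=alice event=push_approved ip=198.51.100.23
""".splitlines()

LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) ip=(?P<ip>\S+)")


def parse(line: str):
    """One log line -> dict, or None for lines that do not match the expected shape."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_push_fatigue(lines, window=timedelta(minutes=15), threshold=5):
    """Alert when a user receives `threshold` push prompts inside `window`; escalate if a
    prompt is then approved while the burst is still inside the window. Returns
    (user, alert_type, timestamp, ip) tuples in log order."""
    prompts = defaultdict(deque)  # user -> timestamps of push_sent still inside the window
    alerts = []
    for rec in map(parse, lines):
        if rec is None:
            continue
        q = prompts[rec["user"]]
        while q and rec["ts"] - q[0] > window:  # slide the window forward
            q.popleft()
        if rec["event"] == "push_sent":
            q.append(rec["ts"])
            if len(q) == threshold:
                alerts.append((rec["user"], "push_fatigue_attempt", rec["ts"], rec["ip"]))
        elif rec["event"] == "push_approved" and len(q) >= threshold:
            # The worst case from the table: the user gave in. Treat as probable compromise.
            alerts.append((rec["user"], "approval_after_prompt_storm", rec["ts"], rec["ip"]))
    return alerts


if __name__ == "__main__":
    for user, kind, ts, ip in detect_push_fatigue(SAMPLE_LOG):
        print(f"{ts:%H:%M:%S} {user:6} {kind:28} from {ip}")
```

On the defender's side the first alert is the one to act on: locking the session and resetting the password at "push_fatigue_attempt" means the second alert never fires. The threshold and window are tuning knobs; a legitimate user rarely needs more than two or three prompts in fifteen minutes.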
Account Recovery Planning
Recovery Method Comparison
| Method | Security | Convenience | Recommended |
|---|---|---|---|
| Backup security key | Excellent | Moderate | Yes, for important accounts |
| Backup codes in vault | Very good | Good | Yes, always save these |
| Recovery email (secured) | Good | Good | Yes, but secure that email too |
| Recovery phone | Fair | Excellent | SIM swap risk |
| Security questions | Poor | Good | Use random answers |
Creating a Recovery Plan
- Primary: password plus authenticator app.
- First backup: backup codes in the password manager.
- Second backup: a second security key, stored separately.
- Emergency recovery: a recovery email, also protected with 2FA.
Biometric Authentication
Types and Security
| Biometric | Security | Convenience | Spoofing Risk |
|---|---|---|---|
| Fingerprint | Good | Excellent | Moderate |
| Face recognition | Good to excellent | Excellent | Varies by implementation |
| Iris scan | Excellent | Moderate | Low |
| Voice | Fair | Good | Higher with AI |
When to Use Biometrics
| Appropriate | Be Cautious |
|---|---|
| Device unlock | Sole authentication method |
| Confirming purchases | High-security requirements |
| Password manager access | Crossing borders |
| Convenience layer | When coercion is possible |
Biometrics can be compelled. Someone can hold a phone to your face or press your finger on a sensor. PINs and passwords require active cooperation. US courts have given that distinction real legal weight, treating a memorized passcode as protected testimony more readily than a face or fingerprint, though rulings are not uniform.
Enterprise vs. Personal Authentication
If you work for an organization:
| Personal Accounts | Work Accounts |
|---|---|
| You control 2FA setup | Company policy dictates |
| Use personal authenticator | May require specific app |
| Hardware keys are yours | Company may provide keys |
| Backup codes are yours | Follow company procedures |
Keep work and personal separate:
| Do | Don't |
|---|---|
| Separate authenticator for work | Mix personal and work 2FA |
| Follow company security policies | Use personal key for work |
| Report work account issues to IT | Try to fix work accounts yourself |
Key Takeaways
- Enable 2FA wherever it's offered. It's the single most effective step you can take.
- Hardware keys win, then authenticator apps, then SMS. In that order.
- SMS is better than nothing. Use it where it's the only option.
- Save the backup codes. In the password manager, before you need them.
- Buy two hardware keys. Register both. Store the backup somewhere else.
- Protect your primary email first. It's the recovery path for everything else.
- Push fatigue is real. Never approve a prompt you didn't trigger.
- Plan for recovery. Multiple paths for the accounts that matter.
- Passkeys are arriving. Start using them where they're stable.
- Biometrics are a convenience. Use them on top of a PIN or password, never instead of one.
Next Steps
Continue to 04-phishing.md for the attack 2FA was designed to defeat: the lookalike login page, the urgent text, the fake CEO email.