Going beyond passwords to prove you are who you claim to be.
What Is Authentication
Authentication is proving your identity. There are three factors:
| Factor | What It Is | Example |
|---|---|---|
| Something you know | Knowledge | Password, PIN, security question |
| Something you have | Possession | Phone, security key, smart card |
| Something you are | Biometric | Fingerprint, face, iris |
Two-factor authentication (2FA) requires two different factors; multi-factor authentication (MFA) is the general term for two or more. Two passwords are still only one factor (something you know).
Why Passwords Alone Aren't Enough
| Problem | How 2FA Helps |
|---|---|
| Password stolen in breach | Attacker still needs second factor |
| Password guessed | Second factor blocks access |
| Phishing captures password | Without second factor, login fails |
| Keylogger records password | Can't capture hardware token |
| Shoulder surfing | Second factor changes constantly |
Key insight: 2FA means stealing your password isn't enough.
Types of Two-Factor Authentication
Ranking by Security
| Type | Security | Convenience | Recommendation |
|---|---|---|---|
| Hardware security key | Excellent | Moderate | Best choice for critical accounts |
| Authenticator app | Very good | Good | Great for most accounts |
| Push notification | Good | Excellent | Good balance |
| SMS/Text message | Fair | Excellent | Better than nothing |
| Email code | Poor | Good | Avoid if possible |
Hardware Security Keys
Physical devices that plug into your computer over USB or are tapped against your phone over NFC.
| Key | Price | Connection | Notes |
|---|---|---|---|
| YubiKey 5 NFC | $50 | USB-A + NFC | Most popular |
| YubiKey 5C | $55 | USB-C | For newer devices |
| Google Titan | $30-35 | USB + NFC/Bluetooth | Good value |
| Solo Keys | $25-40 | USB-A or USB-C | Open source |
Best practices for hardware keys:
| Do | Don't |
|---|---|
| Buy two keys (backup) | Rely on single key |
| Register both on all accounts | Lose track of which accounts use it |
| Store backup key securely | Keep both keys together |
| Start with most critical accounts | Try to do everything at once |
Authenticator Apps
Apps that generate time-based one-time passwords (TOTP):
| App | Platform | Cloud Backup | Notes |
|---|---|---|---|
| Google Authenticator | iOS, Android | Yes (Google account) | Simple, widely compatible |
| Microsoft Authenticator | iOS, Android | Yes (Microsoft account) | Good for Microsoft ecosystem |
| Authy | iOS, Android, Desktop | Yes (encrypted) | Best backup/sync options |
| 1Password | All platforms | Yes (with subscription) | Integrated with password manager |
| Aegis | Android | Manual export | Open source, local only |
Setting up authenticator apps:
- Account settings > Security > Enable 2FA
- Select "Authenticator app" option
- Scan QR code with your app
- Enter the 6-digit code to verify
- Save backup codes in password manager
SMS and Phone-Based 2FA
| Type | How It Works | Vulnerability |
|---|---|---|
| SMS code | Text message with code | SIM swapping, interception |
| Voice call | Automated call reads code | SIM swapping, voicemail hacking |
| Push notification | Approve on phone | Push fatigue attacks |
SMS vulnerabilities:
| Attack | How It Works |
|---|---|
| SIM swapping | Attacker convinces carrier to transfer your number |
| SS7 attacks | Exploit phone network vulnerabilities |
| Voicemail hacking | Access codes left as voicemail |
| Interception | Government-level or otherwise well-resourced attackers capture the message in transit |
SMS is still better than no 2FA, but use authenticator apps when available.
Account-Specific 2FA Setup
High Priority Accounts
| Account Type | Recommended 2FA | Why Critical |
|---|---|---|
| Primary email | Hardware key or authenticator | Gateway to all account recovery |
| Password manager | Authenticator app | Protects all other passwords |
| Bank/Financial | Whatever they offer | Direct financial access |
| Cloud storage | Authenticator app | May contain sensitive files |
Setting Up 2FA on Major Services
| Service | Where to Find | Best Option Available |
|---|---|---|
| Google | Security > 2-Step Verification | Hardware key, Authenticator |
| Apple | Apple ID > Sign-In and Security | Trusted devices, Hardware key |
| Microsoft | Security > Two-step verification | Microsoft Authenticator |
| Facebook | Security and Login > Two-Factor | Authenticator app |
| Amazon | Login & Security > Two-Step | Authenticator app |
| Twitter/X | Security > Two-factor | Authenticator app (SMS 2FA is not offered on free accounts) |
Backup Codes
When you enable 2FA, most services provide backup codes. These are one-time passwords for when you can't use your normal 2FA method.
Managing Backup Codes
| Do | Don't |
|---|---|
| Save in password manager | Screenshot on phone |
| Print and store securely | Email to yourself |
| Note which ones you've used | Forget they exist |
| Generate new ones periodically | Share with others |
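Why "note which ones you've used" matters, shown from the service's side as an added example (not code from any real service or from the original guide): each backup code is accepted exactly once, only a salted hash is stored, and lookup is constant-time. The code format and alphabet are assumptions.

```python
import hashlib
import hmac
import secrets

def generate_backup_codes(count: int = 10, length: int = 10) -> list:
    """Random one-time codes, shown to the user once. The alphabet drops
    look-alike characters (0/o, 1/l/i) so printed copies are typed back correctly."""
    alphabet = "abcdefghjkmnpqrstuvwxyz23456789"
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(alphabet) for _ in range(length))
        codes.append(f"{raw[:5]}-{raw[5:]}")   # assumed display format: xxxxx-xxxxx
    return codes

def _normalize(code: str) -> str:
    # Tolerate the dash, spaces and capitalisation a user may add when typing a printed code.
    return code.replace("-", "").replace(" ", "").lower()

def _digest(code: str, salt: bytes) -> bytes:
    # Slow hash: a leaked database row should not be convertible back into a usable code.
    return hashlib.pbkdf2_hmac("sha256", _normalize(code).encode(), salt, 50_000)

class BackupCodeStore:
    """Server-side record for one account: salted hashes only, each redeemable once."""
    def __init__(self, codes):
        self.salt = secrets.token_bytes(16)
        self.unused = {_digest(c, self.salt) for c in codes}

    def redeem(self, code: str) -> bool:
        candidate = _digest(code, self.salt)
        for stored in list(self.unused):
            if hmac.compare_digest(stored, candidate):
                self.unused.remove(stored)     # burned: a second use is refused
                return True
        return False

    def remaining(self) -> int:
        return len(self.unused)

if __name__ == "__main__":
    codes = generate_backup_codes()
    store = BackupCodeStore(codes)
    print("show these once:", codes)
    print("first use:", store.redeem(codes[0]), "second use:", store.redeem(codes[0]))
```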
What If You Lose Access to 2FA
| Situation | Solution |
|---|---|
| Lost phone with authenticator | Use backup codes |
| Backup codes also lost | Contact account support |
| Hardware key lost | Use backup key or backup codes |
| All methods lost | Account recovery (difficult) |
Prevention: Always have multiple recovery methods set up.
Passkeys: The Future of Authentication
Passkeys are a newer technology designed to replace passwords entirely:
| Feature | How It Works |
|---|---|
| Biometric unlock | Face or fingerprint on your device |
| Device-based | Private key stored on your device |
| Phishing resistant | The credential is tied to the genuine site, so a look-alike site can't use it |
| No password to remember | Your device handles authentication |
Current Passkey Support
| Service | Passkey Support |
|---|---|
| Google | Full support |
| Apple | Full support |
| Microsoft | Full support |
| Amazon | Partial support |
| Many banks | Coming soon |
Should You Use Passkeys
| Situation | Recommendation |
|---|---|
| Tech-savvy, single ecosystem | Yes, start using passkeys |
| Multiple devices, different ecosystems | Wait for better cross-platform |
| Shared accounts | Not yet suitable |
| Confused by the concept | Stick with password + 2FA |
Common Authentication Mistakes
| Mistake | Why It's Dangerous | Better Practice |
|---|---|---|
| Same 2FA method everywhere | Single point of failure | Vary methods, have backups |
| Not saving backup codes | Locked out if 2FA fails | Store in password manager |
| Only SMS-based 2FA | Vulnerable to SIM swap | Use authenticator app |
| Approving unknown push notifications | Attacker gains access | Verify before approving |
| Sharing 2FA codes with "support" | Phishing for full access | Never share codes |
Push Notification Fatigue Attacks
Attackers bombard you with authentication prompts hoping you'll approve one:
| Attack Step | What Happens |
|---|---|
| Attacker has your password | From breach or phishing |
| Repeated login attempts | You get many notifications |
| Exhaustion or accident | You approve one |
| Account compromised | Attacker is now logged in |
Defense:
| Do | Don't |
|---|---|
| Read each notification carefully | Approve reflexively |
| Check time and location | Approve if you're not logging in |
| Report suspicious activity | Ignore repeated prompts |
| Consider switching to TOTP if push fatigue is a risk | Assume a burst of prompts is just a glitch |
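The attack sequence above as a service or IT team would see it in its MFA logs, as an added example that is not from the original guide: a burst of push prompts to one user inside a short window, followed by an approval. The log format and the sample lines are constructed for the example; the threshold and window are assumptions to tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA log (not from any real product): timestamp, user, event, source IP.
# alice: five prompts in under three minutes, then one approval. bob: one normal login.
SAMPLE_LOG = """\
2024-05-01T02:14:05Z alice push_sent 203.0.113.7
2024-05-01T02:14:20Z alice push_denied 203.0.113.7
2024-05-01T02:14:40Z alice push_sent 203.0.113.7
2024-05-01T02:15:12Z alice push_sent 203.0.113.7
2024-05-01T02:15:50Z alice push_sent 203.0.113.7
2024-05-01T02:16:30Z alice push_sent 203.0.113.7
2024-05-01T02:16:45Z alice push_approved 203.0.113.7
2024-05-01T09:00:01Z bob push_sent 198.51.100.2
2024-05-01T09:00:20Z bob push_approved 198.51.100.2
"""

def parse(line: str):
    ts, user, event, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip

def detect_push_fatigue(log_text: str, threshold: int = 4, window=timedelta(minutes=10)) -> dict:
    """Flag users who received >= `threshold` push prompts within `window`.
    Severity is 'critical' if a prompt was approved during or shortly after the burst
    (the attack worked: reset the password and revoke sessions), 'warning' if every
    prompt was denied or expired (the attack is in progress: the password is known)."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, user, event, ip = parse(line)
        events[user].append((ts, event, ip))
    alerts = {}
    for user, evs in events.items():
        evs.sort()
        sent = [ts for ts, e, _ in evs if e == "push_sent"]
        for start in sent:
            burst = [t for t in sent if start <= t <= start + window]
            if len(burst) >= threshold:
                end = burst[-1]
                approved = any(e == "push_approved" and start <= t <= end + window
                               for t, e, _ in evs)
                alerts[user] = {"prompts": len(burst), "approved_after_burst": approved,
                                "severity": "critical" if approved else "warning"}
                break
    return alerts

if __name__ == "__main__":
    for user, alert in detect_push_fatigue(SAMPLE_LOG).items():
        print(user, alert)
```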
Account Recovery Planning
Recovery Method Comparison
| Method | Security | Convenience | Recommended |
|---|---|---|---|
| Backup security key | Excellent | Moderate | Yes, for important accounts |
| Backup codes in vault | Very good | Good | Yes, always save these |
| Recovery email (secured) | Good | Good | Yes, but secure that email too |
| Recovery phone | Fair | Excellent | SIM swap risk |
| Security questions | Poor | Good | Use random answers |
Creating a Recovery Plan
- Primary authentication: Password + authenticator app
- First backup: Backup codes in password manager
- Second backup: Secondary security key (for key-based auth)
- Emergency recovery: Recovery email (also secured with 2FA)
Biometric Authentication
Types and Security
| Biometric | Security | Convenience | Spoofing Risk |
|---|---|---|---|
| Fingerprint | Good | Excellent | Moderate |
| Face recognition | Good to excellent | Excellent | Varies by implementation |
| Iris scan | Excellent | Moderate | Low |
| Voice | Fair | Good | Higher now that AI voice cloning is widely available |
When to Use Biometrics
| Appropriate | Be Cautious |
|---|---|
| Device unlock | Sole authentication method |
| Confirming purchases | High-security requirements |
| Password manager access | Crossing borders |
| Convenience layer | When coercion is possible |
Important: Biometrics can be compelled (a finger can be forced onto a sensor); a PIN or password exists only in your head and must be disclosed.
Enterprise vs. Personal Authentication
If you work for an organization:
| Personal Accounts | Work Accounts |
|---|---|
| You control 2FA setup | Company policy dictates |
| Use personal authenticator | May require specific app |
| Hardware keys are yours | Company may provide keys |
| Backup codes are yours | Follow company procedures |
Keep work and personal separate:
| Do | Don't |
|---|---|
| Separate authenticator for work | Mix personal and work 2FA |
| Follow company security policies | Use personal key for work |
| Report work account issues to IT | Try to fix work accounts yourself |
Key Takeaways
- Enable 2FA everywhere possible - It's the single most effective security measure
- Hardware keys are best - Followed by authenticator apps, then SMS
- SMS is better than nothing - Use it if it's the only option
- Save backup codes - Store them securely in your password manager
- Buy two hardware keys - Register both, store backup securely
- Protect your primary email first - It's the key to everything else
- Beware push fatigue attacks - Never approve unexpected prompts
- Plan for recovery - Multiple backup methods for important accounts
- Passkeys are coming - Watch for adoption, start using when ready
- Biometrics are convenient, not infallible - Use as one factor, not the only factor