Everyone should be using multifactor authentication (MFA) to further secure their online accounts – especially accounts deemed crucial, such as email and bank accounts. Stronger forms of MFA, which involve using an authenticator app or a hardware key, provide an enhanced layer of protection from would be account takeovers.
In an ideal world, users would always use secure physical keys as a form of MFA when signing into devices, webapps, or web services – however, real-world limitations, such as support for hardware keys, do exist.
However, we have a decent compromise in the form of software-based authenticators, which primarily used time-based one-time codes (TOTP) to authenticate a sign-in attempt. Not all software authenticators are built the same and ideally, users would avoid Google Authenticator, Microsoft Authenticator, and Authy.
At minimum, users are highly encouraged to ditch Authy – and not just because of the Twilio breach compromising Authy codes. Rather, Authy does not allow exportation of existing codes/tokens. Therefore, the more accounts used with Authy, the harder it is/longer it takes to effectively migrate to another solution.
Please remember: migration from Authy is not impossible no matter how many accounts you have. It just requires some time!
Physical keys offer superior secure MFA capabilities.
Generally, physical security keys can use multiple forms of authentication; most commonly, physical keys support Hash/HMAC (based) One Time Password (HOTP) and TOTP for authentication. Physical keys also support U2F and the FIDO2 standard, which can prove resistant to phishing attacks.
Nitrokey is a physical security key based on open-source firmware and software. Firmware installed on the Nitrokey can be exported and subsequently verified. The device is secured with a PIN and is resistant to brute force attacks.
Outside of MFA, Nitrokey has a few uses for enhanced security relevant to privacy and cybersecurity conscious users:
- PGP key storage; sign and encrypt emails
- Encrypted mobile storage
- “Hidden” encrypted storage (just as it sounds)
The Nitrokey hardware functions independently of operating systems, providing resistance against theft, loss, malware, and phishing campaigns.
There are a few Nitrokey models available – each key comes with different features. Most users should find the Nitrokey FIDO2 satisfactory for most authentication applications. However, users are encouraged to view the Nitrokey comparison chart to make an informed decision about which model fits best for their use.
Note: The firmware for the Yubikey is closed-source software. Additionally, the firmware for Yubikeys cannot be updated.
Where possible, avoidthehack tries not to recommend closed-source solutions, but Yubikey has a stellar reputation for security. As of writing, it’s also the most popular physical key. Fortunately, Yubico’s clients are open source; the firmware is closed-source.
There are a few YubiKey models available. Different models include different features, similar to NitroKey models. Users are encouraged to review Yubico’s comparison chart to find the model that suits their needs best.
However, for most users, the SECURITY KEY SERIES and the YUBIKEY 5 SERIES should prove sufficient for most applications.
Like the Nitrokey, the Librem key is based on open-source firmware. Unlike the Nitrokey and Yubikey, the Librem Key offerings are vastly simpplified into one product model.
The Librem key boasts 20+ year of storage time and is the same size as the average thumb drive. For basics, this hardware key can store up to 4096-bit RSA keys and up to 512-bit ECC keys. Like the other recommended hardware keys here, encryption and decryption occurs on the Librem Key itself.
Librem key also features tamper detection, limited password manager storage (up to 16 entries), HOTP token, and TOTP token storage.
Software based authenticators primarily use Time-based One Time Passwords (TOTP) for authentication. They tend to be more convenient while still offering a relative high degree of secure authentication. Generally, they’re designed for mobile devices, such as smartphones.
2FAS is an open-source software authenticator. No account is required for use.
2FAS can automatically sync end-to-end encrypted backups of codes to the cloud (depends on the device, for example, Apple devices will automatically sync to iCloud).
2FAS is available for iOS and Android devices. Though there is no official web version (nor desktop apps), 2FAS has a browser extension for both Chromium and Gecko browsers; the browser extension syncs after pairing with the mobile device.
2FAS does not store passwords or associated metadata and works offline.
Ente Auth is an open-source software authenticator built by the same core developers behind ente.io. Unlike ente’s paid encrypted photo storage service, ente Auth is free.
Tokens/Secrets are end-to-end encrypted and stored using ente’s infrastructure. While ente uses third-party cloud providers as part of their infrastructure, data stored is encrypted without the cloud provider having access to the decryption keys.
Ente Auth is available for iOS and Android devices.
A web version is available for viewing secrets, which is accessible from any internet enabled device; this aspect could make ente Auth a more viable option for users who want more availability from a MFA/2FA authenticator app – especially if their mobile device is lost, stolen, or otherwise not available.
As of July 2023, Raivo OTP has been acquired by “Mobime.” It remains to be seen what will change, if anything.
Raivo OTP is a secure lightweight and open-source authenticator.
It allows for easy addition of codes, supporting scanning of QR codes and manually inputting. It supports adding custom icons for one time passwords and the ability to search one time passwords, making finding the appropriate code easier.
Raivo OTP can sync/backup tokens to iCloud or export tokens to encrypted ZIP archives.
Raivo OTP is only available for iOS and macOS.
Aegis Authenticator is a secure and open-source authenticator.
One-time passwords are stored in an encrypted vault, where users have the option to set a password or encrypt the vault with biometrics (if supported by the device.) For organization, Aegis Authenticator can set a custom icon for each entry or search by account name to locate the appropriate token; additionally, users can create custom groups for further organization and sorting.
Aegis Authenticator supports exporting codes and can be configured to automatically backup codes to a trusted cloud solution, such as Nextcloud.
Aegis Authenticator is only available for Android and is available on both the Google Play Store and F-Droid.
In addition to being a free, open-source, and feature-packed password manager, the premium version of Bitwarden – Bitwarden Premium – offers Bitwarden Authenticator alongside the traditional password manager.
The Bitwarden Authenticator is included in the password manager itself and can handle TOTP authentication just like other dedicated software-based authenticators. Bitwarden Authenticator paired with the Bitwarden password manager makes managing passwords and TOTP codes simple.
Of the software authenticators, Bitwarden has the most portability and device compatibility. It also supports exporting codes and searching for tokens inside the encrypted vault.
However, it’s certainly worth noting Bitwarden Authenticator integrated with the password manager (simplicity) comes with a slightly elevated risk due to passwords and TOTP codes being in one place. In the event a user’s vault is compromised, then this creates a bigger single point of failure – the passwords and the TOTP secrets also become compromised.
To alleviate this risk, users should ensure:
- The master password to their Bitwarden vault is strong and unique.
- This should ideally be a passphrase.
- If feasible, this password shouldn’t be written down anywhere else – at minimum, the master password shouldn’t be stored on the devices with Bitwarden installed.
- Bitwarden recovery codes are stored in a secure location.
- For self-hosting users:
- Ensure the machine hosting the Bitwarden instance is secured
Support strong authentication standards
Hardware keys listed here should support FIDO U2F and FIDO2.
Have open-source clients
Clients used to interact/manage hardware keys listed here should be open-source to promote transparency and leverage the global community to identify flaws/weaknesses. Ideally, the firmware of the key would also be open-source, but open-source firmware isn’t a strict requirement.
Be tamper resistant
Tamper-resistant keys provide enhanced protection from situations where the host machine is compromised and makes cloning the hardware key itself exceedingly harder than it currently is.
Hardware keys listed here should be well-made enough to stand up to normal wear and tear, where users can get reliable years out of them. Specifically, the USB part of the key should be capable of withstanding normal wear and tear associated with being plugged into and removed from devices.
Open-source solutions promote transparency.
No trackers embedded in software
Software authenticators listed here should have no tracking mechanisms/trackers embedded in software.
Allow exporting of codes
Software authenticators should allow easy exporting of TOTP codes/tokens. This helps ensure users are not trapped into a specific authenticator, as is the problem with closed-source authenticators like Authy.
Secure multifactor authentication helps stop malicious account takeovers; it is actually a recommended “basic” to improve any given user’s personal cybersecurity posture.
Users should keep their method of secure multifactor authentication secure. For physical keys, this could include storing the key in a safe place where it would not easily get lost. For software authenticators, this can include ensuring the device where the authenticators “live” is secure and resistant to compromise.
Remember – store backups encrypted and in a safe location! If the safe location is offline, then make sure the storage location is physically secured and a place you have primary access to.
With that said, stay safe out there!