Second Factor Options – Google Auth, Yubi Keys, Security Questions…
Second Factor in MFA: YubiKeys vs Security Questions vs SMS Texts vs TOTP Apps
1) YubiKeys (Hardware Security Keys — FIDO2/U2F)
- Strongest protection: public-key crypto; resistant to phishing, SIM-swaps, and replay.
- Hardware bound: requires physical possession; ideal for admins/high-value accounts.
- Fast & reliable: tap/insert; no codes; works offline once registered.
- Broad support: major IdPs (Google, Microsoft, Okta), browsers, and OSes.
- Cost: typically $40–$70 per key; teams need spares.
- Loss/rotation: must plan backup keys and recovery flow.
- Setup/compatibility: legacy apps may lack FIDO support; onboarding non-technical users may need guidance.
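The phishing resistance claimed above comes from the assertion being bound to the origin the browser actually saw and to a fresh server challenge. The following Go program is an added illustration, not code from the page or from any FIDO library: it compresses the WebAuthn signing input (authenticatorData || SHA-256(clientDataJSON)) into SHA-256(origin) || challenge, and the origins "https://login.example.com" and "https://login.examp1e.com", the Authenticator/RelyingParty types and the Scenario function are all constructed for the example. It shows a legitimate login verifying, the same assertion failing on replay, and an assertion produced on a look-alike origin failing at the real service even though the key and challenge are genuine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Authenticator models the security key: the private key never leaves it,
// and it signs what the browser hands it with the observed origin included.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

func (a *Authenticator) Public() *ecdsa.PublicKey { return &a.priv.PublicKey }

// signedDigest is a simplified stand-in (assumption of this example) for
// WebAuthn's authenticatorData || SHA-256(clientDataJSON): origin hash and
// challenge are both covered by the signature.
func signedDigest(origin string, challenge []byte) []byte {
	originHash := sha256.Sum256([]byte(origin))
	h := sha256.New()
	h.Write(originHash[:])
	h.Write(challenge)
	return h.Sum(nil)
}

// Assert is the browser-mediated call: the page cannot choose origin, the
// browser fills in the origin of the page that made the request.
func (a *Authenticator) Assert(origin string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(origin, challenge))
}

// RelyingParty is the service: it issues fresh challenges, tracks which are
// outstanding, and verifies assertions against its own origin only.
type RelyingParty struct {
	origin  string
	pub     *ecdsa.PublicKey
	pending map[string]bool
}

func NewRelyingParty(origin string, pub *ecdsa.PublicKey) *RelyingParty {
	return &RelyingParty{origin: origin, pub: pub, pending: map[string]bool{}}
}

func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	rp.pending[hex.EncodeToString(ch)] = true
	return ch, nil
}

// Verify consumes the challenge (a replayed assertion fails) and checks the
// signature over the RP's own origin (a cross-origin assertion fails).
func (rp *RelyingParty) Verify(challenge, sig []byte) bool {
	key := hex.EncodeToString(challenge)
	if !rp.pending[key] {
		return false
	}
	delete(rp.pending, key)
	return ecdsa.VerifyASN1(rp.pub, signedDigest(rp.origin, challenge), sig)
}

// Scenario returns (legitimate login accepted, replay accepted, look-alike
// origin relay accepted). Both origins below are constructed for the example.
func Scenario() (legit, replay, relay bool, err error) {
	const realOrigin = "https://login.example.com"
	const lookalike = "https://login.examp1e.com"
	auth, err := NewAuthenticator()
	if err != nil {
		return false, false, false, err
	}
	rp := NewRelyingParty(realOrigin, auth.Public())

	ch, err := rp.NewChallenge()
	if err != nil {
		return false, false, false, err
	}
	sig, err := auth.Assert(realOrigin, ch)
	if err != nil {
		return false, false, false, err
	}
	legit = rp.Verify(ch, sig)  // genuine login on the real origin
	replay = rp.Verify(ch, sig) // same assertion presented again

	ch2, err := rp.NewChallenge()
	if err != nil {
		return false, false, false, err
	}
	sig2, err := auth.Assert(lookalike, ch2) // user's browser is on the look-alike page
	if err != nil {
		return false, false, false, err
	}
	relay = rp.Verify(ch2, sig2) // assertion forwarded to the real service
	return legit, replay, relay, nil
}

func main() {
	legit, replay, relay, err := Scenario()
	fmt.Println("legit:", legit, "replay:", replay, "relay:", relay, "err:", err)
}
```

The two rejections come from different checks: the replay fails because the challenge was consumed on first use, and the relay fails because the signature covers the look-alike origin rather than the real one; the TOTP and SMS rows of the table have no equivalent of the second check, which is why a relayed code still works there.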
2) Security Questions
- Simple: no hardware/app required; familiar to end users.
- Offline fallback: can be used for account recovery where nothing else is available.
- Weak assurance: answers are guessable, researchable, or reused; easy to phish.
- Static “secrets”: once exposed, they pose ongoing risk; often poorly stored/validated.
- Deprecated pattern: increasingly discouraged by modern identity standards.
3) SMS Text Messages (One-Time Codes)
- Ubiquitous: works on any phone; near-universal service support.
- Low friction: easy onboarding; no extra apps or hardware.
- Susceptible to takeovers: SIM-swaps, number-port-out fraud, SS7 flaws, insider abuse.
- Coverage dependent: no signal ⇒ no code; delivery can be delayed.
- Phishable: users can be tricked into reading codes to attackers or entering them on fake sites.
4) TOTP App Codes (e.g., Google Authenticator, Authy, Microsoft Authenticator)
Time-based One-Time Password (RFC 6238)
- Stronger than SMS: offline after setup; not tied to phone number or carrier.
- Widely supported & free: works with most services; multiple accounts per app.
- Reasonable usability: 6-digit code every ~30s; no special hardware to buy.
- Still phishable: attacker-in-the-middle can relay codes in real time.
- Seed/backup risk: losing device without backups/export of secrets can lock users out; seed theft compromises factor.
- Device management: multi-device sync varies by app; requires secure backup practices.
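To make the RFC 6238 mechanics and the "still phishable" caveat concrete, here is an added Go implementation, not taken from the page or from any authenticator app: HOTP (RFC 4226) under a 30-second time step, checked against the published RFC 6238 SHA-1 test vectors for the seed "12345678901234567890", plus a server-side Verifier (a construction of this example) that accepts a ±1 step clock skew and refuses to accept a step it has already consumed. The last point matters for the relay attack described above: once a code has been used, reusing it must fail, even though a code relayed within its window is still accepted.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// hotp implements RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter,
// dynamic truncation on the low nibble of the last byte, then modulo 10^digits.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, bin%mod)
}

// totpCounter maps a point in time to the RFC 6238 step T = floor(unix / step).
func totpCounter(t time.Time, step time.Duration) uint64 {
	return uint64(t.Unix()) / uint64(step/time.Second)
}

// TOTP is the code the authenticator app displays for the given instant.
func TOTP(secret []byte, t time.Time, step time.Duration, digits int) string {
	return hotp(secret, totpCounter(t, step), digits)
}

// Verifier is the server side. It accepts a code within ±skew steps of its
// own clock and never re-accepts a step at or below the last one consumed,
// so a code that was already used (intercepted or not) is rejected.
type Verifier struct {
	secret   []byte
	step     time.Duration
	digits   int
	skew     uint64
	lastStep uint64 // highest step already consumed
	used     bool   // whether any step has been consumed yet
}

func NewVerifier(secret []byte, digits int, skew uint64) *Verifier {
	return &Verifier{secret: secret, step: 30 * time.Second, digits: digits, skew: skew}
}

func (v *Verifier) Check(code string, now time.Time) bool {
	center := totpCounter(now, v.step)
	lo := uint64(0)
	if center > v.skew {
		lo = center - v.skew
	}
	for c := lo; c <= center+v.skew; c++ {
		if v.used && c <= v.lastStep {
			continue // step already consumed: treat as replay
		}
		// constant-time comparison so the check leaks nothing about the code
		if hmac.Equal([]byte(hotp(v.secret, c, v.digits)), []byte(code)) {
			v.lastStep, v.used = c, true
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 Appendix B test seed
	fmt.Println(TOTP(secret, time.Unix(59, 0), 30*time.Second, 8))         // 94287082
	fmt.Println(TOTP(secret, time.Unix(1111111109, 0), 30*time.Second, 8)) // 07081804

	v := NewVerifier(secret, 6, 1)
	code := TOTP(secret, time.Unix(59, 0), 30*time.Second, 6)
	fmt.Println(v.Check(code, time.Unix(85, 0)))  // true: one step of skew
	fmt.Println(v.Check(code, time.Unix(85, 0)))  // false: already consumed
	fmt.Println(v.Check(code, time.Unix(150, 0))) // false: outside the window
}
```

The seed in the Verifier is the same shared secret the app holds, which is the "seed theft compromises factor" point above: anyone holding it can compute every future code, so backup and export of seeds should be protected at least as carefully as a password store.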
Summary Comparison
| Factor Type | Security Strength | Phishing Resistance | Cost | Ease of Use | Reliability | Best Fit |
|---|---|---|---|---|---|---|
| YubiKey (Hardware) | ★★★★★ (Highest) | High (origin-bound, challenge-response) | $$ (hardware purchase) | Medium (simple once issued) | Very High (no network needed) | Admins, executives, developers, finance, privileged access |
| TOTP App Codes | ★★★★ | Medium-Low (codes can be phished) | $ (free apps) | Medium (manual code entry) | High (offline; time-sync required) | General workforce; good balance of security & cost |
| SMS Codes | ★★ | Low (SIM-swap/relay risk) | $ | Easy | Medium (coverage & delivery issues) | Low-risk users; temporary fallback only |
| Security Questions | ★ (Lowest) | Very Low | $ | Easy | Low | Legacy recovery scenarios (avoid for MFA) |
Practical Recommendations
- Primary for high-value access: YubiKeys (with at least one backup key and a documented recovery process).
- Default for most users: TOTP app codes (enable secure backup/export of seeds or use enterprise-managed authenticators).
- Fallback only: SMS (use for emergency recovery; monitor for SIM-swap attempts; restrict for admins).
- Avoid as MFA: Security questions (if used at all, limit to secondary recovery with strong KBA controls).