Tech Solvency / MFA

MFA - Multi-factor Authentication

You should enable multiple authentication factors wherever feasible.

Methods, in roughly preferred order for security strength:

• Security keys
  • Work offline, and not subject to most phishing attacks
  • Phones as security keys
  • YubiKeys
• TOTP / HOTP
  • Works offline, but still vulnerable to phishing - and can be lost if phone is lost
  • OneLogin's description of TOTP vs HOTP
  • Apps to store TOTP codes:
    • Authy - allows backup across multiple devices
    • Google Authenticator
    • Microsoft Authenticator
    • Yubico Authenticator
  • YubiKeys also support a unique OTP that predates U2F/WebAuthn.
    • The YubiKey presents to the OS as a keyboard, and a long string of characters are sent directly to the system
    • Some older integrations only support this "YubiKey OTP"
• Email
  
  • Requires Internet access - and can also still be phished
  • Ideally, itself protected in turn by "harder" factors.
  • Providers known to support strong MFA include:
    • Gmail - including their Advanced Protection Program, strongly recommended
    • Hotmail/Outlook - only allowed as single factor :(
    • Apple / iCloud mail - requires Apple device as a second factor
    • Yahoo / AOL (same platform) - supports YubiKey/U2F, phone, backup email as second factors
    • Pobox.com
    • Fastmail (including strong support for security keys)
    • For a larger list, see dongleauth.info's email support list
• SMS
  • Can work without Internet access but requires phone connectivity - and still vulnerable to phishing
  • Still better than no second factor at all
  • Depending on your threat model, disclosing phone numbers to companies is itself a security/correlation/metadata risk (unless the service already knows your phone number)

References

• twofactorauth.org - lists which major sites support which kinds of MFA
  See also its fork dongleauth.info, which gets more specific about support for hardware security keys.
• What to consider before enabling MFA (Stuart Schechter)
• NCSC MFA guide
• Microsoft ADFS auth methods (includes list of third-party authentication providers)
• I've Locked Myself Out of My Digital Life
• Two-Factor Authentication and the Police State
• MFA (CISA)
• Making sense of the alphabet soup within authentication and modern MFA (Yubico)

For people in the Google ecosystem, I also strongly recommend their Advanced Protection Program. This enables additional enforcement, but be aware that you should have multiple keys enabled, to reduce the chances that you will lose access to all keys.