科技回声 (Tech Echo)
A tech news platform built on Next.js, providing global tech news and discussion.

How do you handle 2FA?

16 points by PranavBerry, over 3 years ago

What do you use to handle 2FA? SMS? Email? Or an authenticator app?

What problems do you face with whatever 2FA you use? Are there security issues with any of them?

In case you use a phone-based 2FA, is the phone not having internet/network a frequent problem?

PS - I am ideating on a 2FA method using cryptography where the user will not need internet on his phone. A QR code will be generated on the phone for each login attempt. The website/app where the user is logging in will scan that QR code and if the information in it is valid, the user will be logged in. Please let me know if you have any feedback on this and if this solution will solve any problems you have with 2FA.

15 comments

bdcravens, over 3 years ago

I use Authy. Find the security good enough.

As for internet access on the device, shouldn't be a problem for any site that uses TOTP. However I can't imagine a situation where the phone wouldn't have access, but I'd be accessing a resource where authentication is an issue.
jiveturkey, over 3 years ago

The questions you are asking are the wrong questions. Which is typical of people unfamiliar.

Deploying 2FA is easy. There are recipes. Anyone can do it.

The hard part is account recovery. Expect to spend 85% or more of your time on that aspect. You may not even arrive at a solution you are happy with, just one that is least bad.

> I am ideating on a 2FA method using cryptography where the user will not need internet on his phone.

Done over and over again. You are doing nothing useful. Account recovery is where some magic is worth doing.
stephenr, over 3 years ago

So first off, TOTP and similar already solve the "phone is present but offline" issue.

But even if it didn't - how on earth is this meant to work? I'm somewhere that has no cell service, not connected to wifi, and need to log in to something on a public computer..

Ok so with TOTP I just get the 6 digit code my phone generated, and type it into the input on the public computer, the site confirms it's the expected OTP and I'm in.

How does this work with a QR code? The phone generates a QR code... How does that help me log in on the other device? You're assuming the other device will (a) have a webcam and (b) have reasonably easy access to capture an image via it and upload it via the browser...
gregjor, over 3 years ago

Authenticator apps that use TOTP (all of them) don't need an internet connection. The auth codes are time-based and generated on the device, online or offline.

I use an authenticator app or hardware key if supported. Adding TOTP 2FA to a web site is easy.
efxhoy, over 3 years ago

We use 1Password at work. It's fantastic, never had issues. The GUI is really nice (on macOS where I use it at least). The CLI is also nice for pushing secrets into scripts.
Thespian2, over 3 years ago

SMS is better than no 2FA at all, but is the weakest choice. Avoid if possible, unless it is your only choice, in which case, it's still better than nothing.

Authenticator app, hardware token (e.g. Yubikey), or email will usually be a question of which ones are supported by the service you are 2FA-ing into. You usually don't get a choice, so use what they offer.

Phone-based 2FA and lack of network is only a problem if you are using SMS push, and have no data service on the phone. But in that case, what system are you using to access the service? Can that machine hot-spot, or can your phone share its network connection? In practice, I've never seen a case where you have network connectivity to talk to a service, but not phone connectivity to get your SMS 2FA. So I'd say "not a frequent problem".

Given my choice (assuming all are supported) my order of preference would be: 1) Hardware token (e.g. Yubikey), 2) Authenticator app, 3) Email, 4) SMS

Tokens are portable, can move between machines, have nothing to remember, and are easy to use.

Apps are running on some device, so still a true second factor (something you have) - and again, have nothing to remember, and can be secured with biometrics.

Email - now you are on two different things you know (not really a second factor), and you have to access your email on some potentially untrusted device, just to get the code, potentially now compromising your email. It's one more basket that if someone gets access to, they can probably reset your other service passwords for total account takeover. Still better than no 2FA, but higher friction to use and access, and not really a second factor.

SMS - it's just too easy for SIM swap attacks, and good social engineering to phish SMS codes. "Hi, this is $BANKNAME - we saw some suspicious activity on your account, so we are going to send a one-time code to you now. Please enter it back to us here to verify your identity" (scammer then uses your stolen password, tries to log in, real bank sends you real code, which you now are tricked into sending to scammer to complete their login as you).
Someone, over 3 years ago

> A QR code will be generated on the phone for each login attempt. The website/app where the user is logging in will scan that QR code

I don't have a camera on my desktop computer, and I think I am far from alone in that.
mooreds, over 3 years ago

Have you looked at FIDO? Sounds like you are solving a similar problem to them: https://fidoalliance.org/fido2/ (though that is more about a different, more secure first factor).

I think the bigger issue with 2FA is not the security of the various methods (though there are some concerns with SIM hijacking for high value accounts, for sure).

It's twofold:

* companies choosing to implement it
* UX for users using it

For the first, companies have to choose which MFA methods to allow. For typical consumer facing companies I have seen email, voice, and text. For more technical companies, TOTP is pretty common. But in all cases, the company has to spend time and energy to implement this. Login security is a feature, but not a super differentiating one. I do think some of the breaches and government mandates will help, but make sure you tell companies you do business with that you want MFA!

There's definitely an adoption barrier to TOTP, which plays into the second issue. TOTP is a lot to ask a non-technical person to use. It really is.

I have written more about MFA for developers here: https://fusionauth.io/learn/expert-advice/authentication/multi-factor-authentication/ (full disclosure, this is an article hosted by my employer that I was paid to write).
austinjp, over 3 years ago

> What problems do you face with whatever 2FA you use?

Ease of migration. I'm currently migrating away from Authy to Aegis. This experience in Aegis is simple because it can import and export the data.

I use gauth [0] on my laptop since there's no Aegis desktop client. This requires adding any new 2FA accounts to both Aegis and gauth at the same time, meaning I need both devices with me. I've not yet tried to export from Aegis and add to gauth separately later, but I'm hoping that will be okay.

> A QR code will be generated on the phone for each login attempt. The website/app where the user is logging in will scan that QR code

Not sure I understand. How will a website be able to scan my phone's screen?
Graffur, over 3 years ago

As a user, I like having the choice and as a security conscious person, I nearly always choose an authenticator app.
theandrewbailey, over 3 years ago

I use KeePassXC with TOTPs. That way, my 2FA is backed up with my passwords and is portable.
chinathrow, over 3 years ago

I complain to anyone offering SMS 2FA.

> PS - I am ideating on a 2FA method using cryptography where the user will not need internet on his phone.

If the user needs to be logged in somewhere, they must be online. So it's safe to assume their phone has a connection too.
Raed667, over 3 years ago

I now use 1Password after getting seriously inconvenienced when my phone suddenly died and I had no chance to export tokens from the Authenticator app.

I only use SMS when a service doesn't offer an alternative.
ev1, over 3 years ago

WebAuthn. Do not ever, ever use SMS or phone. If a user has a more secure method like WebAuthn, do not ever allow SMS/phone to be able to reset or override it.
franzwong, over 3 years ago

I have many services using 2FA to log in. Now the list in the authenticator app is too long.