What is the most secure 2FA method?

I’ve been trying to improve my online accounts’ security and privacy as of late, and one major action I’m able to take for the former is setting up two-factor authentication on as many of my accounts as possible. I feel like even my randomized, special-character-containing 20-character passwords are still somewhat vulnerable to cracking or leakage. Why shouldn’t I be more secure when I’m quite easily able to? Now, there are 7 ways I’m able to approach 2FA:

  1. Scan QR codes or add TOTP secret keys to a local accountless app on my phone
  2. Scan QR codes or add TOTP secret keys to an app on my phone that is cloud-synced via an account
  3. Scan QR codes or add TOTP secret keys to the respective login in my password manager
  4. Add my phone number and have temporary SMS codes sent to it (imagine this is struck out)
  5. Save a passkey in my password manager
  6. Save a passkey on a physical device (very uneducated on how this works)
  7. Ignore 2FA altogether and set 100 character random passwords (basically un-brute-forceable?)

I’ve already learned via Privacy Guides (as well as other sources) that SMS messages are unencrypted and can be intercepted through the one or more cell providers they pass through. I currently have a bunch of my online accounts set up to receive SMS codes as an additional 2FA method, but I’ll work on removing those less secure options.

Methods 1-3 seem relatively similar in security to me, although each one is slightly less secure than the last. Conveniently, my password manager (protected by not one, but two passwords, one of which I don’t have saved anywhere except physically written down at home) offers a way to add and generate TOTP codes for each login. Additionally, they appear as pop-ups on desktop and notifications on mobile, both of which appear when I’m presented with a 2FA challenge during the login process and let me quickly see and copy the code. I’ve moved all my code generation to my recently acquired new password manager, as it is a lot more convenient not to have to open a separate mobile-only app on my phone, but that could be less secure than the less convenient approach.

TOTP codes saved locally on my phone feel more secure than those saved on my phone but synced via an account and/or iCloud. P.S. I should probably save the backup codes either physically printed or saved in secure cloud storage rather than as notes/file attachments in my main password manager, right?

By the way, are Google Authenticator and Microsoft Authenticator apps on mobile good tools to do that? I really don’t trust either corporation at all, but my accounts on them are quite secure (besides currently allowing 2FA through SMS on them).

Passkeys seem like a relatively new security feature that has been more and more widely adopted, but I’m not well-informed on how they work, and they feel less secure than TOTP codes to me. I’ve been instinctively adding them (before starting my new security improvement journey) to every account I had that allowed it, but you’re telling me I can input my e-mail address, submit the saved passkey to the website, and skip any password and 2FA input? Seems quite suspicious and vulnerable to me. It would seem less so if they were saved on some physical device in my possession, like a USB stick, although I’d have to find one compatible with my PC, my phone, and my tablet (not all of them have USB-C connectivity).

What would you say is the most secure and/or most recommended (by you) way of approaching two-factor authentication for online accounts? I might be reaching paranoid levels of overthinking, because my threat model level isn’t very high, but I wish to be more informed and generally make the best decisions for my online security. A simple ranking would suffice as an answer, but I’d be most grateful if you could also explain to me the strengths and weaknesses of each 2FA method, as well as answer the various questions I have on the topic, such as whether it makes a difference what TOTP app I use or if I sync my TOTP codes across devices or only generate them on my phone.

In full disclosure, I haven’t read your full post, only your title.

You don’t need to be this paranoid for any reason.

Simply use your password manager’s 2FA feature or Ente Auth.

It’s not that complicated.


If you’re setting up Passkeys like this, it isn’t 2FA. It’s more secure 1FA than passwords, but it is still 1FA.

If you set up Passkeys or hardware keys as 2FA, then it is more secure than TOTP.

In terms of theoretical security:

Password + Passkey (2FA) > Password + TOTP (2FA) > Passkey (1FA) >> Password (1FA)

In terms of phishing protection (more relevant for most people):

Password + Passkey (2FA) > Passkey (1FA) >> Password + TOTP (2FA) > Password (1FA)

(“Passkey” above simply refers to any WebAuthn credential because different companies define “passkey” differently)


Edit: When I say “Passkey (1FA)” above that assumes the passkey is not set up as 2FA on its own (see below). If your Passkey is configured to always require a PIN or biometrics, then it is at least equivalent to “Password + Passkey (2FA)” in my ranking above, not worse.


Thank you for your clarification and ranking!

I’ve mentioned 1FA passkeys as I’ve seen some services allow passkeys as a replacement for password + 2FA via TOTP/SMS, most prominently Google.

It seems like I should aim to replace TOTP codes with passkeys whenever I’m able to add both for 2FA, and otherwise use TOTP codes instead of only having a password.

For my own clarification, if the passkey is behind a PIN, is that 2FA? For the passkeys on my Yubikey I need to enter a PIN (something I know) before unlocking the passkey (something I have).

That Yubikey PIN is used for your Yubikey, not your account. Therefore, it shouldn’t be considered 2FA.

Another example would be unlocking your phone to view your TOTP code or use your passkey. If they are your only method of authentication, it would still be 1FA even if the phone is protected by a PIN.

In the case of Yubikey (which are guaranteed to never be cloned) I would agree that it is 2FA, if the PIN is required for every use.

Software passkeys are in a decrypted state or backed up in various ways too often to rely on this.


In terms of theoretical security
In terms of phishing protection

I don’t think these should be separated this way as phishing protection is part of security.

I’m not sure I agree with this. If I can create an account with just a passkey alone, it removes any worries about the effect of potential data breaches, which is a real concern when using passwords. The authentication itself would also become more secure when passwords are removed from the process.

In the future (although 1Password has this currently in the beta) I could create a password manager account with just a YubiKey and its device-bound passkey because of the WebAuthn PRF extension. I would say that this will always be more secure than coming up with a secure passphrase on my own that could get brute-forced if the password manager ever got breached. So, this is why using passkeys just for 2FA is not good enough and should be extended to encryption as well.

Why would you rate these setups this way? Any password could always get phished compared to just a single passkey.


A password offers no phishing resistance. A password + passkey is therefore just as phishing resistant as simply using a passkey.

This simply isn’t true, and even if it were, it’s still only considered a single factor. EUCLEAK - YubiKey 5 can be cloned in a matter of minutes


This is FUD. Passkeys are MFA, not 1FA. Factors are not counted as the number of items you have to provide for access, but in terms of the type of items you have to provide for access.

The entire comparison seems to lack understanding about passkeys. Passkey + password makes no sense unless you are referring to a PIN you type to release the passkey on the device. Passkey is objectively better than password + TOTP since there is no shared secret. Password + TOTP is better than password only if you reuse passwords; otherwise both are similarly bad in terms of leaks from the provider database and phishing.

This has a very “vibe-based security” feeling to it.

Promised to be not the same. Not guaranteed. Relevant for people who have supply chain attacks or malicious yubico in threat model.

Depends on how the Passkey is secured. If it’s just something you have, then that is one factor. If it’s something you have + something you know (PIN/password) or something you are (biometrics) then it’s 2FA, like I said above.

It can never just be “something you have”, since it always has “something you know” (the public private key). The spec is very clear. Anything following the spec is MFA, anything not following the spec is not passkey.

If you use a Yubikey as a passkey and the website does not require a PIN, then it is just something you have. Because if someone else has the YubiKey, they can access your account.

A roaming authenticator that is discoverable credential capable but not multi-factor capable can be used for single-factor authentication without a username, where the user is automatically identified by the user handle and possession of the credential private key is used as the only authentication factor. This can be useful in some situations, but makes the user particularly vulnerable to theft of the authenticator.


We refer to authenticators that are part of the client device as platform authenticators, while those that are reachable via cross-platform transport protocols are referred to as roaming authenticators.

The device-based passkeys are by definition MFA. Roaming authenticators are transport protocols for sharing passkeys with other devices; they are an addendum. This is creating confusion between a passkey stored in a KeePass database and the KeePass database itself.

It was a long discussion during their YouTube presentation too, and roaming authenticators still lack wide consensus. See Apple on attestation of passkeys on non corpo devices.

As far as I know there is no definition that “passkey” must refer to platform authenticators exclusively.

Using a roaming authenticator (Yubikey) for passwordless authentication is in fact a fairly common use case.

Yubikey is not a roaming authenticator. You own (something you have) a key and it knows your public private key (something you know), still MFA.

This is similar to confusion between E2EE meaning end devices instead of user to user as popularly understood. Roaming authenticator does not mean portable. Yubikey cannot export keys.

You should research this further.

Roaming authenticators, sometimes referred to as cross-platform or external authenticators, refer to those that are not tied to any one particular platform but can be used to authenticate across multiple devices. The quintessential example is a hardware security key, such as the YubiKey.

If it knows it, and you don’t know it, it is not something you know, so it is not a second factor. You can easily demonstrate this by: being in possession of and trivially using someone else’s Yubikey, like I said.

It is something you have, because you have the object that knows the private key.


Yubico is not the defining authority. This is what W3C says:

Some platform authenticators could possibly also act as roaming authenticators depending on context. For example, a platform authenticator integrated into a mobile device could make itself available as a roaming authenticator via Bluetooth. In this case clients running on the mobile device would recognise the authenticator as a platform authenticator, while clients running on a different client device and communicating with the same authenticator via Bluetooth would recognize it as a roaming authenticator.

Yubikey is a platform authenticator which can act as a transport layer for using those credentials across devices. The key itself is a platform-caged authenticator.

No, you knowing something via memorization is not the requirement. Something you know can also be a long key you have access to, but still do not actually know. The “something you know” is not for “something I can physically recall and type somehow”, but for a secret you have access to.

That definition is clearly not describing a Yubikey. You said:

There is no definition where this could ever be true, because a Yubikey is not a client device (see spec for definition of client device).

a roaming authenticator (e.g., a USB security key fob)
You are incorrect. multi-factor authentication - Glossary | CSRC


Sure.