Two Factor Authentication: Biometrics vs Alternatives

TL;DR

This guide compares biometric two factor authentication (2FA) with other methods like authenticator apps, SMS codes, and security keys. We’ll cover how they work, their strengths and weaknesses, and help you choose the best option for your needs.

1. Understanding Two Factor Authentication

Two Factor Authentication adds an extra layer of security to your accounts beyond just a password. It requires something you *know* (your password) and something you *have* or *are* – hence, ‘two factors’.

2. Biometric 2FA: How it Works

Biometric authentication uses unique biological traits to verify your identity. Common types include:

• Fingerprint Scanning: Uses a fingerprint reader on your device.
• Facial Recognition: Maps and recognises your face using your device’s camera.
• Voice Recognition: Identifies you by the characteristics of your voice.

These methods typically integrate with platform-specific security features (e.g., Apple Face ID, Android fingerprint unlock) or dedicated biometric authentication apps.

3. Other 2FA Methods

• Authenticator Apps: Generate time-based one-time passwords (TOTP). Examples include Google Authenticator, Authy, and Microsoft Authenticator.
• SMS Codes: Send a code to your mobile phone via text message.
• Security Keys: Physical USB devices that require physical insertion or tapping for authentication (e.g., YubiKey).

4. Comparing the Options

1. Security:
   • Biometric: Generally very secure, but vulnerable to spoofing (though increasingly difficult with advanced sensors) and privacy concerns regarding data storage.
   • Authenticator Apps: Highly secure; less susceptible to phishing than SMS codes.
   • SMS Codes: Least secure due to SIM swapping attacks and interception vulnerabilities. Not recommended as a primary 2FA method.
   • Security Keys: Considered the most secure option, resistant to phishing and man-in-the-middle attacks.
2. Convenience:
   • Biometric: Very convenient if supported by your device; quick and easy to use.
   • Authenticator Apps: Convenient, but requires app installation and setup.
   • SMS Codes: Easy to use initially, but can be slow and unreliable (delivery issues).
   • Security Keys: Less convenient than other methods; requires carrying a physical device.
3. Cost:
   • Biometric: Usually free, as it relies on built-in device features.
   • Authenticator Apps: Free.
   • SMS Codes: May incur standard text message charges (rare).
   • Security Keys: Cost of the key itself (£20 – £50+).

5. Setting up Authenticator Apps

Most websites and services support TOTP via QR code scanning.

1. Download and install an authenticator app (e.g., Google Authenticator).
2. Enable 2FA on the website/service you want to protect.
3. Scan the provided QR code with your authenticator app.
4. Enter the generated code from the app into the website/service to verify setup.
   Example of scanning a QR Code using Google Authenticator:
5. Save the recovery codes provided by the website/service in a safe place!

6. Choosing the Right Method

• High Security Needs (e.g., financial accounts): Security Key + Authenticator App
• Good Balance of Security and Convenience: Authenticator App
• Basic Protection (where other options aren’t available): Biometric 2FA (if trusted)
• Avoid: SMS Codes as a primary 2FA method.

7. Important Considerations

• Recovery Codes: Always save your recovery codes in a secure location. These are essential for regaining access to your account if you lose your 2FA device.
• Multiple Accounts: Use different 2FA methods for different accounts where possible, diversifying your security.
• cyber security Best Practices: Keep your devices and apps updated with the latest security patches. Be wary of phishing attempts.