Websites-BestMFA¶
List of websites with their best MFA options.
Only for free accounts, does not include Paid/Commercial/Premium service accounts.
Does not consider the different implementations/processes of account recovery process.
Introduction¶
One fine day in 2022, bought my security token and its spare, logged in to my favorite website to start securing it. Account Settings, Security and Privacy> WAIT, where is the setting that says, add security token?
Logged in to second website, added security tokens. WAIT, where is the option to remove SMS-2FA??
WAIT! I NEED TO ENROLL IN THIS GOOGLE ADVANCED THREAD PROTECTION to use hardware keys as the only 2FA method? AND I CAN ONLY USE THUNDERBIRD AS E-MAIL CLIENT FROM HERE ONWARDS, AND SYNOLOGY CLOUD WILL STOP WORKING???
Above are the problems you may when trying to use security tokens as your main 2FA method. Since a lot of the websites yet to support security tokens as 2FA I needed to keep a list to remind myself to check them in the future. As I visited more websites, the range of 2FA/MFA options and combinations of them are totally.. unexpectedly unstandardized, and the combinations of different MFA options are as complicated as they can be to consider which would give the best security.
The realization that some websites allow MFA only with SMS-2FA enabled, or give no options to disable less secure 2FA options, and the need to have a standard rule to follow when setting up 2FA/MFA gave birth to this document.
Ranks¶
| Rank | Sub-rank | Best 2FA Options | Rank after Removing TOTP & Backup Codes |
|---|---|---|---|
| 1 | Security Tokens only, without any other weaker 2FA options | No Change | |
| 2 | a | Security Tokens, TOTP, Backup Codes | 1 |
| b | Security Tokens, E-mail, Backup Codes, Mobile Push | 2b | |
| 3 | a | TOTP and E-mail | No Change |
| b | TOTP only | No Change | |
| c | TOTP, Backup Codes | 3b | |
| d | TOTP, E-mail, Backup Codes, Mobile Push | No Change | |
| 4 | a~e | 3a~3e but 2FA is skipped when using certain SSO | No Change |
| 5 | a | TOTP, SMS-OTP | No Change |
| b | SMS-OTP only | No Change |
Ranks Explaination¶
-
General security strengths of different 2FA options, in descending order:
- Security Tokens
- Hardware-backed TOTP
- TOTP
- Backup Codes
- Mobile Push
- SMS
-
Backup codes as secondary 2FA is ranked higher than e-mail as Backup Codes can be deliberately ignored (not saved anywhere when asked during the process of setting up TOTP) to eliminate theft possibility. Since there is a small possibility that user will save this backup code somewhere as instructed when enabling TOTP potentially compromising security, websites that do not support backup code login are ranked higher.
-
For 2a and 2b, TOTP is ranked higher than e-mail code due to several reasons:
- It can be hardware-backed.
- E-mail login has more attack surface compare to Software TOTP app.
- After setup, the TOTP entry can be deliberately removed similar to backup codes.
- Most of the time the address for e-mail is the same as the account-link e-mail and not possible to be changed/removed. Even if the website supports different address for e-mail code, it can not always be deliberated removed.
-
Though slightly impractical, device that host the TOTP app can be put offline or run on a dedicated phone/PC/sandbox to avoid multi-channel attacks.
-
The difference between Rank 2 and Rank 3 is that for Rank 2, the use security tokens are able to protect against phishing/MitB attack. It should be kept in mind that security tokens shall be used whenever possible, while avoiding the use of other secondary 2FA options. Security is compromised and no better than Rank 3 if users still prefer TOTP over the use of security tokens.
-
E-mail and mobile push are ranked similarly due to both are commonly used on mobile phones, with mobile push ranked slightly higher as e-mail is usually signed on phone, PC browser and desktop client all the time which provide more attack surface.
Best Practice / General Rule¶
- This document mainly focus on website sign in using security tokens.
- Security tokens must be always used even there are other 2FA options enabled (or irremovable) to maintain upmost security.
- Hardware-backed TOTP must be always used (e.g. Yubico Authenticator) over normal TOTP (e.g. Authy, Google Authenticator).
- E-mail, recovery e-mail must be of similar sign-in security level (e.g. an Gmail address enrolled in ATP).
- Backup codes shall be removed, or stored offline (not on any form of digital device), think of it as a type of single-use security token but without the protection from phishing/MitB.
Website List¶
Table Header Abbreviations¶
Token - Security Token
TOTP - Time-based one-time password
E-Mail - E-mail Code
SMS - Short Message Service OTP
B.C. - Backup Codes
| Website | Rank | Token | TOTP | SMS | B.C. | Notes | |
|---|---|---|---|---|---|---|---|
| Amazon | 5a | O | O | No | SMS-2FA required to enable TOTP | ||
| Atlassian | 4c | O | Yes | 2FA is skipped when using Google, Microsoft, or SAML SSO | |||
| Binance.us | 3b+ | O | + | No | E-mail-2FA is required on top of TOTP for new device login | ||
| Bitwarden | 3c | O | Yes | Non-premium does not support security tokens | |||
| Coinbase | 1 | >1 | No | ||||
| Discord | 3c | O | Yes | ||||
| Docker | 3c | O | Yes | ||||
| Evernote | 3c | O | Yes | Does not ask for 2FA using Goggle SSO | |||
| 1(?) | O | Yes | Message prompt by Facebook indicates possibility to approve login from another logged in device when “Use a different method” is selected.1 To be verified. | ||||
| GitHub | 2b | >1 | O | Yes | Force enables GitHub Mobile Push-2FA if mobile app is used | ||
| GoodSync | 3b | O | No | ||||
| Google-ATP | 1 | >1 | No | Need to enroll in Advanced Thread Protection | |||
| 3d | O | Optional | Alternative 2FA using Security code from phone, mobile push 2FA | ||||
| 3c | O | Yes | |||||
| 3c | O | Yes | |||||
| LogMeIn | 3d | O | O | Yes | |||
| Mega | 2b | >1 | O | O | Yes | ||
| Microsoft | 2b | >1 | O | O | Yes | Bypasses username/password prompt when using security token | |
| Parsec | 3c | O | Yes | ||||
| PayPal | 1 | 1 | No | Only supports single security token. Only allows “Primary” 2FA method when set. Removal of recovery phone number is not possible. | |||
| 3c | O | Yes | |||||
| Synology | 5a | O | O | Yes | SMS-2FA required to enable TOTP | ||
| TradingView | 3c | O | Yes | ||||
| Twitch | 5a | O | O | No | SMS-2FA required to enable TOTP. Force integrates Authy. 2 | ||
| 1 | >1 | Yes | |||||
| Ubisoft | 5a | O | O | Yes | SMS-2FA required to enable E-mail-2FA | ||
| XDA Forums | 3c | O | Yes | ||||
| Yahoo | 3c | >1 | O | No | Requires 2 recovery emails to activate 2FA, but the second e-mail can (shall) be removed after setup. | ||
| Zoom | 3c | O | Yes |
TODO¶
- Differentiate Hardware 2FA such as U2F, UAF, FIDO2/WebAuthn
- NiceHash accepts used YubiKey OTP
-
“You’ve asked us to require a 6-digit login code when anyone tries to access your account from a new device or browser. When you receive your 6-digit code, enter it to continue:
Approve from another device
Just check your notifications in another browser or phone where you’ve logged in.” ↩ -
Authy handles all 2FA for Twitch users. When you enable 2FA on your Twitch account, an Authy account with a unique ID is automatically generated ↩