Avoid The Hack: 7 Best Authenticator Apps/Keys for MFA


Everyone should be using multifactor authentication (MFA) to further secure their online accounts - especially accounts deemed crucial, such as email and bank accounts. Stronger forms of MFA, which involve using an authenticator app or a hardware key, provide an enhanced layer of protection from account takeovers.

Preface

Note: MFA options recommended in this post are divided into "hardware keys" and "software authenticators."

In an ideal world, users would always use physical security keys as their MFA method when signing into devices, web apps, or web services, because such keys are phishing resistant. Real-world limitations do exist, however; chief among them is that many services still do not support hardware keys.

Not all software authenticators are built the same, and ideally users would avoid Google Authenticator, Microsoft Authenticator, and Authy. These authenticators make it difficult to switch to another app and often embed trackers/analytics in their code, which is closed-source.

At minimum, users are highly encouraged to ditch Authy, and not just because of the 2024 Twilio breach that exposed the phone numbers tied to Authy accounts. Authy does not allow exporting existing TOTP secrets, so the more accounts enrolled in Authy, the harder and slower it is to migrate to another solution.

Additionally, Twilio rather abruptly discontinued supporting the desktop version of Authy in March 2024, which was a large "selling point" of the software many users found useful. Some of the authenticators listed here support access on the desktop (typically by using a browser).

Physical keys

Physical keys offer the strongest form of MFA available to most users.

Physical security keys generally support several authentication methods. Most support HMAC-based One-Time Passwords (HOTP) and Time-based One-Time Passwords (TOTP), the same codes a software authenticator generates. More importantly, they support FIDO U2F and FIDO2/WebAuthn, which are phishing resistant: the key signs the server's challenge together with the site's origin (as recorded by the browser) and the relying-party ID, so a response obtained on a look-alike domain does not verify on the real site, and a captured response cannot be replayed.
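The exchange described above, as an added example that is not code from any vendor on this page. It walks a simplified WebAuthn "get assertion" flow through a browser, an authenticator, and a relying party, then shows a genuine login, a relayed challenge from a look-alike domain, a client that reports the wrong origin, and an origin rewritten after signing. Assumption: the authenticator "signs" with an HMAC over a per-credential secret that the relying party also stores, a stand-in for the per-credential private key of a real key (where the relying party holds only the public key); the origin-binding checks are the same either way. The names `Authenticator`, `RelyingParty`, and `browser_get` are this example's own.

```python
# Added example, not code from any vendor on this page: a simplified WebAuthn
# "get assertion" exchange showing the checks that make FIDO2 phishing
# resistant. Assumption: the authenticator "signs" with an HMAC over a
# per-credential secret that the relying party (RP) also stores; real keys
# sign with a private key and the RP verifies with the public key.
import hashlib
import hmac
import json
import os


def rp_id_for_origin(origin: str) -> str:
    """Browser rule (simplified): the RP ID is the host of the page's origin."""
    return origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]


def client_data(challenge: bytes, origin: str) -> bytes:
    # clientDataJSON: the browser fills in origin; page script cannot change it.
    return json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                       "origin": origin}, sort_keys=True).encode()


class Authenticator:
    def __init__(self):
        self._creds = {}  # rp_id -> (credential_id, secret); never leaves the key

    def make_credential(self, rp_id: str):
        cred_id, secret = os.urandom(16), os.urandom(32)
        self._creds[rp_id] = (cred_id, secret)
        return cred_id, secret

    def get_assertion(self, rp_id: str, client_data_hash: bytes) -> dict:
        if rp_id not in self._creds:
            raise LookupError(f"no credential for rpId {rp_id!r}")
        cred_id, secret = self._creds[rp_id]
        # authenticatorData = SHA-256(rpId) || flags (user present) || counter
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01\x00\x00\x00\x01"
        sig = hmac.new(secret, auth_data + client_data_hash, hashlib.sha256).digest()
        return {"id": cred_id, "authenticatorData": auth_data, "signature": sig}


def browser_get(key: Authenticator, origin: str, challenge: bytes) -> dict:
    """navigator.credentials.get(): the browser derives rpId from the real origin."""
    cd = client_data(challenge, origin)
    resp = key.get_assertion(rp_id_for_origin(origin), hashlib.sha256(cd).digest())
    return {**resp, "clientDataJSON": cd}


class RelyingParty:
    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin, self.creds, self.pending = rp_id, origin, {}, set()

    def new_challenge(self) -> bytes:
        c = os.urandom(32)
        self.pending.add(c)
        return c

    def verify(self, resp: dict) -> bool:
        cd = json.loads(resp["clientDataJSON"])
        challenge = bytes.fromhex(cd["challenge"])
        if cd["type"] != "webauthn.get" or challenge not in self.pending:
            return False
        if cd["origin"] != self.origin:                 # origin binding
            return False
        auth_data = resp["authenticatorData"]
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False                                 # rpIdHash check
        secret = self.creds.get(resp["id"])
        if secret is None:
            return False
        signed = auth_data + hashlib.sha256(resp["clientDataJSON"]).digest()
        expected = hmac.new(secret, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, resp["signature"]):
            return False
        self.pending.discard(challenge)                  # challenge is single use
        return True


def demo() -> dict:
    rp, key = RelyingParty("example.com", "https://example.com"), Authenticator()
    cred_id, secret = key.make_credential("example.com")
    rp.creds[cred_id] = secret
    out = {}
    # 1. Genuine login from the real origin.
    out["legit"] = rp.verify(browser_get(key, "https://example.com", rp.new_challenge()))
    # 2. Relayed challenge from a look-alike site: rpId "examp1e.com" has no credential.
    try:
        browser_get(key, "https://examp1e.com", rp.new_challenge())
        out["relayed"] = True
    except LookupError:
        out["relayed"] = False
    # 3. Non-conforming client: real rpId, phishing origin -> rejected on origin.
    cd = client_data(rp.new_challenge(), "https://examp1e.com")
    resp = {**key.get_assertion("example.com", hashlib.sha256(cd).digest()), "clientDataJSON": cd}
    out["rejected_origin"] = not rp.verify(resp)
    # 4. Rewriting the origin after signing breaks the signature instead.
    resp["clientDataJSON"] = client_data(bytes.fromhex(json.loads(cd)["challenge"]), "https://example.com")
    out["rejected_sig"] = not rp.verify(resp)
    return out
```

The two checks that matter are the origin comparison and the rpIdHash comparison in `verify`; because the signature covers the hash of clientDataJSON, an attacker can neither relay a response from another domain nor edit the origin field afterwards. A TOTP code carries no equivalent binding, which is why the software authenticators later in this post remain phishable.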

Nitrokey


Nitrokey is a physical security key built on open-source firmware and software; the firmware installed on the key can be exported and verified against the published source. The device is protected by a PIN, and the key limits the number of failed PIN attempts, which defeats brute-force guessing.

Outside of MFA, Nitrokey has a few uses for enhanced security relevant to privacy and cybersecurity conscious users:

  • PGP key storage; sign and encrypt emails
  • Encrypted mobile storage
  • “Hidden” encrypted storage (just as it sounds)

Because the secrets stay on the key rather than on the host, the Nitrokey works the same regardless of operating system, malware on the host cannot read the stored keys, PIN protection limits the damage if the key is lost or stolen, and its FIDO2 credentials resist phishing.

There are several Nitrokey models, each with a different feature set. Most users should find the Nitrokey FIDO2 satisfactory for everyday authentication; users are encouraged to consult the Nitrokey comparison chart to choose the model that fits their use.

Purchase | Source

Yubikey


Note: YubiKey firmware is closed-source, and it cannot be updated once the key ships, so a firmware flaw can only be addressed by replacing the key.

Where possible, avoidthehack tries not to recommend closed-source solutions, but the YubiKey has a solid reputation and is the de facto standard for hardware keys. As of writing, it is also the most popular physical key. Yubico's client software and libraries are open source, even though the firmware is not.

There are several YubiKey models with different feature sets, much like the Nitrokey line. Users are encouraged to review Yubico's comparison chart to find the model that suits their needs best.

For most users, the Security Key series (FIDO U2F/FIDO2 only) or the YubiKey 5 series (which adds OTP, OATH HOTP/TOTP, OpenPGP, and PIV smart-card support) should prove sufficient.

Purchase | Source

Librem Key


Like the Nitrokey, the Librem Key runs open-source firmware. Unlike the Nitrokey and YubiKey lines, the Librem Key comes in a single model; it is worth noting that the Librem Key is manufactured by Nitrokey for Purism.

Purism claims the Librem Key retains its stored data for 20+ years, and it is about the size of an average thumb drive. It can hold RSA keys up to 4096 bits and ECC keys up to 512 bits.

The Librem Key integrates with Heads, the open-source boot firmware shipped on Purism laptops, to detect tampering with the boot firmware: at boot, the key checks the measured firmware state and lights green when it matches and red when it does not (Windows machines rely on Secure Boot and measured boot for a comparable check). It also offers limited password storage (up to 16 entries), HOTP and TOTP token storage, and GPG key storage.

Purchase | Source

Software authenticators

Software-based authenticators primarily use Time-based One-Time Passwords (TOTP). They are more convenient than hardware keys and still offer a relatively high degree of assurance, but a TOTP code is not bound to the site it is typed into, so a real-time phishing proxy that relays the code to the genuine site within its validity window defeats it.

Generally, software-based authenticators are designed for use on mobile devices.
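The HOTP and TOTP codes mentioned in the hardware-key section and here, as an added example that is not code from any app on this page. It implements RFC 4226 HOTP and RFC 6238 TOTP, the base32 seed decoding used by authenticator QR codes, and a server-side check with a clock-drift window and replay protection; `self_test` compares the output against the test vectors published in those RFCs. Function names are this example's own.

```python
# Added example (not taken from any app on this page): HOTP (RFC 4226) and
# TOTP (RFC 6238) as software authenticators and hardware keys compute them,
# plus the server-side check with a drift window and replay protection.
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP is HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits, algo)


def decode_seed(b32: str) -> bytes:
    """Seeds travel as (usually unpadded) base32 in otpauth URIs and QR codes."""
    s = b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def verify_totp(secret: bytes, code: str, at: int, last_counter=None,
                window: int = 1, step: int = 30, digits: int = 6):
    """Server side: accept +/- `window` steps of clock drift, never accept a
    counter at or below the last one used (replay), compare in constant time.
    Returns the accepted counter, or None."""
    now = at // step
    accepted = None
    for counter in range(now - window, now + window + 1):
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            accepted = counter   # keep scanning so every call does equal work
    return accepted


# Seed from the RFC 4226 / RFC 6238 test vectors (a published test value, not a real account).
RFC_SEED = b"12345678901234567890"


def self_test() -> bool:
    hotp_ok = [hotp(RFC_SEED, c) for c in range(3)] == ["755224", "287082", "359152"]
    totp_ok = (totp(RFC_SEED, 59, digits=8) == "94287082"
               and totp(RFC_SEED, 1234567890, digits=8) == "89005924")
    return hotp_ok and totp_ok
```

Note what the server has to store to run `verify_totp`: the same seed the phone holds. That is the root of the risk discussed later for authenticators built into password managers, and it is also why nothing in this scheme can tell a genuine site from a phishing proxy that forwards the code.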

2FAS


2FAS is an open-source software authenticator. No account is required for use.

2FAS can automatically sync backups of codes to the cloud (depends on the device, for example, Apple devices will automatically sync to iCloud).

2FAS is available for iOS and Android devices. Though there is no official web version (nor desktop apps), 2FAS has a browser extension for both Chromium and Gecko browsers; the browser extension syncs after pairing with the mobile device.

2FAS does not store passwords or associated metadata and works offline.

Download | Source

Ente Auth


Ente Auth is an open-source software authenticator built by the same core developers behind ente.io. Unlike ente’s paid encrypted photo storage service, ente Auth is free.

Tokens/Secrets are end-to-end encrypted and stored using ente’s infrastructure. While ente uses third-party cloud providers as part of their infrastructure, data stored is encrypted without the cloud provider having access to the decryption keys.

Ente Auth is available for iOS and Android devices.

A web version is available for viewing codes from any internet-enabled device. This makes Ente Auth a more viable option for users who want greater availability from an authenticator app, especially if their mobile device is lost, stolen, or otherwise unavailable.

Download | Source

Aegis Authenticator


Aegis Authenticator is a secure and open-source authenticator.

One-time password secrets are stored in an encrypted vault; users can unlock it with a password or, where the device supports it, with biometrics.

Aegis Authenticator supports exporting secrets and can be configured to automatically back up the encrypted vault to a cloud location the user trusts, such as Nextcloud.

Aegis Authenticator is only available for Android and is available on both the Google Play Store and F-Droid.

Download | Source

Bitwarden Premium


In addition to being a free, open-source, and feature-packed password manager, Bitwarden's paid tier, Bitwarden Premium, adds an integrated TOTP generator to the password manager itself.

The integrated generator stores the TOTP secret alongside the vault entry and produces codes just like a dedicated software authenticator, so passwords and TOTP codes are managed in one place. (Bitwarden also publishes a separate, free, standalone Bitwarden Authenticator app; that is a different product from the vault-integrated generator covered here.)

Download | Source

Proton Pass Plus


Proton Pass is another free, open-source, and feature-packed password manager. The "Plus" version of Proton Pass includes an integrated TOTP authenticator. This integrated authenticator can handle TOTP-based 2FA authentication just like other dedicated software authenticators.

avoidthehack Affiliate (more info) | Source

Note regarding authenticators built into password managers

Authenticators integrated into a password manager carry a slightly elevated risk because the passwords and the TOTP secrets are stored in one place.

If the vault is compromised, it becomes a bigger single point of failure: the attacker obtains both the passwords and the TOTP secrets, so the second factor no longer protects those accounts.

To alleviate this risk, users should ensure:

  • The master password to their password manager vault is strong and unique.
    • This should ideally be a passphrase.
    • If feasible, this password shouldn’t be written down anywhere else - at minimum, the master password shouldn't be stored on the devices with the password manager installed.
  • Ensure password manager recovery codes are stored in a secure location.
  • Consider using a hardware key as a second factor when signing into the password vault.

Criteria for multifactor authenticators/hardware keys

For hardware keys

Support strong authentication standards

Hardware keys listed here should support FIDO U2F and FIDO2.

Have open-source clients

Clients used to interact/manage hardware keys listed here should be open-source to promote transparency and leverage the global community to identify flaws/weaknesses. Ideally, the firmware of the key would also be open-source, but open-source firmware isn't a strict requirement.

Be tamper resistant

A tamper-resistant key keeps its private keys inside a secure element that never releases them, so a compromised host can only ask the key to sign, not extract the secrets, and cloning the key requires physical attacks on the chip rather than simply reading out its storage.

Longevity

Hardware keys listed here should be well-made enough to stand up to normal wear and tear, where users can get reliable years out of them. Specifically, the USB part of the key should be capable of withstanding normal wear and tear associated with being plugged into and removed from devices consistently.

For Software Authenticators

Be open-source

Open-source solutions promote transparency.

No trackers embedded in software

Software authenticators listed here should have no tracking mechanisms/trackers embedded into software.

Allow exporting of codes

Software authenticators should allow easy exporting of TOTP secrets (the seeds, not merely the current six-digit codes). This ensures users are not locked into a specific authenticator, as is the problem with closed-source authenticators like Authy.

Importing codes functionality

To make switching from other authenticators easier for end users, software authenticators recommended here must allow importing secrets, whether from another app's exported backup or from the otpauth:// URIs encoded in setup QR codes.
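The export and import criteria above in working code, as an added example that is not code from any app on this page. It parses and rebuilds otpauth:// key URIs, the format behind authenticator QR codes and the plain-text lists that most authenticators can import, and runs an import over a constructed sample export, reporting malformed lines instead of aborting. Assumptions: the field rules (6 to 8 digits, SHA1/SHA256/SHA512, base32 secret, a counter required for HOTP) follow the widely used key-URI convention; the sample secrets are throwaway test values; function names are this example's own.

```python
# Added example (not code from any app on this page): parse and rebuild
# otpauth:// key URIs, the format behind authenticator QR codes and the
# plain-text lists most of the apps above can import. Field rules follow the
# widely used key-URI convention; function names are this example's own.
import base64
import binascii
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit

ALGORITHMS = {"SHA1", "SHA256", "SHA512"}


def parse_otpauth(uri: str) -> dict:
    p = urlsplit(uri)
    if p.scheme != "otpauth" or p.netloc.lower() not in ("totp", "hotp"):
        raise ValueError("not an otpauth totp/hotp URI")
    kind = p.netloc.lower()
    # Label is "issuer:account" (issuer optional); the issuer= parameter wins.
    label_issuer, sep, account = unquote(p.path.lstrip("/")).partition(":")
    if not sep:
        label_issuer, account = "", label_issuer
    q = {k: v[-1] for k, v in parse_qs(p.query).items()}
    if "secret" not in q:
        raise ValueError("missing secret")
    s = q["secret"].replace(" ", "").upper()
    try:
        seed = base64.b32decode(s + "=" * (-len(s) % 8))
    except binascii.Error as e:
        raise ValueError(f"secret is not valid base32: {e}") from None
    digits = int(q.get("digits", "6"))
    if digits not in (6, 7, 8):
        raise ValueError(f"unsupported digits {digits}")
    algorithm = q.get("algorithm", "SHA1").upper()
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm {algorithm}")
    entry = {"type": kind, "issuer": q.get("issuer", label_issuer).strip(),
             "account": account.strip(), "secret": seed, "digits": digits,
             "algorithm": algorithm}
    if kind == "totp":
        entry["period"] = int(q.get("period", "30"))
    else:
        if "counter" not in q:
            raise ValueError("hotp URI requires counter")
        entry["counter"] = int(q["counter"])
    return entry


def build_otpauth(entry: dict) -> str:
    """Inverse of parse_otpauth, for writing an export another app can read."""
    label = f"{entry['issuer']}:{entry['account']}" if entry["issuer"] else entry["account"]
    params = {"secret": base64.b32encode(entry["secret"]).decode().rstrip("="),
              "digits": entry["digits"], "algorithm": entry["algorithm"]}
    if entry["issuer"]:
        params["issuer"] = entry["issuer"]
    params["period" if entry["type"] == "totp" else "counter"] = entry.get("period", entry.get("counter"))
    return f"otpauth://{entry['type']}/{quote(label, safe='@:')}?{urlencode(params)}"


def import_lines(text: str):
    """Import an exported list one line at a time; bad lines are reported, not fatal."""
    ok, errors = [], []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ok.append(parse_otpauth(line))
        except ValueError as e:
            errors.append((n, str(e)))
    return ok, errors


# Constructed sample export; the secrets are throwaway test values, not real accounts.
SAMPLE_EXPORT = """\
# exported from a hypothetical authenticator
otpauth://totp/Example%20Mail:alice%40example.com?secret=GEZDGNBVGY3TQOJQ&issuer=Example%20Mail&digits=6&period=30
otpauth://hotp/Bank:alice?secret=JBSWY3DPEHPK3PXP&counter=7&algorithm=SHA256
otpauth://totp/Broken:bob?secret=NOT-BASE32!&digits=6
otpauth://totp/Broken:carol?secret=GEZDGNBVGY3TQOJQ&digits=9
"""
```

Two points worth copying into any migration script: reject a secret that does not decode as base32 at import time rather than discovering it at the next login, and treat the exported text as a credential in its own right, since anyone holding these URIs can generate valid codes for every listed account.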

Final thoughts

Secure multifactor authentication helps stop malicious account takeovers; it is a recommended "basic" for improving any user's personal cybersecurity posture.

Users should keep their method of secure multifactor authentication secure. For physical keys, this could include storing the key in a safe place where it would not easily get lost. For software authenticators, this can include ensuring the device where the authenticators “live” is secure and resistant to compromise.

Remember - store backups encrypted and in a safe location! If the safe location is offline, then make sure the storage location is physically secured and a place you have primary access to.

With that said, stay safe out there!
