2023-09-06
What I understand about two-factor/multi-factor authentication (in 2023)
I am broadly a MFA (Multi-Factor Authentication) skeptic (cf) and as a result I don't have much exposure to it. For reasons beyond the scope of this entry, I've recently been needing to understand more than usual about how it works from the perspective of people using it, so here is my current understanding of your generally available non-hardware options that can be used in a desktop environment (security keys are out of scope).
There are three generally available and used approaches to MFA at the moment: SMS, time-based one time passwords (TOTP), and what I've heard called 'push-based approval' using smartphone apps. Of these, I believe that TOTP is the most popular, and a place that simply talks about 'MFA' is probably talking about TOTP MFA authentication, especially if they say they support multiple smartphone apps.
(At some point this list may include WebAuthn, but right now you mostly need a hardware security key to use it on your desktop or laptop.)
In SMS MFA, the place you're trying to log in to sends a SMS message to your phone number with a code that you have to enter (sometimes you can also get the code emailed to you). Websites vary on whether you can enroll more than one phone number for these messages. SMS MFA is considered insecure, partly because it's generally not that difficult to get someone's number 'ported' to a new device under your control, at which point you get their SMS messages. On the other hand, SMS is easy for people to start using, because practically everyone can already receive text messages.
In push-based approval, a special app on your phone gets push notifications of pending logins and asks you whether or not you approve them. With some hand waving, this is pretty secure, as it requires possession of your phone in an unlocked state and perhaps unlocking the app itself. An attacker can't step into the middle to impersonate your phone (or the app on it) the way they can with SMS and ported numbers. Again, websites and companies vary on whether you can enroll multiple devices for push based approvals. One current drawback of push based approvals is that there is no standard protocol for this, so each provider of this service has their own custom app (and, of course, you have to trust their app to not be scraping your phone for every bit of marketable information it can extract).
The third option is TOTP. In TOTP the website and you share a common secret code (often provided as a QR code) and you use a standard public algorithm to combine this secret with the current time to generate a numeric code. If you give the server the right code, the server 'knows' that you know the shared secret at this time (well, within a time window). Unlike push based approvals, there's no explicit communication between any server and the TOTP app on your phone; the app is a standalone, isolated thing. Because the algorithm is standard and public, it's been implemented by many different smartphone apps and those apps aren't tied to the website or provider they're from; any proper TOTP app can do TOTP with any proper TOTP website (or other server).
Looked at from a suitable angle, TOTP is really a second password (the shared secret) with a weird way of proving to the server that you know this password. It is 'Multi-Factor Authentication' partly because you're normally supposed to use another device to generate the TOTP code, not your desktop or laptop, and partly because you don't memorize the TOTP secret, you store it somewhere. If you're logging in on your smartphone in the first place, TOTP's MFAness boils down to 'your physical phone is what knows the TOTP secret, not you', so only someone in possession of your phone (in an unlocked state) can get at it.
TOTP is a popular way of doing MFA, perhaps the most popular right now, and it's not hard to see why. It's more secure than SMS and doesn't require the website to find (and pay) a SMS provider, and while it's probably less secure than push based approval, it doesn't require a bespoke mobile application along with a push notification backend cloud server setup. There are plenty of client applications for people with smartphones to chose and as I understand it, the server support is relatively widely available in open source libraries.
(There are some TOTP desktop applications, but I think your choices aren't as broad or as polished as on phones. On the other hand, you can get them even on Linux.)
Websites using TOTP MFA may allow you to enroll multiple devices, each with their own TOTP secret code. However, even if they don't explicitly offer this option, there is nothing stopping you from loading the same TOTP secret code into multiple TOTP apps on multiple devices, or even directly saving the TOTP secret code so that you can later feed it into whatever you want. Websites often ask you not to do this (and especially tell you to throw away the initial TOTP secret code or QR code, not keep it anywhere people can find it), but they can't force you and they can't tell if you're doing this because there's no explicit communication between them and your TOTP app the way there is with push based approval.
(The advantage of enrolling multiple devices with separate TOTP secret codes is that you can hopefully revoke just one device's TOTP secret code if something goes wrong. If everyone has the same code, everyone has a flag day if it has to be revoked and redone. You might also get better auditing.)
This means that if for some reason you have to add MFA to a shared administrative account on some website, you're generally best off if the website supports TOTP MFA authentication. You can probably get TOTP clients for any environment the relevant people use and load the TOTP secret code into all of them, enabling each person to MFA to the website as the shared account. You can probably even print out the QR code the website generates for you, fold it up, and seal it in a 'break glass in case of emergency' envelope in your password safe.
(Each TOTP app knows the TOTP secret code that's encoded in the original QR code, but they may well not support any way of giving it back to you, especially in usable form, partly because that's a security exposure.)