💾 Archived View for nicholasjohnson.ch › 2022 › 08 › 05 › comparing-multi-factor-authentication-meth… captured on 2024-03-21 at 15:22:36. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2023-11-04)

➡️ Next capture (2024-05-12)

🚧 View Differences

-=-=-=-=-=-=-

 _  _ _    _        _              _     _                      
| \| (_)__| |_  ___| |__ _ ___  _ | |___| |_  _ _  ___ ___ _ _  
| .` | / _| ' \/ _ \ / _` (_-< | || / _ \ ' \| ' \(_-</ _ \ ' \ 
|_|\_|_\__|_||_\___/_\__,_/__/  \__/\___/_||_|_||_/__/\___/_||_|

🔗 Return to homepage

📆 August 5, 2022 | ⏱️ 2 minutes read | 🏷️ computing

Comparing Multi-Factor Authentication Methods

I made a nice little chart comparing multi-factor authentication¹ methods from a user standpoint. Despite some of the information in the chart being slightly subjective and depending on one's threat model, I still think it's useful. So here it is:

Multi-Factor Authentication Chart

+----------------+----------------+-----------------+-------------+--------------+----------------+-------------+-------------------+
| Authentication |   Risk-Based   |    Biometric    | Email Token |   Hardware   |    Security    |  Text Codes |     Time-Based    |
|     Methods    |                |                 |             | Security Key |    Questions   |             | One-Time Password |
+----------------+----------------+-----------------+-------------+--------------+----------------+-------------+-------------------+
|    Security    |     strong     |      strong     |     fair    |    strong    |      weak      |     weak    |       strong      |
+----------------+----------------+-----------------+-------------+--------------+----------------+-------------+-------------------+
|  Personal Data |    behavior    |   fingerprint,  |    email    |     none     |  personal life |    phone    |        none       |
|    Exposure    |    patterns,   |    signature,   |   address   |              |     details    |    number   |                   |
|                |  device info,  |    iris scan,   |             |              |                |             |                   |
|                |  access time,  |       etc.      |             |              |                |             |                   |
|                | location, etc. |                 |             |              |                |             |                   |
+----------------+----------------+-----------------+-------------+--------------+----------------+-------------+-------------------+
|    Pitfalls    |    can block   |  can be stolen  |    can be   | easy to lose |     can be     |    can be   |  must be updated  |
|                |   user access  |    or legally   | intercepted |              |   discovered   | intercepted |   if the online   |
|                |   by accident  |    coerced by   |  in transit |              | by information |   via SIM   |     service is    |
|                |                | law enforcement |             |              |    gathering   |   swapping  |    compromised    |
+----------------+----------------+-----------------+-------------+--------------+----------------+-------------+-------------------+

Conclusion

In terms of security, any of these options is better than nothing. But if you want maximum security with the least personal data exposure, just go with hardware security keys or time-based one-time passwords. Other authentication methods are either not very secure or they collect personal information.

References

🔗 [1]: multi-factor authentication

Copyright 2020-2024 Nicholas Johnson. CC BY-SA 4.0.