What’s the Best Way to Secure Online Authentication in 2025?

Asked By TechWiz43 On

I'm looking for the best approach to online authentication for myself and feeling a bit overwhelmed. Currently, I use a password manager (Bitwarden) with unique passwords for all my accounts, Google Authenticator for two-factor authentication (2FA) on important accounts, and I keep SMS backup codes where required. However, I keep reading that there are vulnerabilities in my setup. For instance, SMS can be compromised through SIM swapping, authenticator apps can be at risk if someone steals my phone, and relying on a password manager poses a single point of failure.

I want to know if hardware keys, like YubiKey, are really the best option out there or if there's something even better now. I'm also intrigued by biometric verification—Apple's Face ID, Windows Hello with fingerprints, and even some iris scanning technologies. While the biometric approach seems appealing because it can't be easily stolen or phished, I'm concerned about the security of my biometric data. What if that data is compromised?

So, I'm curious—between hardware keys and biometrics, which are better for everyday security? Is it wise to combine methods like a hardware key with biometric options, or would that be overkill? I'm not looking for military-level security, just a reasonable level of safety for things like banking, email, and social media without complicating my life too much. Also, are there any authentication methods I should definitely avoid? I understand that SMS-only 2FA isn't great, but is it still better than nothing? I'd really appreciate insights from those who have a better grasp of this than the typical tech articles that often seem more like marketing than information. Thanks!

5 Answers

Answered By PracticalSecurity On

Your current setup is pretty solid! If your phone gets lost or stolen, you can wipe it remotely through your Google or Apple account. Just ensure you’re using a strong PIN and stick to your passwords and MFA apps. Most people don’t need ultra-high security as long as they practice safe habits online. If you do stick with SMS, just use it as a last resort; it's definitely better to use app-based 2FA when possible!

HackerHunter -

Absolutely, good habits make all the difference, just be aware of common phishing schemes!

SecuritySavvy -

Exactly, and be cautious about permissions on your phone as well!

Answered By SecureNinja99 On

For most people, using a password manager along with app-based multi-factor authentication (like Google Authenticator or Authy) is more than enough security. If you're worried about losing your phone, just make sure to set a strong PIN on your authenticator app. While someone's phone could theoretically be stolen and hacked, it's really more likely that a phisher would trick you into giving them your one-time code! Also, keep those backup codes safe; printing them out and hiding them works pretty well in case of emergencies.

SafetyFirst456 -

Good point! Plus, physical attacks like that are rare—most hackers are trying to remote in or exploit your habits.

CautiousCarl -

Definitely! Be smart online and stay away from sketchy apps.
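
Why the one-time code mentioned in the answer above can be phished, as an added example that is not part of the thread: a standard RFC 6238 TOTP check takes only the shared secret, the submitted code and the server clock as inputs, so a code remains valid for its short window no matter which page it was typed into. The secret is the RFC 6238 test key, the timestamps are constructed, and `verify` with its one-step drift tolerance is an assumed, typical server policy.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step, the usual authenticator-app default


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: HOTP computed over the time-step counter."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, now: int, drift_steps: int = 1) -> bool:
    """Server-side check (assumed policy: accept +/- one step of clock drift).

    Nothing here identifies the site where the code was entered or the
    device that sent it, which is what separates TOTP from passkeys and
    hardware keys that sign over the requesting origin.
    """
    return any(
        hmac.compare_digest(totp(secret, now + d * STEP), submitted)
        for d in range(-drift_steps, drift_steps + 1)
    )


def acceptance_window(secret: bytes, issued_at: int, horizon: int = 300) -> int:
    """Seconds after issue during which the same code still verifies."""
    code = totp(secret, issued_at)
    return sum(1 for t in range(issued_at, issued_at + horizon)
               if verify(secret, code, t))


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test key, not a real secret
    issued = 59                        # constructed timestamp
    code = totp(secret, issued)
    print("code shown in the app:", code)
    print("accepted 20 s later, whoever submits it:", verify(secret, code, issued + 20))
    print("accepted 2 min later:", verify(secret, code, issued + 120))
    print("seconds the code stays usable:", acceptance_window(secret, issued))
```

The takeaway for the setup discussed in this thread: the short validity window limits a stolen code's lifetime but does not stop it being relayed in real time.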

Answered By AnonymousSaver On

If you can, go for passkeys—they’re super convenient and secure since they store your credentials on the device and use biometrics to unlock them. It’s the best of both worlds without the risk of sharing biometric data with third-party services. If you can't get passkeys, stick with a password manager and real-time 2FA whenever it's available.

Answered By PasswordProdigy On

I stick to KeePass for my passwords, stored on Google Drive for easy access across devices. I also keep a keyfile separate from the cloud to add an extra layer of security. So if someone hacks Google but doesn’t have my keyfile, they’re out of luck! I use Google Authenticator on both my phone and iPad as a backup, and have 2FA set up everywhere I can. Always keep unique, complex passwords and avoid letting browsers save them!

Answered By FutureProofGuy On

The landscape is definitely evolving! You've got passwords, SMS 2FA, authenticator apps, and now the rise of passkeys. For solid security that's future-proof, getting a YubiKey and using passkeys is a great combo. If you just want decent security, your current setup with a password manager plus auth app should work fine for most of what you do. Just remember to keep things like social media a bit simpler if you don't care as much security-wise!
