MFA - Multi-factor Authentication
You should enable multiple authentication factors wherever feasible.
Methods, in roughly preferred order for security strength:
- Security keys
- TOTP / HOTP
- Works offline, but still vulnerable to phishing - and can be lost if phone is lost
- OneLogin's description of TOTP vs HOTP
- Apps to store TOTP codes:
- YubiKeys also support a unique OTP that predates U2F/WebAuthn.
- The YubiKey presents to the OS as a keyboard, and a long string of characters are sent directly to the system
- Some older integrations only support this "YubiKey OTP"
- Requires Internet access - and can also still be phished
- Ideally, itself protected in turn by "harder" factors.
- Providers known to support strong MFA include:
- Can work without Internet access but requires phone connectivity - and still vulnerable to phishing
- Still better than no second factor at all
- Depending on your threat model, disclosing phone numbers to companies is itself a security/correlation/metadata risk (unless the service already knows your phone number)
For people in the Google ecosystem, I also strongly recommend their
Advanced Protection Program.
This enables additional enforcement, but be aware that you should have multiple keys enabled, to reduce the chances that you will lose access to all keys.