I am new to the topic and wondering if installing an offline 2FA app (which would get synchronized only once) on a smartphone can provide the same security as using hardware 2FA (such as Yubikey). I am looking for the most secure but also a practical solution.
I realize that my smartphone could be hacked, so a better option would probably be installing the 2FA app on an old Smartphone which would not be connected to any of my accounts. Would it be as safe as using Yubikey or am I missing something?
It’s great that you’re thinking about security when it comes to using 2FA. In terms of whether an offline 2FA app on a smartphone can provide the same security as a hardware 2FA key like YubiKey, it’s important to understand the differences between the two.
A hardware 2FA key like YubiKey is a physical device that generates a unique code for each authentication request. This means that even if someone steals your password, they wouldn’t be able to access your account without also having the physical key. In contrast, an offline 2FA app on a smartphone generates the code within the app itself. While it can still provide an additional layer of security, it’s not as secure as a hardware key.
However, if you take precautions like installing the app on an old smartphone that’s not connected to any accounts, it can certainly be a practical solution. Just make sure to keep the old smartphone in a secure location and take care not to lose it.
Ultimately, the choice between using an offline 2FA app on a smartphone and a hardware key depends on your personal preference and risk tolerance. Both options provide an additional layer of security, but a hardware key is generally considered to be more secure.
For what 2FA app to use, I (and almost every privacy advocate IMO) don’t recommend using Google Authenticator/Closed-source authenticator apps. I recommend Aegis (Android) or Raivo (iOS). They are both very good apps.
Thanks for your reply! I’m still trying to wrap up my mind around the exact differences between the two options though.
Indeed, both Yubikey and the app would generate the unique codes which I would need apart from the password. My assumption here is that in both cases someone would need to get physical access to either Yubikey or the smartphone in order to access my account(s). In this case, what’s the difference between the two options? Or is my assumption wrong because it is possible to hack a phone even if it is not associated with any accounts and isn’t used for surfing etc?
At the end, I guess buying several Yubikeys for backups should be the most practical option, at this point I’m only curious why I have never heard about using a smartphone with an offline 2FA as a kind of “hardware 2FA”.
I have never used any hardware key so I recommend that you check out this article :
It’s because using a smartphone with an offline 2FA app as a form of “hardware 2FA” is not a common practice. This is because hardware 2FA devices like Yubikey are specifically designed for this purpose and are generally considered to be more secure.
The app on the phone means that only that phone can be used to access your sites. Loose the phone (Theft, fire, battery, …) and you no longer have access.
With a physical key, you are encouraged to use two keys so that you have a backup. This is something I’ve been told cannot happen with an offline app on a phone.
If I am wrong, please let me know.
In my case, I am currently using Bitwarden which has a 2fa app built in. That’s what I use on sites that don’t support the Yubikey key but allows app for access. And I use the Yubikey (or the backup) for access to Bitwarden. So, my primary access and choice is Yubikey and the Bitwarden app for sites requiring app only.