How to use two-factor authentication without a phone
Two-factor authentication is a powerful security feature that improves the security of online accounts significantly when set up. It will be replaced with passkeys eventually, but this is not going to happen overnight.
Two-factor authentication adds a second security layer to the sign-in process. Users receive or generate a code, which they enter on the site or in the app.
Several of the most popular two-factor authentication methods require a mobile device. There is the option to receive text messages with the code or authenticator apps, which users need to install and set up on their mobile devices.
While most Internet users do have access to a smartphone for that, there are situations where using a phone may not be an option.
- The smartphone is not available, e.g., it has been misplaced or was stolen.
- Regulations may require "more secure" methods.
Using 2FA without a mobile device
There are two main options when it comes to using two-factor authentication without mobile devices. Assuming that a computer is used, as two-factor authentication without a mobile device and computer would make little sense, the following two options are available:
- Installing an authenticator app directly on the desktop computer or notebook.
- Using a security key.
The selection of authenticator apps for desktop operating systems is limited when compared to the abundance of authenticator apps for mobile devices. Still, there are some that users may install.
There is a selection of Authenticator apps available on the Microsoft Store, and several password managers, like Bitwarden, include authenticator support, which may be used as well.
Most solutions target businesses and not individual users, though.
The second option that is available is provided via security keys. These are physical devices that are either connected to the device directly, e.g., via USB, or via methods such as NFC or Bluetooth.
Yubico's Yubikey 5 series alone comes in several different flavors, from basic options that are connected to a device using USB to devices that support multiple connection options and work on desktop and mobile devices alike. The company has a short quiz on its website that suggests a product based on a few answers.
Yubico is not the only manufacturer of security key solutions. Google has its Titan Security Keys, which also come in different flavors, and Thetis maintains a range of security key solutions as well.
Security keys for individuals come at a cost, while authenticator apps are free to use. Most security keys offer more options than authenticator apps, as they may support more services and protocols besides creating one-time passwords for services.
Closing Words
Whether a desktop authenticator app or a security key is the right choice depends on individual requirements. It depends on the operating system, the number of devices, and several other factors.
If just a desktop or notebook is used, authenticator apps may be fully sufficient when it comes to two-factor authentication. Security keys are the sophisticated solution, they may be carried around, and support additional protocols and options, including the ability to use them with smartphones.
Now You: authenticator apps or security keys, which do you use and why?
There is a simple method. Just proceed as if you are using the google authenticator app, but when you have the QR code you can burn the seed details from the QR code onto a programmable totp token (e.g. Deepnet’s SafeID/Diamond). Using this approach you bypass any need for a P1/P2 from Microsoft, the internal clock is correctable (but lasts years), and as this type of token is fully self-contained you won’t need to access a mobile phone when logging in.
Bitwarden does not support TOTP on the free tier (for third party websites) but you can authenticate to bitwarden itself with 2FA on the free tier.
Authy sign up requires a phone number – this is problematic for someone without a phone.
Yubico has their own authenticator app. I have two keys on order. 5cNFC primary and spare for the safe. Linux, Mac, Windows, Android, IOS etc.
The TOTP code is stored on the key. Currently I use the freebie Google Authenticator. Stolen phone, that goes with it. I’m locking down with keys, to the degree possible.
Two factors on one device? Totally dumb idea. Just like fixing circuit breaker with wire.
The EU requires 2FA by law.
As a user I want to have 2FA as simple as possible. What do I experience? The 6 or so organizations, which require 2FA all use a different method. For most (often elderly) people a disaster.
The easiest method for the user (not mentioned here) is browser recognition (used by one of my banks) and PC profiling (used by a well-known internet shop).
Easy dont use it all.
There are thousands of articles on the net on how easy it is to compromise and bypass. How to get peoples personal details, but I won’t link to them here as that would probably violate the terms.
Suffice it to say, 2FA is all hype. It has been compromised many times recently and is NOT secure and never will be because big tech wants it that way. It’s not about security. It’s about collecting more personal information.
@Martin … you read my mind from a few weeks back. Thanks for having this article.
Some issues that I can see with hardware passkey keys is the lack of ability to update the firmware (this is similar to TPM if they decided to upgrade that and the system/module is End Of Life’d)… have to love that planned obsolescence before it’s slapped on a lunch box.
Additionally some sites, like GitHub, require you to have an “idiot phone” THEN you can add a hardware key. This is really inept IMHO… but then they are now owned by Microsoft. ;) Enabling “Big Brother” with your cell metadata.
The main problem is that all cryptography can be broken in some form given enough time. The planned obsolescence is ripe for this “work-around” technology being ready for the general public even before it’s generally “accepted”.
Keepass is good for 2FA. But, some years before, I got messed with a online games hosting service and lost my unique passwords, that I got, and after all I dont use it anymore. I prefer Google password manager, keepass database, and my memory at least.
Are you sure Microsoft Authenticator is available on the Microsoft Store? I’m not seeing it on Windows 10.
You are right. I changed the info, thank you!
I do use Authy both on my phone, on desktop and on notebook. the advantage is that this one app, works on all 3 of my device types. Google, I don’t trust so there auth. app is out, MS well do I have to say something more ?
Must investigate KeepassXC, (see it above) that I do use, for the 2FA though
Some password managers like KeePassXC offer 2FA support as well.
On Windows 10+, 2fast (Store app) is a pretty good alternative to Microsoft Authenticator.
On GNU/Linux desktops, you can make your own 2FA authenticator into the terminal emulator (command line), using the “pass” password manager program. Just search on the Odysee video website for ‘luke smith pass two factor’ and you’ll find a video with clear instructions.
Thanks @Andy Prough.
I’ll have to give that a try. Hope it works better than LUKS with storage media.
And an update. pass works very well all the times I’ve tried it. Thank you again! At least I didn’t have to use a burner phone.
As far as the security keys go… most of them are WAY overpriced. I’m still very concerned with an attack vector that may break a certain keys firmware revision and make current in use one obsolete and force everyone to buy new ones _(think TPM 1.2)_.
The ones that I did investigate don’t actually advertise what the current version is on their web sites that I could find… that’s not good business even if one can’t easily update it _(they have to write them before packaging so it is possible given the right additional hokey pokey dance)_
@Martin. is Yubico a sponsor or pay cash for comment?
Neither.