Multi-Factor Authentication

MFA is necessary but not sufficient as an OpSec strategy. If you have not yet implemented MFA, we suggest making it your first priority as soon as you finish reading this page.

Not all MFAs are created equally. A few recommendations:

1. Stay away from text and email as MFA methods. There are innumerable reasons why neither of these methods is a good idea. Suffice it to say, best practices have long since outlawed these MFA methods.

2. TOTP (e.g., Google Authenticator) is good but not great. Why? It is easy enough to trick users into entering TOTP codes into a phishing site. The methods cited below are more difficult to exploit. Also, any manual typing is susceptible to keyloggers.

3. Push-based MFA is better. Why? Because initiating a push notification on iOS/Android requires that the device itself be enrolled with the identity provider. Phishing sites cannot initiate a push notification to the Gmail app, for example, without a major compromise of Google's infrastructure.

4. Passkeys are the best. Biometrics are hard to fake, and in a world where attackers are looking for low hanging fruit, passkeys protected by biometric factors are typically too hard for them to reach. However, passkey storage is critical to ensuring that this choice is secure - please read the note below.

5. Key admins (e.g., your G Suite admin) should be using Yubikeys. They are inexpensive and easy. There is no excuse here for not protecting the keys to the castle with the industry gold standard for MFA.

Once you have MFA in place, you are ready to move on to the next step in your Opsec framework. However, before you declare your MFA journey a success, make sure you haven't forgotten any of your communication tools along the way. In this industry, we often use a combination of X, Signal, and Telegram, and each of them can and should be protected with an additional authentication factor. Also, note that the more you allow one-off sign-ins for each tool you use, the more you have to be concerned about the MFA features of each tool. Implementing single sign-on wherever possible is the best way to enforce MFA across all the tools you use.

Take into consideration that, while using passkeys seems the most appropriate course of action, using them irresponsibly could lower your security posture. Passkeys only improve security when they remain tied to a strong device and recovery model; used carelessly, they can weaken it by shifting trust from a hard-to-phish login flow to softer cloud sync and account recovery paths. A common failure case is storing high-value passkeys in consumer sync ecosystems protected by weak recovery, reused credentials, SMS reset, or unmanaged devices, so an attacker who compromises the sync account can restore those passkeys on their own device and log in cleanly with what appears to be strong authentication. In that setup, the passkey itself is not broken, but the overall security posture is worse because the real attack surface becomes account recovery, device enrollment, and endpoint compromise rather than direct credential theft. A typical mistake would be to store a passkey in the Google password manager for your personal Google account, which may not be adequately protected with a strong password, MFA, and a secure account recovery method.

To address the passkey storage issue, this section should be read in conjunction with the section (coming soon) about password handling and password management. Passkeys are the strongest form of MFA when stored in a secure password manager with biometric authentication (e.g., Bitwarden, 1Password). Passkeys stored in a personal account that uses phone or SMS as a recovery mechanism make overall security worse, not better. Before finalizing any decision to migrate to passkeys, please read the password management section and ensure that you are ready to store your passkeys securely.