by tialaramex 2526 days ago
U2F saves you, most of the other options potentially make it worse.

If the bad guys are dumb and just were there to passively steal passwords then almost anything works. But if the bad guys are paying attention and stealing authentication secrets then it breaks down like this:

Passwords: Stolen if used while the bad guys could watch.

TOTP/MOTP/similar software one-time codes: Seed gets stolen by the bad guys; they can generate the same codes as you now.

SecurID/similar key fob type one-time codes: Seed gets stolen by the bad guys; they can generate the same codes as you now.

SMS: Now the bad guys know your phone number. In a targeted attack they will "jack" the number and cause even more havoc, but you might be safe against script kiddies.

U2F (or WebAuthn): The server doesn't know any secrets. It knows a cookie (meaningless gibberish except to one FIDO device) and a public key (public). Stealing these is futile and cannot be used to impersonate the user.

TOTP and SecurID surprise people because they forget that, although the credential transmitted is just a one-time code, the _server_ (which the bad guys broke into here) needs to know the same seed as the user does to get the same codes.
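The symmetric-seed point above, as an added example that is not part of the comment: the server-side TOTP check (RFC 6238, HMAC-SHA1, 8 digits) is the same computation that a copy of the stored record lets anyone else run, so the seed column in a user table has to be protected like a password hash would be, only it cannot be hashed. The user name and record layout are constructed for the example; the seed is the RFC 6238 test value.

```python
import hmac
import hashlib
import struct
import time

# RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically
# truncated to 31 bits, then reduced to the requested number of digits.
def hotp(seed: bytes, counter: int, digits: int = 8) -> str:
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

# RFC 6238 TOTP: HOTP with the counter set to the current 30-second window.
def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 8) -> str:
    return hotp(seed, unix_time // step, digits)

# What the server has to keep in order to check a user's codes: the very
# same seed the user's authenticator app holds. Constructed record; the seed
# is the RFC 6238 test seed.
SERVER_DB = {"alice": {"totp_seed": b"12345678901234567890"}}

def server_verifies(user: str, submitted_code: str, unix_time: int) -> bool:
    """Server-side check, as a real TOTP login would do it."""
    expected = totp(SERVER_DB[user]["totp_seed"], unix_time)
    return hmac.compare_digest(expected, submitted_code)

def code_from_stored_record(record: dict, unix_time: int) -> str:
    """Anyone holding a copy of the stored record can run the same computation
    the server runs, which is why a database dump is enough to pass the check.
    A WebAuthn/U2F record holds only a public key and offers no such path."""
    return totp(record["totp_seed"], unix_time)

if __name__ == "__main__":
    now = int(time.time())
    copied_row = dict(SERVER_DB["alice"])  # a leaked copy of the table row
    print(server_verifies("alice", code_from_stored_record(copied_row, now), now))
```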