Using SMS as a two-factor authentication method is quite a [bad idea](https://philipp-markert.com/assets/papers/way19-5-view-the-email.pdf). Bruce Schneier [agrees](https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html) with [NIST](https://pages.nist.gov/800-63-3/sp800-63b.html), whose SP 800-63B now classes SMS as a *restricted* authenticator, saying that it should no longer have any place in a 2FA environment. The UK's National Cyber Security Centre ([NCSC](https://www.ncsc.gov.uk/guidance/setting-2-step-verification-2sv)) also does not recommend it.

*(Image: MFA USB token)*

While this was initially a novelty, it has lately started to grate on me that each application and service has its own secret key and authentication method, and often its own physical 2FA key. Once a user has to carry around multiple 2FA tokens, weariness settles in and they compromise on security.

To prevent this, many 2FA implementations have tried to do away with multiple 2FA devices. Most of them (for reasons other than security) have settled on the *least-common-denominator* 2FA method: insecure SMS. Setting aside the security aspects (very well covered [elsewhere](https://www.schneier.com/blog/archives/2017/05/criminals_are_n.html)), I am also at the mercy of being in a network coverage area. This might not be the case when travelling somewhere your network provider has no roaming agreement.

`oathtool`, from the OATH Toolkit and packaged for most Linux distributions, is a nifty command line tool for websites that use standard HOTP/TOTP based 2FA ([RFC 4226](https://datatracker.ietf.org/doc/html/rfc4226) and [RFC 6238](https://datatracker.ietf.org/doc/html/rfc6238)). When enabling 2FA from the "*Security Options*", choose to authenticate using an "*authenticator application*". This should pop up a QR code, or it might offer you the option of copying the shared secret (the `pKey`; despite the name it is a symmetric secret known to both you and the server, not a private key). Most of the time the `pKey` is encoded using [*base32*](https://en.wikipedia.org/wiki/Base32). The tool uses *SHA-1* by default, but this can be changed using the `--totp=hash-algorithm` option (`sha1`, `sha256` or `sha512`), which must match what the service expects.
However, you are still at the mercy of the 2FA provider offering an authenticator-app option at all. Every time you need an OTP:

```
$ oathtool -b --totp "My Secret Key from some service provider"
191049
```

Here `-b` tells `oathtool` that the secret is base32-encoded, the quoted string stands in for the secret the provider gave you, and `191049` is the six-digit code for the current 30-second window. Suffice it to say, please keep the `pKey` private and encrypted using `openssl` or `gpg`, and decrypt it on demand rather than typing it on the command line, where it ends up in your shell history and in the process list. As `oathtool` can be run on any Linux device, this does not have to be your phone (which I keep losing or damaging). TOTP is especially cool for people who travel to different time zones, as the OTP is derived from Unix time, which has no time zone. What it does need is an accurate clock: servers typically accept only the current 30-second step and one step either side, so keep the device NTP-synced.
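To make concrete what `oathtool -b --totp` is doing, here is an added example (written for this post, not the OATH Toolkit's own code) that implements RFC 4226 HOTP and RFC 6238 TOTP in Python: it decodes a base32 secret the way `-b` does (tolerating spaces, lower case and missing padding), runs the HMAC and dynamic truncation, and shows the server-side check with a clock-drift window. The secrets in it are the RFC test-vector keys and a constructed base32 string, not anyone's real `pKey`; the function names are mine.

```python
"""RFC 4226 / RFC 6238 HOTP and TOTP, as an added illustration of what
oathtool computes. Example code for this post, not the OATH Toolkit's."""
import base64
import hashlib
import hmac
import struct
import time


def decode_base32_secret(secret):
    """Decode a base32 secret like oathtool's '-b': enrolment pages often show
    the secret in lower case, in groups separated by spaces, and without '='
    padding, so normalise all of that before decoding."""
    s = secret.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)          # restore padding to a multiple of 8
    return base64.b32decode(s)


def hotp(key, counter, digits=6, algorithm="sha1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then 'dynamic
    truncation' picks 4 bytes at the offset given by the low nibble of the
    last MAC byte, masks the sign bit and reduces mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter),
                   getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, unix_time=None, step=30, digits=6, algorithm="sha1"):
    """RFC 6238: HOTP with counter = floor(unix_time / step). Unix time has
    no time zone, which is why the code is the same wherever you are; only
    an accurate clock matters."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(key, unix_time // step, digits, algorithm)


def verify_totp(key, code, unix_time, window=1, step=30, digits=6,
                algorithm="sha1"):
    """Server side: accept the current step and 'window' steps either side to
    absorb clock drift, comparing in constant time. A device whose clock is
    off by more than window*step seconds will have its codes rejected."""
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        expected = hotp(key, counter, digits, algorithm)
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    # Constructed base32 string (it decodes to the RFC 6238 SHA-1 test key).
    secret_b32 = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"
    key = decode_base32_secret(secret_b32)
    print("six-digit code right now:", totp(key))
    print("RFC 6238 vector T=59, 8 digits:", totp(key, 59, digits=8))  # 94287082
```

The `verify_totp` window is the caveat from the text in code form: a drifted clock is the usual reason an otherwise correct secret produces codes the service rejects.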