As of 2023, there are many different ways to log in to a computer or phone and to the services you use on it, and several methods can be combined to improve your security. Much of it is contextual: are you using a website that shares data and services with another one you use? Do you log in with your fingers and eyes when you're on your phone? Does the website suggest a particular app or a 6-digit code to log in? Are you prompted to log in by email? And how are your passwords doing these days?
- Passwords can be forced to conform to a somewhat contorted set of complexity rules, which slows brute-force cracking by demanding more guesses and more computation from the adversary. This approach has one well-known weakness: the sticky note or text file where the password gets written down, especially when it has to be changed every 30-90 days.
- Combining memorable passwords with 2FA/MFA can reduce the chances of being “hacked”.
- Password managers like Bitwarden, 1Password, and KeePass can be used to maintain more complicated passwords without sticky notes. You can even use a memorable passphrase as your master password, but make it a long one (even whole sentences work).
- PIN: some systems offer a PIN. This is the standard for debit cards, and phones and Windows also use one, usually in tandem with a Google/Apple/Microsoft account.
- Chip & RFID: newer debit and credit cards, and various security badges, use chips and/or RFID to authenticate to a reader before a transaction or physical access is permitted. Depending on the application, this is usually combined with a PIN or keycode.
- Email: you may be sent a one-time login link by email. Discord, Slack, and other websites use this to streamline logins. It can be combined with a regular username/password on the account as a form of MFA.
- OTP app: Google Authenticator, Authy, FreeOTP, and other apps scan a QR code to sync with a website, then generate a 6-digit “one-time password” each time you log in. There is usually a set of “backup codes” you can generate for when your app is unavailable. This is probably the most common form of MFA right now, used in tandem with regular username/password logins.
- SMS text message: Facebook and others may send you an OTP code by text message. This is used as a second step when you're already logging into a website and aren't using an OTP app.
- Device / dedicated app authentication: Steam and Blizzard use dedicated apps to protect gamers from account hacking and unwanted online store access. You may also have access to FIDO/FIDO2 security tokens that use a finger/thumb press, or simply their presence, to prove you are physically at the workstation. Android phones can also approve Google sign-ins via a prompt on the phone. These methods are usually used to confirm that the person accessing the account is at the computer or phone making the request, and/or to require confirmation of a critical action.
- Biometric: your phone or computer may offer fingerprint or face detection as a form of login. This may be used in tandem with any other login methods (like face + PIN on Windows or phone).
- Security certificate: your IT administrator may deploy digital certificates to your computer/laptop, and for VPN and WiFi access, to provide a second layer of authentication (and/or encryption) for internal network access.
OAuth2 blends the other groups into a streamlined login for various websites. Companies can tie their websites into Google or Microsoft logins, so users sign in with a shared account that is secured on its own (and usually charge admins for that privilege). LinkedIn can use this to authorize pushing resume data from its APIs, and GitHub uses it to sign developers into partner apps.
Edit note: advice from a Reddit review + friends was incorporated into this, as needed.