Archives for July 2019

Why are we bashing 2FA?

I’m a huge proponent of Two-Factor Authentication (2FA). Is it a perfect system? Absolutely not, but what system is? There are more secure and less secure second-factor methods; every method has its own pros and its own cons, as well as the issue of many legacy login systems not being compatible with 2FA to begin with. But do you know one thing that 2FA is not? It is not less secure than not having it at all.

Passwords were never going to be the ‘forever solution’ to security; they’re too vulnerable in too many ways. In fact, 2FA is almost certainly not going to be a forever solution either – it still leaves too much room for fraud or human error in the authentication process. But the fact of the matter is that layering on the second factor extends the useful life of password protection in today’s digital age, mitigating (in many cases) the risk of using weak passwords; not to mention the problems caused by the constant breaches of systems around the world leading to the leaking and compromising of millions of passwords at a time.

That’s why I continue to be appalled at how many people seem to criticize 2FA as a methodology. It’s almost like they see one flaw in the system and then bam! The whole system is worthless. Last month I read an article from The Register which seemed to take that exact stance.

I understand that security is a trade-off between user convenience and information protection. It’s no different than physical security – you think anyone enjoys dealing with TSA on their way to catch a flight? But there does need to be an understanding amongst us. An understanding that security is there for a reason; an understanding that cyber criminals will steal people’s credentials for no reason and with no bias. This is why security is important and why it will, by definition, cause inconvenience. You could say then that the security itself is not to blame for the inconvenience, but rather the douche bags that cause the need for the security in the first place. If we compare this to airport security, the attempted shoe bomber is the reason that we have to take our shoes off now… thanks a lot Richard Reid. Ok, rant over, let’s get back to 2FA.

In the article from The Register, author Alistair Dabbs makes an interesting – maybe he thinks it is profound – point that his cat does not need 2FA to access the cat door: “the only reason it works brilliantly for my cat is that the other cats in my neighbourhood don’t have any programming skills” (para. 14). Ok, well there is that, but there’s also the fact that cats are (arguably) not malicious by nature. They *usually* don’t break into your house to steal the sticky note with your bank account login written on it. They *usually* don’t ransack your place looking for your social security number. I mean maybe it happens. Maybe?

Humor aside, cats don’t need 2FA because cats don’t exhibit the malicious behaviors that humans do. Cats don’t phish each other’s email boxes trying to steal login credentials. Humans, on the other hand, do have to live in this type of world, where there are seemingly more people than not who will try to screw you out of your Facebook login or the digits on your credit card just so that they can make a quick buck. Take a quick glance at some of the breaches listed in HIBP and the magnitude of this is astounding… and these are just known breaches. Even worse, the people who do this are frighteningly good at their trade. Phishing techniques are getting increasingly believable and it seems impossible to have 100% of your user base adequately trained on these types of threats. This is why we need 2FA. Is it inconvenient? Absolutely. Is it necessary? Absolutely.

One struggle today is that we’re accessing many platforms that provide no 2FA support at all; or, commonly, those that provide 2FA capabilities but only through either inconvenient or insecure means (such as TOTP via app or via SMS, respectively). The lack of broad acceptance or mass implementation of 2FA creates problems because simple usernames and passwords are clearly a broken form of authentication. My hope is that we’ll continue to make strides towards a password-less future, but that time is a long ways off. Until then we need to implore developers to add some form of multifactor auth to their applications.

Like I said earlier, 2FA is not going to be a ‘forever solution’ to security. I don’t know if there will ever be one as criminals will always work to break the system. But 2FA is, if nothing else, an improvement to passwords by themselves – we should appreciate it for that while also being mindful of its limits as we strive towards a forever solution.