
Why Two Factor Authentication Isn't Great

Two Factor Authentication (2FA), the two-factor case of what is more generally called Multi Factor Authentication (MFA), is authentication that requires more than one secret, with each secret independent of the others.

I’m writing this to collect and organize my thoughts on the subject, along with the thoughts others have had on it. It seems like every time the security of an account is discussed, Two Factor Authentication (2FA) is brought up, even in cases where it will provide no help whatsoever. I'll state now that this is a rough draft and more of me dumping my thoughts into words.

Feel-Goodery is on the rise

I’m starting with this because it seems to be an emotionally driven discussion for people. Those presenting counterarguments are often downvoted and ridiculed - not with a sound argument, but out of this desire for feel-goodery - as if someone is insulted to be told otherwise.

I actually use 2FA on a lot of accounts. I just think it’s an extra little piece of security that works well only in limited circumstances, and I have no illusions about how it can be subverted.

Defining 2FA

The hardest part about having this discussion is properly defining 2FA. There are literally hundreds of ways of doing it, each with its own positive and negative attributes. When people throw out the term 2FA, we can’t tell which one they’re talking about.

I found the easiest way to understand this is to understand the process of authentication. Authentication is the means by which a server determines that YOU are the person who should have access to whatever it is. Traditionally this is done with a username (the account being accessed) and a password (a secret that only you should know and that the server can check - proving it is you).

2FA is the means of adding an additional factor, or, better put, an additional secret, independent of the username/password check. Factors are usually grouped as something you know (a password), something you have (a phone, a token, a key) and something you are (a fingerprint); the second factor should come from a different group than the first. There are hundreds of methods, but the popular ones seem to be:

  • SMS Text Message: a code sent to your phone number, which you must type in to authenticate. The number is controlled by your carrier, so this factor is only as strong as the carrier’s own account controls.
  • OTP (One Time Password): a token or authenticator app that derives a short code from a shared secret and either the current time (TOTP, a new code every 30 seconds) or a counter (HOTP). The server holds the same secret in order to check the code.
  • Hardware Key: a device (e.g. a FIDO/U2F key) that you must physically possess; it signs a challenge from the site with a private key that never leaves the device.
  • App Approval: a push notification to your phone that you approve or reject.

2FA is NOT a second password or anything like it. A second password is still something you know, and it falls to the same phishing page or keylogger as the first. The idea is that each factor is independent of the others, so that compromising one does not compromise the next.
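To make the OTP bullet concrete, here is the TOTP/HOTP arithmetic as an added example (my illustration, not code from this post): a short code derived from a shared secret and the current 30-second time step, plus the skew window and replay check a server needs when it verifies one. The secret, times and expected codes are the published test vectors from RFC 4226 and RFC 6238 (secret `12345678901234567890`); the iteration of the function and parameter names is mine.

```python
"""TOTP (RFC 6238) on top of HOTP (RFC 4226), standard library only.

Added example, not code from the post. The only state the server needs is
the shared secret and the last counter it accepted for this user.
"""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(secret, counter), dynamic truncation, decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    t = int(time.time() if for_time is None else for_time)
    return hotp(secret, t // step, digits)


def verify_totp(secret, code, for_time=None, step=30, window=1, last_counter=-1):
    """Server-side check.

    Accepts codes from `window` steps either side of now (clock skew), but
    never a counter at or below `last_counter`, so a code sniffed from the
    wire cannot be replayed inside the same 30-second step.
    Returns the accepted counter (store it as the new last_counter) or None.
    """
    t = int(time.time() if for_time is None else for_time)
    now = t // step
    for counter in range(now - window, now + window + 1):
        if counter <= last_counter:
            continue
        # compare_digest: no early-exit timing leak on the code comparison
        if hmac.compare_digest(hotp(secret, counter, len(code)), code):
            return counter
    return None


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps exchange the secret as unpadded base32 (otpauth:// URIs)."""
    s = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"           # RFC 4226/6238 test secret
    print(totp(rfc_secret, for_time=59))           # 287082 (RFC 6238 SHA1, 6 digits)
    print(verify_totp(rfc_secret, "287082", for_time=89))                   # 1
    print(verify_totp(rfc_secret, "287082", for_time=89, last_counter=1))   # None: replay
```

Note what the server stores: the same seed the phone uses. That matters for the "website got breached" scenario later on; a database dump that leaks password hashes leaks these seeds right alongside them.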

Discussion

On the surface 2FA sounds like a really good idea. If someone were to get your login and password, they still can’t get into your account unless they have the second factor (which you control). It is very convincing, but it’s also a poor way of looking at things. Banks and big businesses look at security from the perspective of threat models.

You can’t just think of it as a good idea because it sounds like one. You need to think about how one breaches an account. It’s not like poof, someone has your login and password, even though it may feel like that as an end user. They obtained your login and password by some means, and that means is what matters.

Threat modelling is looking at reality and figuring out how best to work with it, rather than taking some abstract idea that sounds good. You’re trying to determine the means of attack, whereas 2FA seems to be the universal reflexive advice for the poof-someone-has-your-password scenario.

When you start to have discussions about 2FA and ask what attack we are trying to prevent, you can finally start to get somewhere in understanding where it may work well and where it may not work at all.

A very common attack people bring up is the key logger. This could be malicious software (malware), or it could be someone who has access to your computer. Either way your key strokes are being recorded and someone gets to see them, exposing your password (secret). The argument goes that with 2FA they still can’t get in.

The reality of this scenario is that your computer is compromised. Whoever controls it can do pretty much what they want within the constraints of the software. A key logger is a very benign piece of software when you consider how far malware can take it. They could take over your session while you’re logged in, by stealing the session cookie the site issues after you have already passed the 2FA check, or by injecting into your browser and acting inside that session. Even a hardware key, which resists phishing because its signature is bound to the site’s origin, does nothing against a stolen session. They could compile detailed information about you, which may be enough to reset the account (and at most sites resetting an account also resets or bypasses your 2FA).

Another scenario people use is a website getting hacked and its data, including passwords, being breached. If the hackers try to log in to your account, they’ll be unable to.

This is an interesting scenario for a variety of reasons. Any website worth anything will store your password as a salted hash computed with a slow, purpose-built function (bcrypt, scrypt, Argon2 or at least PBKDF2), not as plain text and not as a bare MD5 or SHA-1 hash. The idea that the passwords are stored in plain text, or that a hacker would have near immediate access to them, is highly unlikely. Against a proper salted, slow hash a strong unique password is effectively uncrackable; a weak or reused password still falls to a dictionary attack no matter how it was hashed, which is why the password advice at the end matters. All your important websites (banking) should fall into this category.

If we assume the scenario where passwords were easily compromised, 2FA could protect you only if you ignore the fact that the system itself is compromised. A hacker who got the password database could have altered the system, reset details of accounts, or whatever (who knows). For TOTP in particular, the server stores the same seed your authenticator app uses, so the breach that leaks the hashes leaks the second factor too. The idea that a compromised system is capable of keeping your data secured while at the same time being compromised is silly.

This ignores the point that passwords should not be so easily compromised. If passwords are stored as unsalted hashes and vulnerable to a rainbow table attack, or as fast hashes that a GPU rig can grind through in hours, the security of the server is garbage and it won’t matter whether you have 2FA or not.
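The difference between "rainbow table attack" and "salted hash" above, as an added example (mine, not code from this post, standard library only): an unsalted fast hash lets one precomputed table crack every account with a common password at once, while a per-user salt and a slow, iterated KDF force a full derivation per (user, guess) pair. It also shows the caveat that the salt does not rescue a weak password. The user names, passwords and the "common password" list are constructed sample data, and the iteration count is an assumption you would tune to your server.

```python
"""What 'salted hash' buys a breached site, and what it does not.

Added example, not code from the post. The user records and the
'common password' list are constructed sample data.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumption: tune so one check costs ~0.1 s on the server


def weak_hash(password: str) -> str:
    """Unsalted, fast hash: the same password always yields the same digest,
    so one precomputed (rainbow/lookup) table cracks every account at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password: str, salt: bytes = None) -> dict:
    """Per-user random salt + slow iterated KDF (PBKDF2 here; bcrypt, scrypt
    or Argon2 are the usual production choices)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iters": ITERATIONS, "hash": digest.hex()}


def verify(record: dict, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iters"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


# --- the attacker's side, run against a stolen database ---------------------
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "hunter2"]  # constructed


def build_lookup_table() -> dict:
    """Computed once, reused against every breach that used weak_hash."""
    return {weak_hash(p): p for p in COMMON_PASSWORDS}


def crack_unsalted(stolen: dict, table: dict) -> dict:
    """user -> password for every account whose digest is in the table."""
    return {user: table[h] for user, h in stolen.items() if h in table}


def crack_salted(stolen: dict, candidates) -> dict:
    """With salts there is no table: every (user, guess) pair costs a full KDF
    run, so a strong password is out of reach, but a weak one still falls."""
    found = {}
    for user, rec in stolen.items():
        for guess in candidates:
            if verify(rec, guess):
                found[user] = guess
                break
    return found


if __name__ == "__main__":
    users = [("alice", "hunter2"), ("bob", "hunter2"),
             ("carol", "correct horse battery staple")]
    unsalted_db = {u: weak_hash(p) for u, p in users}
    print(crack_unsalted(unsalted_db, build_lookup_table()))   # alice and bob, instantly
    salted_db = {u: make_record(p) for u, p in users}
    print(salted_db["alice"]["hash"] != salted_db["bob"]["hash"])   # True: salts differ
    print(crack_salted(salted_db, COMMON_PASSWORDS))               # still alice and bob
```

Two things to take from it: the salted database costs the attacker a KDF run per guess per user instead of one table lookup, and carol’s strong passphrase survives in both cases while alice and bob do not, salt or no salt.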

I could go on with examples, but inevitably you’re going to find the same sort of situation arising. There’s always something compromised that creates the vulnerability, and that same compromise usually reaches the second factor as well. When a password is just poof found, 2FA makes a lot of sense, but when you get into the nitty gritty of how the password was acquired you realize the weakness lies elsewhere. I suppose 2FA works well against someone guessing your password, but statistically I’d be more concerned with my laptop catching fire and burning me to death. If you use the same password at every site and one of them is compromised, the rest are exposed, but you don’t need 2FA to fix that problem: unique passwords fix it.

Lastly, you may not have heard of accounts with 2FA being breached. Really, how often do we hear about breaches at all? The truth is that many hacks are hacks of opportunity. All that means is that there was an open door and someone took it. Focused attacks on an individual are really uncommon.

The idea of someone hacking your online bank account is sort of funny. It’s not like your account has a button to empty the account and send it directly to the hacker. In mine, they can pay bills to reputable businesses. They can send email money transfers, which require a legitimate bank account on the other end. They can transfer money between linked accounts (which are mine; adding another takes business days and a legitimate bank account). Honestly, there isn’t a lot to gain.

Where could a hacker safely and anonymously profit? Bitcoin. I recommend checking out the Bitcoin discussions on reddit and various forums. You can hear all the stories of people who had all their money stolen from accounts that had 2FA enabled. It’ll blow your mind.

The Long-term issue with 2FA

It seems like many people live in a myopic bubble when it comes to the way they look at things. Me, me, me. When a bank looks at security, it is thinking about it for the masses. 2FA might sound like the greatest thing ever to you. You may know how to use it properly and have very measured expectations of it. The reality for a bank is: how many people are going to use it? How many people are going to like it? How many people are going to get pissed off? And how many people are going to be locked out?

You’re probably thinking, so what? A little annoyance and a lockout still result in secure accounts. Very true, but this is a big picture item. A system that users HATE, or that inconveniences them, inevitably gets softened somewhere.

The one big softening I see, if 2FA becomes mandatory at a bank, is that resetting an account (which resets 2FA) will become very easy. You can’t just think of yourself. I think of my mom. I think about how, when she struggles with this, she’ll be forced to call up, reset, and poof - an open account.

If she can call up and easily reset her account (just like every basic user should be able to do), then what is stopping a would-be hacker from calling up? I think today of how little information I need to present to get my account reset. Some places all I need is my name, address and date of birth. Others might ask me for a few recent transactions. Imagine that, except more convenient.

The Reality of Security

The challenges that exist with security need to be understood. All the various forms of security have pros and cons. 2FA has pros and cons. The various types of 2FA have pros and cons. All these pros and cons need to be weighed against the reality of a user base and how much it is willing to deal with.

In Canada, people really hate on the banks, constantly, about how they don’t have 2FA. I’ve pointed out many times that I could give people my username and password to all my banks & credit cards and they wouldn’t get into any of them. The main reason is security questions. Strictly, a security question is a second thing you know rather than an independent factor, and its answers are often guessable or findable, so it doesn’t meet the definition above; but again, pros and cons. Types of questions have pros and cons. I don’t really see the need to devise a brand new system when the current one works, is already fully deployed and most people are used to it.

Did you know that, today, we have the ability to authenticate with a server without ever sending a password and without the server ever storing anything that could reveal it? Wild, right. Even if the server was breached, a hacker would be no closer to gaining your credential. It’s known as asymmetric (public-key) cryptography: the server keeps only your public key and checks that you can sign a fresh challenge with the private key, which never leaves your device. This is how SSH keys, client certificates and FIDO2/WebAuthn hardware keys work. Why don’t we use it everywhere? Well, pros and cons. When you look at the mass of users, the cons are huge: the private key lives on a device, devices get lost and replaced, and the recovery path for those users is the same soft spot as the 2FA reset above.
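The exchange described above, as an added example that is not part of the original post: the server stores only a public key, the client proves possession of the matching private key against a fresh challenge, and neither the password nor the private key ever crosses the wire. Because the standard library has no Ed25519, this uses the textbook Schnorr identification protocol in the multiplicative group mod a prime; the prime `2**127 - 1`, the base `G = 3` and the function names are my assumptions, and the group is a toy size chosen so the arithmetic is readable, not a production parameter. Real systems (SSH, WebAuthn) use Ed25519 or ECDSA through a crypto library, but the shape of the exchange is the same.

```python
"""Password-less challenge/response: the server stores only a public key.

Added example, not code from the post. Schnorr identification over the
multiplicative group mod P, standard library only. P is a toy parameter.
"""
import secrets

P = 2 ** 127 - 1     # Mersenne prime; toy size, far too small for production use
G = 3                # fixed base (assumption); any 1 < G < P-1 keeps the maths correct
Q = P - 1            # exponents are reduced mod the group order


def keygen():
    """Run once on the client. x never leaves the device; y is sent to the server."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


# --- client side ------------------------------------------------------------
def commit():
    """Fresh randomness per login; reusing r across two logins would leak x."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(G, r, P)


def respond(x: int, r: int, c: int) -> int:
    return (r + c * x) % Q


# --- server side ------------------------------------------------------------
def challenge() -> int:
    """Unpredictable per login, so an old transcript cannot be replayed."""
    return secrets.randbelow(2 ** 64)


def check(y: int, t: int, c: int, s: int) -> bool:
    # g^s == t * y^c   <=>   g^(r + c*x) == g^r * (g^x)^c
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def login(client_private_key: int, server_public_key: int):
    """One login. Only t, c and s cross the wire; the server's record (y)
    cannot be turned back into x. Returns (accepted, transcript)."""
    r, t = commit()
    c = challenge()
    s = respond(client_private_key, r, c)
    return check(server_public_key, t, c, s), (t, c, s)


def replay(y: int, transcript) -> bool:
    """An eavesdropper resending an old (t, s) fails: the server picks a new c."""
    t, _old_c, s = transcript
    return check(y, t, challenge(), s)


if __name__ == "__main__":
    x, y = keygen()                       # y is all the server ever stores
    ok, transcript = login(x, y)
    print(ok)                             # True: genuine client
    print(replay(y, transcript))          # False: old transcript, new challenge
    x_bad, _ = keygen()
    print(login(x_bad, y)[0])             # False: wrong private key
```

Compare what a breach yields here with the salted-hash case: a dump of this server's database contains only `y`, and recovering `x` from it is the discrete logarithm problem, which is the whole point of the scheme. What the scheme does not solve is the user who loses the device holding `x`, which is exactly the recovery problem the section above is about.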

This is the real context of security. It’s the mass adoption of it all.

Conclusion

The whole point of writing this was to collect my thoughts on the subject. My intent isn’t to dissuade someone from using 2FA. Like I stated earlier, I use it. The intent was to show that 2FA isn’t an amazing thing that is the great equalizer against the hackers of the world. Its value is very limited in what it can do, and in many cases it will not save you.

I personally think that focus should be on REAL security. Just real deep down honest and proven security.

  • Good unique passwords for each website
  • Changing your passwords on a regular basis (90 days?) - note that current NIST guidance (SP 800-63B) no longer recommends rotation on a schedule, only when there is reason to believe a password has been compromised
  • Stay away from bad sites and keep your devices clean

I strongly encourage you to read 1Password’s discussion, Two Factor or not Two Factor, on why they haven’t implemented 2FA. 1Password falls into a slightly different category of authentication, as it is encrypting data rather than logging you in to a server, but it makes good points. Their essential point is that they don’t want to sell their clients feel-goodery. Bravo.

UPDATE: 1Password has added in 2FA and caved to the feel goodery mob.
