There has to be a better way to implement 2FA, here’s why.

Sukrit Venkatagiri
4 min read · Aug 5, 2016


Prologue

I recently read an article on Ars Technica which originally appeared here, on Medium written by Kapil Haresh. It systematically exposed the limitations of Apple’s two-factor authentication (2FA) scheme.

TL;DR? Here’s a brief summary of his well-written article (which you probably should read!)

Even if you have enabled 2FA on your Apple ID, Apple allows you to log in to the Find My iPhone, Apple Pay and Apple Watch settings on iCloud without requiring the second factor (most typically an iPhone) to authenticate the login. There are obvious reasons for this setup — namely, you cannot sign into an account that utilizes 2FA (with your phone as the second factor) when you don’t have access to your phone, whether because it was stolen, misplaced or the battery just ran out.

Seemingly, Apple hasn’t devised an alternate 2FA layer when the default of authentication via text message or notification on your iPhone is unavailable.

This opens up a lot of avenues for malicious hackers to take advantage of.

Google and 2FA

After reading his article, I was finally convinced of the need to enable 2FA on my Google account. Even though 2FA is rather cumbersome, that one extra step in protecting the single most important account, the one crucial to my entire internet presence, is well worth the hassle [most of the time].

Yet, when I looked into Google’s own 2FA setup, I found a few caveats — though they were far less glaring than Apple’s.

Here’s a brief overview of how it works.

The first factor is your username and password, which you use to log in (1).
Your credentials are then verified by Google (2), and you are prompted to authenticate via the second factor (3).

As the second factor (3), I’ve enabled the prompt notification on my phone, installed the Google Authenticator app, and enabled the text-message option. Alternatively, Google lets me save and print a set of 8 single-use codes in case my phone is unavailable. [Obviously, it would be foolish to save these codes on your computer in case it were to be compromised — thus it is always advisable to print them and store them in a secure location.]

After the second factor is authenticated, you are logged in successfully (4).

Onto the Fine Print

All seems hunky-dory right now. Your account is as secure as it will ever be — especially if you have a 20 digit alphanumeric password with special characters and your second factor, your phone, is secured with a 10 digit alphanumeric unlock code. [Overkill?]

Jokes aside, let’s see what happens when your phone is lost/stolen.

When I’m on a new device [or an incognito window] and try to use the Find Your Phone feature from Google, it asks me to sign in with my Google account password. All is well.

Then, I’m asked to authenticate via the second factor — almost all of which are only present on my phone! Somewhat of a caveat, don’t you think?

Luckily, I’ve also printed the 8 single-use codes provided and meticulously stored them somewhere safe.

Wait. What? 8 single-use codes, you say? Uhhm..

What do you do, now? Google says to “wait three to five days” until they can verify you are the true owner of the account [even if you’ve set up an alternate email ID/security questions many years ago — which you may not even remember].

So now we see the actual inconvenience of enabling 2FA.
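To make the four-step flow above and the backup-code exhaustion concrete, here is an added example (my own toy model, not Google's code) of a login routine that accepts an RFC 6238 TOTP code of the kind Google Authenticator generates, or one of 8 single-use codes stored only as hashes, consumes each code on first use, and reports the "wait for account recovery" state once every code is spent. The password hashing and the "recovery-needed" result are illustrative assumptions.

```python
import hashlib, hmac, secrets, struct, time

def totp(secret: bytes, t: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits), the scheme Google Authenticator implements."""
    counter = struct.pack(">Q", int(t) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def _h(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()

class Account:
    """Toy model of the post's flow: password (1), check (2), second factor (3), session (4)."""
    def __init__(self, password: str, totp_secret: bytes):
        self.pw_hash = _h(password)        # illustrative only; a real service uses a slow KDF such as scrypt
        self.totp_secret = totp_secret
        self.backup_hashes = set()

    def issue_backup_codes(self, n: int = 8) -> list:
        """Return n fresh single-use codes exactly once (the 'print these' moment); only hashes stay server-side."""
        codes = [secrets.token_hex(4) for _ in range(n)]
        self.backup_hashes = {_h(c) for c in codes}
        return codes

    def login(self, password: str, second_factor: str, now=None) -> str:
        now = time.time() if now is None else now
        if not hmac.compare_digest(self.pw_hash, _h(password)):
            return "denied"                # step 2 failed, so no second-factor prompt is shown
        if hmac.compare_digest(second_factor.encode(), totp(self.totp_secret, now).encode()):
            return "logged-in"             # step 3 via the authenticator app on the phone
        h = _h(second_factor)
        if h in self.backup_hashes:
            self.backup_hashes.discard(h)  # single-use: replaying a spent code is refused below
            return "logged-in"
        if not self.backup_hashes:
            return "recovery-needed"       # phone gone and all 8 codes spent: the "wait three to five days" case
        return "denied"
```

The TOTP test vector is the one from RFC 6238 Appendix B (key `12345678901234567890`, T=59), so the function can be checked against the standard without a phone.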

This is the typical flow of Google’s “Find Your Phone” system when logging in from a new system.

Conclusion

No system is perfect, far from it. Perhaps Google can come up with a few more inventive methods to expand their 2FA suite — such as utilizing a hidden layer that involves keystroke dynamics or something similar.
Sure, you could set multiple alternate phone numbers to receive a text message or devices to receive a prompt, but this isn’t exactly ideal in a worst-case scenario.

These are minor quibbles in a system that is otherwise pretty darn hard to fault, and the chances of something like this happening to you, dear reader, are statistically insignificant.

But in this day and age, where people have no less than a dozen online accounts with the same number of accompanying — hopefully unique — passwords, there is a clear and urgent need for a better, more transparent security solution and password management utility. These two things are different, you say? Nay, they are closely intertwined.

Until that day arrives, we are all at the mercy of ruthless internet hackers, the strength of our passwords [or our password managers] and our ability to remember all of our innumerable account credentials.

Let me know in the comments what you think we can do about improving the UX of a 2FA system!

Feel free to contact me on LinkedIn.


Sukrit Venkatagiri

Computer Science PhD student at Virginia Tech. Building crowdsourcing systems to help human rights investigators and law enforcement. I tweet @thesukrit.