Against 2FA

hartator
HackerNoon.com
3 min readNov 27, 2016

--

I think the logic behind 2FA (Two-Factor Authentication) doesn’t make sense. It seems to serve the business interests of the companies pushing it more than the actual security of their customers. Let me explain.

Adding an extra step for authentication seems to provide additional security, but it’s in fact dubious:

  1. The main attack vector for any digital security asset is social engineering. 2FA does very little to mitigate that, and companies with good security policies would double check an account claim before giving access to someone pretending to be you anyway. You might automatically receive an email or a text stating that someone is trying to sign in if the attacker is making a mistake, but by the time you react to it will be probably too late. If you ever choose to react.
  2. Password leaks are the second attack vector. Even big companies are not immune to it. Remember the Tumblr, Dropbox and LinkedIn leaks. Passwords should be hashed and individually salted. It’s then not possible to get your password from a password leak. If these companies are not hashing and salting, there is no reason we should trust them with their implementation of 2FA. Indeed, if they are not capable of correctly implementing basic password security principles, 2FA implementation will be just as bad.
  3. If you have been physically coerced into giving away your password by attackers, they would probably force you to give away your email or your phone as well.

The added friction is in opposition real. For example, you have to wait to get a text or an email. You might also not receive it if the text gateway or the email gateway is currently down. You can even be completely locked out of your accounts if you are traveling abroad and can’t access your texts.

Finally, in certain cases of bad implementation, 2FA can create more attack vectors. If an attacker is able to reset your password via your phone or your email, he can gain access as easy as if 2FA weren’t there. 2FA is indeed in more case 1FA as you only need the second added factor to reset the actual password.

On the other hand, companies benefit more from 2FA than users. They have a constant flow to check if you are currently using the number you gave them or the email you gave them. In the case of advertising companies like Google or Facebook, the business benefit of added tracking is self-explanatory.

To conclude, I think we should be pushing the use of reasonably complex and unique passwords in order to improve security, and we should be against the push for 2FA adoption in the majority of cases.

P.S. I am aware of AWS Multi-Factor Authentication (MFA). They actually ship you a key fob device that generates keys used to sign in. It’s indeed a good implementation of 2FA, but its usage is very limited and most people don’t refer to this when they are talking about 2FA.

Hacker Noon is how hackers start their afternoons. We’re a part of the @AMIfamily. We are now accepting submissions and happy to discuss advertising &sponsorship opportunities.

To learn more, read our about page, like/message us on Facebook, or simply, tweet/DM @HackerNoon.

If you enjoyed this story, we recommend reading our latest tech stories and trending tech stories. Until next time, don’t take the realities of the world for granted!

--

--

hartator
HackerNoon.com

Passion for beautiful code, lunatic enterprises and ludicrous dreams