The Perils of 2FA

Yesterday I was sitting at a cafe near my house with my daughter, I had just finished a video call with my boss —a weekly touchpoint since my boss sits in Amsterdam and I sit in Singapore— when a guy approached me and asked if he could use my iPad.

It took a minute to understand what he wanted and why. It seems that his phone screen had died, he could receive a call, using his headset to answer it, but he could to make a call or browse his phone in any way. He wanted to log into gmail to get a contact number and use my phone to call them.

Ok, no problem I’m happy to help a guy out. So I opened up Firefox in incognito mode and loaded gmail. After the username and password were entered a two factor authentication (2FA) page opened. Google wanted the guy to enter a code that could be found on a device already logged in… that would be his phone, the one he could not access.

Google gives options to allow you to try others ways of verifying yourself; receive an code by email (not helpful if you are trying to login to that email), receive a code by text (since his phone screen didn’t work he would not be able to see the code), and others. The only one that was an option for this guys was to receive a code by voice call. Luckily he could still receive as call and pick it up using his headset.

So after a couple of minutes he was able to login and get his friends contact. I let him use my phone to call and his friend called him back so they could coordinate whatever they needed.

Glad to help a person out. But the real story here, for me, is the perils of 2FA. All the security experts out there will tell you to enable 2FA for all your logins, all the major services on the internet offer 2FA: Google, Facebook, Apple, Microsoft, Adobe, blah, blah, blah.

I’ve been using 2FA for about two decades, I believe I was issued my first physical RSA token back in 2003. Now days I have multiple software tokens on my phone – Microsoft Authenticator (for work), Adobe Access —just for creative cloud, damn you Adobe—, Authy. Google has an Authenticator, which I don’t use for anything anymore, I should delete it and most importantly 1Password for as many services as I can use it’s built in code generator.

Google and Adobe, and, to a lesser extent, Apple piss my off with their 2FA. Google and Adobe use proprietary software, I can’t add them to my 1Password for the code generation. I have to use Gmail and Adobe Account Access respectively. Gmail is the worst, I don’t use Gmail’s app for anything else, I use the built in mail app on my phone, but I have to keep Gmail on my phone just to login to Google. Adobe is nearly as bad, they have a dedicated app, it’s not even in the existing Lightroom or Creative Cloud or other Adobe apps I already have. Apple uses a push to logged in Apple devices and since I’m helplessly mired in the Apple ecosystem that’s not really a problem but how do people with only one Apple device do it?

I think 2FA is important, we hear daily about new hacks. I have been on the internet for three decades and using the same email address for almost that whole time. I was foolish, like most people, and used the same password for everything for years. That email address has appeared in many leaks, accordng to haveibeenpwned [] I have, in fact, been pwned 26 times. And that’s only known pwnings. My old go to password has appeared 4 times, meaning the plain text password with the hashed string is there, so if that hash shows up in another breach the hacker does not even need to break the encryption, they already know the password.

So, these days I use a password manager. I use 1Password. And while there is always a chance that they get hacked an my data get leaked I think the benefits out way the risks. I am able to set a different password for everything and I don’t have to remember them, I only have to remember one master password, I can make that as complex as I want to make it harder to crack, not worth the time of a hacker (If you want to understand how easy it is to crack passwords watch this Computerphile video [].

1Password allows me to set 1Password as my 2FA code generator [] for sites or apps that follow the standard. You can see which sites support it here [] and which use proprietary solutions.

But, for all the extra security 2FA provides you have to be prepared. To make sure you have access to the code generator. If you loose your phone you still need to be able to get a code to login… I can login to 1Password on my computer but what if someone does not have a computer, only their phone? What if I’m overseas without access to my computer? What if you loose your phone so you go to use someone else’s computer to login somewhere and to get the code you need your phone? Sure, they offer other methods to verify, so you select receive code by email, but then you need a 2FA code to login to your email, but you’ve lost your phone… How deep does this rabbit hole go? When it works it’s great but I can see how this whole thing is to complicated for many people.of

This rant isn’t goin anywhere so let me explain, no, there is too much, let me sum up: Passwords suck, but we don’t have anything better yet (people are working: Alternatives to passwords []), 2FA is better, but there are some issues. All of this security is to complicated for most people.