The Abject Stupidity of Two-Factor Authentication
On group think and the refusal to think things through
Thinking is good. If you think well, then you can solve problems. If you don’t think, then you cause problems. The worst problems are the result of people believing they are thinking well when, in fact, they are not.
Then there’s two-factor authentication or 2FA. Some people believe it’s a clever invention. They believe they were thinking well. They weren’t.
To illustrate, I will paraphrase two real e-mail exchanges that I had with “customer support” of various organizations. These are word-for-word the conversations with human tech support. I did not correct their grammatical errors. These two examples illustrate the abject stupidity of two-factor authentication and those who unthinkingly force it on us.
Conversation 1 — replacing password with 2FA to access an app
IT: This e-mail is to inform you that we now require two-factor authentication to sign in to your account. As a security method, you will no longer need to enter your password. When you enter your username, we will send a verification code to your device. You will need to receive and enter that verification code each time you sign in. Let us know if you have any questions.
Me: I have a question. Why are you requiring me now to receive a verification code instead of a password?
IT: As a security method, we’ve installed two-factor authentification to protect your account if someone steals your device. Let us know if you have any questions.
Me: What happens if someone steals my device and tries to sign into my account?
IT: As a security method, the server sends an authentication code to your device. Let us know if you have any questions.
Me: But if someone steals my device, you are sending your authentication code to the person who stole my device. Aren’t you giving them access to my account?
IT: As a security method, one can only access your account by entering the authentication code sent to your device. Let us know if you have any questions.
Me: Okay, think this through. If someone steals my device, they have possession of my device. If you send the means to sign in to my account to the device, you are allowing the thief to access my account. You have made my account less secure by replacing password authentication with 2FA.
IT: I understand your concern. I am happy to inform you that we now require two-factor authentication to sign in to your account. As a security method, you will no longer enter your password. When you enter your username, we will send a verification code to your device. You will need to receive and enter that verification code each time you sign in. Let us know if you have any questions.
Conversation 2 — adding 2FA to password to access a Web site
Me: Why are you forcing me to receive a verification code on my phone to sign in to my account?
IT: We understand that it’s an extra step, but we always make sure your account is protected, so this is a necessary step in your security. You can choose how to receive your verification: receive a code by text message or phone call.
Me: It’s not a necessary step, and it doesn’t make my account more secure. I sign in only on my home desktop computer, using my dedicated private IP address through secure VPN. I am being forced to solve THREE captchas AND receive a phone call every time I sign in. This despite the fact that I always sign in with the SAME device from the SAME IP address.
IT: Thank you for getting in touch and sorry to hear about it. 2-step login is a way to make your account more secure. We understand your e-mail and the fact that it can be annoying doing the same security step every time. We recommended to your access through our App, then you just need to log in with 2FA once and the app stores that verification on your phone.
Me: Okay, think this through. No one is going to break into my house, turn on my desktop PC, out of thin air come up with the identity of my financial institution, magically guess my username and password, and gain access to my account. Instead, you want me to put your app on my phone, which someone could easily steal, and then they will be able to see the app logo on the phone and access my account because you are sending the verification code to them. Your app is LESS safe than my desktop PC in my locked house.
IT: The app is secure because it is protected by your password.
Me: If you say the password on the app is enough security, then WHY isn’t the password on my PC enough????
Every time I bring up this issue, I get two responses. The first comes from users: “Oh, yeah, I’ve been raging against 2FA since it was invented. It makes everything take longer, and if I lose access to my device or e-mail, I’m locked out forever.”
The other response is from the tech bros who try to say these aren’t actually 2FA. It’s a No True Scotsman fallacy. For those tech bros who can’t count: sign-in plus an authentication code sent to a device is 1 + 1 = 2 factors. Receiving the code IS an additional security check. Two factors. One plus one equals two. That’s what the IT people tell their bosses and their corporation’s customers. But they didn’t think it through.
Then the tech bros will counter that we need a biometric device or a passkey device or whatever gee-whiz device they saw at an IT showcase or online forum. Only THAT is true 2FA, they will say. Here too, they are not thinking things through. Adding a second device doubles the problem: another device that can be stolen or lost.
The reality is that the only security needed is a strong password. If no one knows your password, you are secure. End of story, nothing else needed. But tech corporations only make money if they can sell something. They can’t sell a password, so they convince people that a password isn’t enough.