Lately there has been a surge in services providing two-factor authentication (2FA). Google, Apple, many financial institutions and e-mail vendors have started to offer two-factor authentication to their users.
Multi-factor authentication assumes that a password is not enough to log in to an account. A device that needs to be physically held by the user, a mobile phone for example, is also required to log in. A protocol only known between the server and the device provides a “second opinion” that the person logging in is in fact the actual user.
There is more than enough material on the Internet explaining how 2FA works and the general cost-benefit analysis. This article provides a meta-analysis: is 2FA actually solving anything at all?
Wikipedia.org’s article on 2FA correctly identifies an unsolved problem that 2FA introduces, particularly if a mobile phone is the physical device. The phone becomes a single point of failure:
- Modern smart phones are used both for browsing email and for receiving SMS. Email is usually always logged in. So if the phone is lost or stolen, all accounts for which the email is the key can be hacked as the phone can receive the second factor. So smart phones combine the two factors into one factor.
- Mobile phones can be stolen, potentially allowing the thief to gain access into the user’s accounts.
Let’s look at what the typical cost-benefit analysis ignores.
There are two bigger problems that 2FA doesn’t solve: careless users and careless developers.
Vigilant users are already using very complex passwords, securing their phone, hiding their PIN when using a bank machine, not installing suspicious software on their devices, and not trusting all their security and personal information to third-parties.
The usual targets of small-scale identity theft are careless users. These users likely have weak passwords (John Podesta’s “passw0rd”, for example), are prone to phishing, and have malware on their devices. 2FA won’t stop keyloggers from capturing their 2FA codes and beating careless users to the log-in. All their security and personal information is scattered and saved in so many locations, including their phone, their social media accounts, publicly accessed web browsers, e-mails, and scraps of paper. The exposed attack surface is so wide that it is not a question of “if”, but “when” they will be hacked. You can’t cure irresponsibility with 2FA.
However, careless users are low-hanging fruit. The bigger targets are careless developers. It is analogous to a mugging versus a giant bank heist. Databases of sensitive information on hundreds of millions of users are the holy grail for digital thieves (Equifax, for example). Cracks in the code allow teams of professionals to break into large organizations and escape with valuables without a trace.
Vigilant users can’t fully protect themselves from careless developers and can only minimize the damage. If mobile devices are used as a second factor for 2FA, it may even increase the exposed attack surface. So what does a vigilant user do?
Assume everything you put on the Internet can be exposed and will be exposed: e-mails, private messages, and everything you post on social media. As already mentioned in the previous article about the Equifax hack, there’s not much you can do about information leaked by careless financial institutions and government agencies. But the more you put out there voluntarily on your own, particularly via social media, the more incentive you provide digital thieves and extortionists to come after you.
* * *