Is Two-Factor Authentication Really a Good Idea?

in #technology, 8 years ago

Lately, it seems like almost every website wants you to enable "2FA" or Two-Factor Authentication. Either they use the old school email verification for certain actions, or they text you a code, or use an app to do the same thing.

Is this really a good idea though?

How often do you drop your phone? Is your screen all cracked and broken? We all buy these shiny fancy phones, then put them in big rubber cases, because we fucking know we're going to drop them, and probably break them eventually.

This article from 2015 says that 50 percent of people have experienced a cracked or broken screen and 21% have a cracked screen "right now". I bet that number has risen since 2015!

I just recently used a cracked phone for almost a year because I was trying to put off buying a new one, and it wasn't worth repairing because it would probably cost just as much. I've broken quite a few devices, and I'm not even as bad as most people. Though I will admit that sometimes I'm not as careful as I should be.

According to this site, 45% of cell phone users 18-24 had their cell phone lost or stolen in 2012. This number goes down by age, with only 20% for those 65+.

While we probably don't want to think about the travesty if we should lose our phone or get it stolen, it's a possibility.

One of my friends left her phone on the front porch by accident once, and someone tried to blackmail her to get it back. She didn't give in and ended up calling the cell phone company and the police. Guess she didn't have any nudes on the phone, or didn't care. :P

We can't rely on always having our phone!

Often the sites that insist the most on you having 2FA enabled are the ones that are related to some financial activity. Just what are you supposed to do when you lose your cell phone or it breaks or just stops working one day? Could you access your crypto? What other sites try to force you to use 2FA? What happens when even more sites rely on these supposedly "more secure" 2FA services?

I'm moving towards being more reliant on crypto myself, and I'm faced with the reality that I may have to gamble on always having my phone when it comes to certain sites and services. One of these sites is Binance, which I have recently switched to. What happens when I lose my phone? Will a large chunk of my trading portfolio be locked up until I get a new device? How hard will it be to switch to a new device when I get it?

The reality is that I will likely have to diversify my portfolio away from services that rely on my cell phone or another portable device, because I can't rely on it.

While 2FA does prove that whoever is logging in holds more than one of the account owner's factors, it also means that you are less likely to be able to use the service when something goes wrong. If something were to go wrong while you are traveling, it might be even more of a hassle, or possibly even a disaster, as we are becoming more and more reliant on digital services. Your bag might contain your phone and your computer, and your entire digital life.

Thankfully, I realize this flaw, so I can plan around it.


Two-factor authentication is a great idea, the implementation is what needs work. Even so, not using it is pretty dumb to be honest. If you're worried about losing your phone, why not back up your 2FA secrets? When setting it up, you're given a code to write down. Stick that in an encrypted file or just keep it locked up in a secret and secure location, and it's all good.

The implementation is what needs work. I agree that relying on a mobile phone is definitely a downside. You can get those dongles that plug in and send the code as a USB keyboard when you press the button (one brand name is Yubikey).

The U2F dongles are even cooler, but there's not as much support for them (though some are backward compatible). Unlike TOTP (time-based one-time password; what most 2FA codes are), they don't require a shared secret between your device and their server. This means that even if the login server is compromised, your 2FA credential is not.

Also, even though I don't advise it, if you really just want to get around the 2FA requirement, and you are already reasonably certain that your endpoint security is airtight (or just don't care?)... you could just run an RFC 6238-compliant program right on your computer.

2FA is good though. It's definitely tedious but I'd suggest you stick with it. You don't want your password being the only thing preventing an attacker from cleaning you out.
