Wednesday, March 23, 2022

Two-Factor Authentication Leaves Much to Be Desired

Like most of you, I've gradually been adopting MFA or 2FA in various technologies. Most of these are via web sites. Last year I went all-in and applied it everywhere I could.

As a rule, I think 2FA is clunky at best. 

But then . . . I lost my phone.

For the most part, losing my phone was not very traumatic. I was on vacation in Mexico with my daughter and daughter-in-law. So the people I might text were with me. Email was available on my iPad. The only thing I lacked was 2FA.

Luckily, I could access my hosted desktop (Amazon Web Services desktop), which is a recognized device for many services and so is exempt from constant re-verification.

Rebuilding is Not A Smooth Process

Let me be clear: Nothing I went through was horrible or particularly frustrating. But it was far more tedious and annoying than it should be.

When I first started using 2FA, each service either recommended or required a specific authenticator app. I didn't know that they were all lying to me and that I could use any app. But while I was learning this, I ended up with information in Google Authenticator, some in Microsoft Authenticator, and some in Authy.

As I rebuild, I am consolidating to Authy - primarily because it is the most elegant to use across devices and is the most flexible in recovering from backup.

For most services, I had saved the backup codes. So I could get back into various services. In almost all cases, I found this process very poorly documented. And clunky. In more than one case, I had to enter one emergency backup code to request a password reset, then enter another backup code after the password reset.

This is just my speculation, but I'll bet that most of your clients (and perhaps employees) have not saved most of their 2FA backup codes. And now, as you scurry to do something about that, you'll discover that getting those codes is often impossible as they are produced only once. So to generate new codes, you have to disable 2FA (or switch to another method) and then re-enable to get new codes.
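As an added illustration (not part of this post, and not any vendor's code), here is why a service can show backup codes only once and why getting a new set means replacing the old one: the server keeps only keyed hashes of the codes, never the plaintext, and each code is consumed on first use. The TOTP function is the RFC 6238 algorithm that authenticator apps implement, so the verifier accepts either a live authenticator code or one unused backup code, which is the recovery path the post describes. The class and function names, the in-memory store and the server-side pepper are assumptions made for this example.

```python
"""Constructed example: issuing, storing and redeeming 2FA backup codes
alongside RFC 6238 TOTP verification. Names and the in-memory store are
assumptions for illustration, not any particular service's implementation."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# Alphabet without visually ambiguous characters (0/o, 1/l/i); a constructed choice.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def _digest(pepper: bytes, code: str) -> bytes:
    """Keyed hash of a normalised code; the pepper lives outside the database,
    so a leaked table of hashes cannot be brute-forced offline."""
    normalised = code.replace("-", "").replace(" ", "").lower()
    return hmac.new(pepper, normalised.encode(), hashlib.sha256).digest()


class BackupCodeStore:
    """Server-side record of one user's backup codes (hypothetical store).

    Only keyed hashes are kept, which is why a service can display the
    plaintext codes exactly once and cannot re-display them later."""

    def __init__(self, pepper: bytes):
        self._pepper = pepper
        self._unused: set = set()

    def issue(self, count: int = 10, length: int = 10) -> list:
        """Generate a fresh set, discarding any existing codes, and return
        the plaintext once. Re-enabling 2FA on a real service does the same."""
        self._unused = set()
        codes = []
        for _ in range(count):
            raw = "".join(secrets.choice(CODE_ALPHABET) for _ in range(length))
            codes.append(f"{raw[:length // 2]}-{raw[length // 2:]}")
            self._unused.add(_digest(self._pepper, raw))
        return codes

    def remaining(self) -> int:
        return len(self._unused)

    def redeem(self, code: str) -> bool:
        """Consume a code: valid at most once, compared in constant time."""
        candidate = _digest(self._pepper, code)
        match = next((s for s in self._unused if hmac.compare_digest(candidate, s)), None)
        if match is None:
            return False
        self._unused.discard(match)
        return True


def totp(secret_b32: str, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code an authenticator app shows."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int(time.time() if at is None else at) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_second_factor(submitted: str, secret_b32: str, backups: BackupCodeStore,
                         now: Optional[int] = None) -> str:
    """Accept a TOTP code from the current or an adjacent 30 s step, otherwise
    one unused backup code. Returns which factor succeeded, or "rejected"."""
    submitted = submitted.strip()
    t = int(time.time()) if now is None else now
    for drift in (-1, 0, 1):
        if hmac.compare_digest(submitted, totp(secret_b32, at=t + drift * 30)):
            return "totp"
    if backups.redeem(submitted):
        return "backup"
    return "rejected"


if __name__ == "__main__":
    # Constructed demo: a pepper the real service would keep in a secret store.
    store = BackupCodeStore(pepper=b"constructed-server-side-pepper")
    shown_once = store.issue()
    print("backup codes (shown once):", shown_once)
    print("first use:", store.redeem(shown_once[0]), "second use:", store.redeem(shown_once[0]))
    print("codes left:", store.remaining())
```

The `issue` method replacing the whole set is the behaviour the post runs into: there is no way to re-display codes, only to regenerate them. Checking the adjacent time steps in `verify_second_factor` is the usual allowance for clock drift on the phone, and `compare_digest` is used for both factors so that a rejected guess does not leak timing information.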

For the few services where I had not saved the backup codes, I expected a bit of a fight to regain access. In all cases, however, I found that this was a very easy process once I figured out how to access support without 2FA. Clearly, helping people recover from a lost 2FA device with no backup codes is extremely common.

In the middle of this, a friend mentioned that they use Vumber to send SMS messages to a group email. That can make the hassles of 2FA via SMS easier.

Thankfully, about half the services were able to offer us an alternative logon by authenticating via SMS or email. I was very grateful for this since it did not require me to hassle with backup codes.

I did have a backup of my Google Authenticator, but the backup was a week old. So some changes were not recovered.

The Phone Reveals the Biggest Weakness

I reported my phone missing, got a new one, and I was . . . not back in business!

I won't go into all the details, but the process of filing the insurance claim was like an old Abbott and Costello comedy skit. To file the claim, I had to prove who I was. So they sent a code to my phone - which I didn't have.

Again and again and again, I was asked to provide an authenticator code or information sent via SMS to a phone I did not have. This is clearly a broken system.

But the phone company was not alone. Many, many times, I was asked for 2FA in order to report a problem with my 2FA, enter a support call, or reset security. 

This is literally the biggest weakness of 2FA recovery: The process of recovery is broken. Because it requires you to access your 2FA in order to reset and gain access to 2FA, you are forced to enter a support system that costs the vendor money to provide. They will ask you for your authenticator code, but at least you can explain to the human that there's a level of absurdity in this.

Lessons (and just good ideas)

- Set up a hosted desktop or some machine you can access remotely without your phone or authenticator. Make sure you use it to log into various services so it is recognized as a known device. This will give you some access.

- The fewer authenticator apps you have, the better. Consolidate where you can.

- Back up your authenticator.

- Set up alternatives via SMS and email where possible.

- If you use 2FA with an authenticator app, save the backup codes. Be sure to save all of them in the same app (password vault) so they are secure and all in a place you can find them.

- Consider a Vumber number, or something similar, so you can receive SMS messages without an SMS device.

- Authy is the only authenticator I know of that will automatically echo a brand new 2FA setup to laptop, desktop, cell phone, and tablet (Android or iOS). If I have to use an authenticator going forward, it will be Authy.

Overall: The current incarnation of 2FA could be a lot smoother. Sites that use it could be better documented. And you need to make sure your clients are ready for a "lost device" - because they're going to call you. The less they've prepared for a lost device, the more work there will be for you.

Personally, I am going to minimize my reliance on authenticator-based 2FA and prefer SMS and email. As long as I'm acutely aware of whether or not I have just requested a login, I believe these are secure enough for me.

Note: I understand that there are some security concerns with SMS and even more with email. But I also believe that we all need to choose a level of security that we believe is appropriate. And that generally means a balance of security and convenience. 

Your comments and feedback are welcome. Have you had a similar learning experience?
