Confused about implementations of two-factor authentication

I understand the idea of and the need for two-factor authentication. But I’m unable to understand the point of using an authenticator app with the accounts that I use. For some accounts the use of a phone number is required even after setting up an authenticator app. In some cases a two-factor authentication method of sorts is implemented through email. Below, I’ll use as examples accounts for Amazon, Apple and Nintendo.

Amazon supports the use of an authenticator app, but doesn’t allow removal of the phone number associated with the account. Verification codes can be requested through use of the phone number after installing an authenticator app. This retains the vulnerability to weaknesses in the use of a SIM card.

Apple also allows the use of a “trusted phone number” as an alternative to using a trusted device.

Nintendo supports the use of an app, but also sends verification emails when two-factor authentication is not enabled. To me, this seems like the better way since I can enjoy the additional protection without an increase in complexity in the form of an additional authenticator app. I can also log in to the account as long as I’m able to access the email account associated with the Nintendo account. An authenticator app would run on a single device, but an email account can be accessed through many devices.

Just to be sure: I am not railing against the idea of two-factor authentication or any of the implementations as such. I genuinely do not understand how to think of a proper “model” for using two-factor authentication. As it is, I’m thinking of not bothering with the use of apps for myself or the family and using the text message or email methods many of the services guide me to use anyway. My question then is: am I doing it wrong, or is two-factor authentication a valid idea suffering from lack of a powerful enough actor to force its proper implementation?


Welcome @Kettunen It looks like you have a good grasp of the situation. Security and convenience are at opposite ends of a solution. As you increase one you decrease the other and most businesses try to be as secure as possible, without creating a nightmare customer support problem. But there is a better solution on the horizon. Passkeys.

Passkeys: the future of authentication in 1Password

And we recently had a discussion about them.

Google, Apple and Microsoft: A password-free future is in the making (FIDO/Passkeys) - Software - MPU Talk (macpowerusers.com)

Personally I wouldn’t discount two factor (2FA) it is the best current solution. So why not look into Passkeys and tell us what you think about them?

You’re not doing it wrong.

The apps are the most secure method. If you don’t have the device with the app running you don’t have the code. Email can be hacked (people’s passwords aren’t that good) and phones (SMS) can be spoofed. Authenticator apps exist because, outside of single purpose hardware devices, they’re the most secure.

But people aren’t good at security and companies have to offer an easier way AND a fallback method when something goes wrong. Thus you get SMS codes, email codes, and even security questions as a backup.

You’re absolutely right that if your account is accessible using less secure methods, there’s no advantage to you using less convenient (even if more secure) methods unless you just want to. If a hacker can get into your account with an SMS code, the fact that you’re using an authenticator app doesn’t make your account any more secure.


Fwiw, I agree with your entire comment.

For the record a reason for why I want to is that my 2FA app is way faster than waiting for the SMS send server to actually send the SMS, and then for my carrier to pass it on to me.

Phone numbers are also used as a way to identify/track you. I never give out my mobile phone number to these services. In the US, I believe all of these numbers are listed/public.

Interesting, I have the contrary experience.
SMS comes within seconds, AND it is recognized by Apple, so I simply have to wait a few seconds, and can simply insert the code that the OS has got from the SMS.
If I first have to find the Authenticator App, then get a code from it, and manually copy it, or remember it and write it into the field where it is required, that always took way longer than the SMS way.
But this perhaps depends on the quality of the SMS service provider?

They aren’t listed but many/most don’t remain anonymous for long. I give my mobile number (I have no landline) to my doctor, bank, insurance company, etc. and my Google Voice number to just about everyone else.

So fewer companies have my primary number but that doesn’t stop the USPS from delivering 10+ pieces of analog spam to my physical mailbox each week.

I guess I was thinking about my Mac at the time. Your experience is probably how I feel on an iPhone. It’s a wash on iPad.

Me too!

I think it does. Some of my TFA SMS messages arrive in seconds, others can take up to 30 seconds. While that is annoying, what is worse is that I’ve got a few providers whose TFA code is not recognized by Apple’s systems in Messages. For those I need to switch to Messages, right-click (or long press) on the code to copy it (it’s usually buried in a lot of text), then switch back to the place where I can paste the code. The long press on the iPhone feels imprecise, and I get annoyed when I have to do it.

Whereas, if I’m logging in on my iPhone, I likely have already opened 1Password to get the password (if it didn’t already pop up above the keyboard). So swiping back to 1Password to get the TFA code is easy. And a single tap in 1Password on the code automatically copies it, ready to be pasted when I switch back to where it needs to be entered (no tedious selection or long-pressing and hoping it works). That’s the advantage of having the password and authenticator in the same app. Less secure, but easier to use.

Of course, the absolute worst are the systems that require using email to get the code. I’m amazed that I still run into these.

As you’ve seen, there’s a lot of variety in how companies choose to implement 2FA and what options they provide. Generally speaking, the advice you’ll get from security professionals is that:

  • 2FA is better than no 2FA, but
  • Token-based 2FA through an app is always preferable to SMS.

SMS is an old and inherently insecure protocol that’s vulnerable to a number of well-known exploits (SIM swapping, etc.) that can not only negate the value of using 2FA but, in the worst case, can leave you more vulnerable than you were before. So I avoid providing my phone number at all if I can.

As Margaret has pointed out, one way to minimize the hassle that gets added when you enable 2FA is to choose a password manager that lets you generate your 2FA codes within the app (and, ideally, sync them across your devices so you can access them whenever you need them).

As of now, most of the platform password management solutions like Apple Keychain allow this. And if you need more robust functionality or that seamless cross-platform sync/consistency you can turn to a third party.

This helps because it means when you sign in, you can use autofill to not only enter your username/password, but also the 2FA code.

For example, this is what it looks like when I go to sign in to a website or app where I have 2FA enabled. I’m doing this on my Mac since that was the example given of where it’s inconvenient:

[screenshot: 2fa-signin-example]

To me, this process feels pretty seamless. It only takes a couple of clicks/taps, and I don’t have to switch apps or copy/paste anything. But I get the peace of mind of knowing my account is more protected.

Technically speaking, this approach goes from being true “two factor” authentication to “two step” authentication, but that remains more secure than using neither. The security benefit of using a one-time password in this way comes from the temporary nature of the codes in conjunction with your password, not the second-factorness of the device(s) you retrieve that code from.

Put a different way, if you think of a spectrum of security with simple password authentication on one side and full two-factor authentication on the other, two-step verification is a happy middle ground that offers the best balance of security & convenience for most people in most situations.


“Listed” may be the wrong term. I did some consulting for a company that has an enterprise SMS messaging platform and learned this working with them. Again, this is specific to the US.

It’s been my understanding that one reason the U.S. chose to not publish mobile phone numbers is because we have to pay for both placing a call and receiving calls.

In most parts of the world users only pay for placing a call.