Follow on to the Password Thread, Convince me about 2FA

OK SO here’s a topic that will probably result in massive discussion.

Many folks here seem to think that 2FA is the bee’s knees with regard to ensuring safe on-line use.

Here are my issues with 2FA.

  1. I don’t do email on my phone so anytime I am forced into 2FA there is no way for me to share my 2FA code to my desktop for quick accurate entry.
  2. With a good strong password, kept secure with none shared among sites why does 2FA provide anything more? Esp. if for the critical financial sites I have alerts set up to notify me of potentially fraudulent charges?
  3. It seems that many folks store their tokens or 2FA codes on their devices. Why is that any good at all?

I will confess that since I never use 2FA except where mandated I have zero experience but to me it seems like a lot of hassle and effort for very little gain over a good password not stored on-line.

2FA is nothing to do with email. It’s delivered by several means, including SMS (not great, but better than nothing) and most usefully of all, an app on your phone, computer, even watch.

It’s an extra factor. If your password gets stolen or (now rarely) exposed, then it’s useless without the 2FA.

Sure, if someone steals your phone and your phone has your 2FAs on it, then it’s game over. But… there is usually a third factor in play — namely the app you store your 2FA in can have its own password and/or biometric access.

Like all things, there are ifs and buts and caveats, but in general it is more secure to have 2FA than not.

2 Likes

I agree that if you have strong, well-constructed, well-protected, and unique passwords, then 2FA is not essential on personal devices.

In a corporate context, where it is almost certain that some portion of the population will not follow good password practices, then enforced 2FA for logging into corporate devices and websites is important.

3 Likes

Theoretically it’s built upon the security model that there are three possible components to good security:

  • Something you know (a password)
  • Something you have (a device)
  • Something you are (biometrics)

Hackers from China that manage to guess your huge 1Password monstrosity of a password won’t be able to access your physical phone to get the code, so you’re theoretically safe. And given what most people use for passwords, it’s not a horrible thing.

They also won’t be able to get your thumbprint to unlock your phone to get that info, even if they somehow guess your PIN.

In practice, however, it becomes yet another thing for people to lose access to and get irrevocably locked out. I have a friend who can’t get into his (yes, free, I understand that can matter here) Google account because his phone broke, and the last number he had on file with them was recycled by a prepaid carrier long ago. He has access to the backup email, but they refuse to use that. Google will only send the code to that specific device, or call that specific phone number - and there’s no way into the account without it.

For most end users, I’m not a fan of 2FA. Especially for free accounts at places that provide zero support. It causes as many problems as it solves.

Tangentially-related, this is one of the main reasons I hate 1Password’s forcing of cloud sync. It effectively creates a high-stakes second factor that can be lost, destroyed, or otherwise rendered unavailable…at which point one would be completely locked out of their account, forever.

Or maybe put more simply, the fact that something is objectively more secure cuts both ways. It’s harder for everybody to get into, including you. And if you aren’t taking the time to think through every last little detail, you can get locked out much more easily.

4 Likes

For your key online information, I consider it to be a minimum requirement. Passwords can be compromised and shared easily online and without 2FA anyone who has that information could log into your account.

If you have Handoff enabled on your iPhone and Mac, then copying the 2FA code on your phone will allow you to paste it on your Mac.

3 Likes

The most commonly used 2FA variant is TOTP: Time-based One-Time Passwords (usually 6 digits changing every 30 seconds).

Both “time-based” and “one-time” are nice when malware on your Mac (key logger / screen capture) steals your credentials (username, password, and possible OTP). The hackers will have a very limited amount of time to use all three to log in somewhere, pretending to be you, because the OTP will become invalid “soon”.

1 Like

What’s the newish secure SignIn thing companies are providing? I know Google is one, but there are others.
Used it to secure another account a while back.
I think it’s different from SSO.

1 Like

If the bad guys somehow do get your username and password they would still be unable to log into your account without your 2FA response.

Using 2FA is belt and suspenders.

You could text yourself. That might require iCloud, which I know you don’t use. As others have said, 1Password can generate 2FA codes, and I think it might even be in keychain now.

Bad actors don’t necessarily need your password, but in some cases just the hash of your password. MD5 was used for hashes, until shown to be vulnerable, as was SHA-1.

1 Like

That makes the presumption that I consider my phone to be secure. I don’t. No watch so when I want to enable any sort of extra stuff in the places that require it the passcode comes via email. Which means I can only access them from my main computer where my email is.

OK but here are a few major issues. Devices die, break and get stepped on by sheep. Biometrics is notoriously unreliable. I can’t even get any of the fingerprint access stuff to work on any machine I’ve ever owned. I have problems getting decent sets of fingerprints made when I need them for security work. It usually takes several times to get a full set that can be properly matched to my records and that’s even with the newer digital fingerprint systems. Eye retina ID can be used but can be affected by allergies and other issues. No consumer level eye retina ID system that I know of.

1 Like

Several of my clients who are on M365 are using Microsoft Authenticator, and I use it for my personal Office subscription. MS Authenticator replaced SecurIDs for these clients.

1 Like

Any chance there is a web interface to your email? I use Hover email downloaded via POP3 to my Mac. But when (infrequently) I need access to email on my phone, I use Hover’s webmail interface. It’s kinda awkward but it works for me.

As long as you use a different, generated strong and long password for every account the chances your password will be hacked might be low. The problem is that your password needs to be evaluated by the ‘other side’ and by only relying on a password your security is also limited by the weak points which are not in your control.

Personally I use MFA wherever I can, and for many applications like for example financial institutions (banks, insurance, government, etc.) having an extra factor for authentication is mandatory.

For some accounts I don’t even have a password, the account is password-less and I only use an authenticator app on my phone.

How often are you using your hands? My father in law (farming 7 days a week) can’t use fingerprints for anything.

1 Like

Yeah, I agree about the faults with the existing implementations of those three factors. I already mentioned my friend whose device got destroyed and effectively permanently locked him out of his Gmail.

I would suggest that the faults in our existing implementations of these things don’t mean that the three-factor model itself is flawed - but it definitely raises questions about the requirements we put on the average user in light of our inability to implement those things properly.

The only 2FA systems that make sense to me are systems that have a solid, robust human-based backup to sort things out. For example, I know some investment advisors that have a 2FA hardware key that generates numbers every 60 seconds or so. When they authenticate, they have to give the number from the key. They’re accessing millions or billions of dollars in customer accounts, so it makes sense. But the other key is that if their device breaks, they have a phone number where they talk to a human that can get them a replacement device.

2FA for things like Gmail where the “support” is “sorry, you’re screwed” is a Bad Thing. And requiring it for every single user of a system, no matter what the sensitivity of the data involved, seems ridiculous to me.

1 Like

Daily. Spinning wool, especially medium and coarse wool wears the fingerprints off.

Will have to disagree, passwords can get compromised for reasons entirely outside of your control. If the attacker has compromised the password and you don’t have 2FA, they have control of your account.

If your account supports real 2FA use it.

FWIW Authy, the Twilio 2FA tool, allows me to copy the token to my clipboard. Given the magic of the Apple clipboard it’s on my Mac before it has time to expire. It is as painless as being secure will get.

4 Likes

No idea, I never use a web interface, I use POP mail on my desktop exclusively.

FWIW There is a specific way to eliminate this problem. Whenever I enable 2FA on an account, I’m offered backup code(s). I store the backup codes in the notes field of LastPass.

Also Authy will allow you store a backup of it. (Arguably weakening the security).

1 Like

It looks like both Apple & Google support those, but I’m pretty sure they were never “offered” in a meaningful way (i.e. “during the process of enabling it it lets you download the codes”).