For years now, security and privacy professionals — myself included — have been urging the use of 2-factor authentication (aka 2sv, 2-step authentication, 2fa, multiple factor, etc.) systems for logging into Web and other computer-based portals. Regardless of the name, these authentication systems all leverage the same basic principle — to gain access requires “something you know” and “something you have” — broadly defined. (And by the way, the inane and insecure concept of “security questions” doesn’t satisfy the latter category!)
The fundamental point is that these systems require the provision of additional information beyond the traditional username and password pair that have long demonstrated their frail natures as used by most persons.
Even if you don’t engage in notably bad password practices like sharing them among sites or laughingly weak password choices, usernames and passwords alone are incredibly vulnerable to basic phishing attacks that attempt to convince you to enter these credentials into (often very convincing) faked login pages.
The lack of widespread adoption of 2-factor systems has been the gift that keeps on giving to crooks, scam artists, Russian dictators, and a long list of other lowlife scum. The result has been what seems like almost daily reports of system penetrations and data thefts.
Are 2-factor systems foolproof? No. There are a wide range of technologies and methodologies that can be used to implement these systems, and they vary significantly in theoretical and practical security effectiveness. But despite some critics, they all share one thing in common — they’re all much better than just a bare username and password alone!
Choices for 2-factor systems include text messages, automated voice calls, standalone authentication apps and devices, USB/NFC (e.g. FIDO U2F) crypto keys, and even printable key codes. And more.
With all of these choices, why is there so comparatively little uptake of 2-factor systems in the consumer sphere (in the corporate sphere there has been more, but not nearly enough there either).
Why don’t most users take advantage of 2-factor systems? There are two primary, interrelated reasons.
First is the psychology of the problem. Most people just don’t believe in their gut that a breach is going to happen to them — they feel it’s always going to be someone else. They just don’t want to “hassle” with anything additional to protect themselves, no matter how frequently we urge the use of 2-factor.
It’s much the same kind of “it won’t be me” reasoning that leads most people to not appropriately backup the data on their home (or often their office) systems.
Of course, once their account is breached or their disk crashes, they suddenly care very deeply about these issues, and people like me get those 3 AM calls where we have to bite our tongues to avoid saying “Well, I told you so.”
However, it would be unfair to blame the users entirely in this context, because — truth be told — many 2-factor implementations suck (that’s a computer science technical term, by the way) and are indeed a genuine hassle to use.
Some require the use of text messages (not everyone has a text message capable phone, as the Social Security Administration learned in their incompetent recent aborted attempt to require 2-factor authentication). Some require that you receive a new authentication token every time you login (overkill for most ordinary consumers) — rather than remembering that a given device has already been authenticated for a span of time. Some are slow. Some are buggy. Some screw up and lock users out of their accounts.
The bottom line is that a lousy 2-factor system is going to drive users batty.
But that’s not an excuse, because it is possible to do 2-factor in a correct and user-friendly manner, with appropriate choices for consumer and business/organization requirements.
By far the best 2-factor implementation I know of is Google’s. Their world class privacy/security teams have for years now been deploying 2-factor with the full range of choices and options I noted above. This is the way it should be done.
Yet even Google has to deal with the “it won’t happen to me” mindset syndrome on the part of users.
This is why I am now convinced that at least the major Web firms must begin moving gradually toward the mandatory use of 2-factor methods for users accessing these sites.
Just as responsible websites won’t permit a user to create an account without a password, and many attempt to prevent users from selecting incredibly weak passwords, we must start the process of requiring 2-factor use on a routine basis, both for the protection of users and of the companies that are serving them — and for the protection of society in a broader sense as well. We can no longer permit this to be simply an optional offering that vast numbers of users ignore.
This will indeed be a painful bullet to bite in some important respects. Doing 2-factor properly isn’t cheap, but it isn’t rocket science either. High quality commercial, proprietary, and open source solutions all exist. User education will be critical. There will be some user backlash to be sure. Poor quality 2-factor systems will need to be upgraded on a priority basis before the process of requiring 2-factor use can even begin.
It’s significant work, but if we care about our users (and stockholders!) we can no longer keep kicking this can down the road.
The sorry state of most user authentication systems that don’t employ 2-factor has been a bonanza for all manner of crooks and hackers, both for the ones “only” seeking financial gain and for the ones seeking to undermine democratic processes.
The deployment and required use of quality 2-factor systems won’t completely seal the door against these evil forces, but will definitely make their tasks significantly more difficult.
We can no longer accept anything less.
–Lauren–
I have consulted to Google, but I am not currently doing so — my opinions expressed here are mine alone.
– – –
The correct term is “Internet” NOT “internet” — please don’t fall into the trap of using the latter. It’s just plain wrong!
That’s a fine proposal for material personal information (but are there really banks that don’t support this?). However, another part of the problem is the inconvenience of excessive security for non-material information. That is, websites that require authentication for their benefit, not to secure actual user information. I have secure distinct passwords and security questions and two-factor technologies for all accounts with personal information that would harm me if compromised. I want one simple convenient login for all other accounts, but am often thwarted by some webmaster who thinks my mother’s read-only subscription is vital personal info that requires me to help her remember constrained passwords and set up text message authentication.
Poorly designed 2sv systems can create the kinds of problems you note — which is why I emphasized the need to bring these systems up to a better standard as a first step. But your argument could also be used to suggest that weak passwords are OK if the user doesn’t care. In practice, we find that even users who claim beforehand that they “don’t care” frequently end up caring a great deal when their account is compromised. It’s just no longer something that can be left as an optional security aspect — for technical, legal, and social reasons, especially for global firms that must deal with a wide array of privacy laws around the planet. As for banks, not only are there major banks that don’t offer 2sv to ordinary consumers, but others who have them and hide their existence from most users — not to mention the banks that have terrible implementations of the worst sorts.
Perhaps don’t care is too strong. The problem with a lot of websites is not so much as I don’t care as there is no compelling reason for me to want to set up another password protected “account” for something that probably would be just as adequately supported by another cookie in the browser but the implementers of the web site deemed it necessary to do a login / password with 8 character password with upper case and lower case and numerals but no punctuation etc etc etc. They deem it important we don’t. We just want to visit them once. I usually just enter gibberish, get what I came for. If I ever return I just use the recover password feature.
The small Yubikey 4 Nano seems to be a compelling choice but at $40 US it is currently just a bit too expensive for consumers to adopt. It is intended to be a plug in and forget until needed solution, so you need one per system you use.
It should be noted however that most U2F keys can support multiple unrelated services/accounts — and keys that are designed to be portable (e.g., clipped onto a keyring) certainly do exist.