3 Risks and Downsides to Two-Factor Authentication

Joel Lee 12-10-2017

Most people are lazy and use weak passwords that are easy to break. But strong passwords aren’t perfect either: they can be keylogged, intercepted, or even leaked in major data breaches.

That’s why two-factor authentication has exploded in popularity over the last decade. A single password is too brittle for true security, and adding a second layer of defense will keep your accounts better secured.

But two-factor authentication isn’t perfect. In fact, it can come around to bite you in the rear if you aren’t careful. Here are a few overlooked downsides.

Types of Authentication Factors

Multi-factor authentication is a practice that requires you to present multiple bits of evidence (“factors”) that each authenticate your identity. If you don’t have all the authentication factors, then the system won’t grant you access to your account.

Two-factor authentication is when the system only requires two bits of evidence.

There are all kinds of authentication factors that can be used as part of a multi-factor system, but they all tend to fall into three broad groups:

  • Knowledge factor (“something you know”): The system accepts you if you show that you know a certain bit of information. Examples include PINs, answers to security questions, tax return details, etc.
  • Possession factor (“something you have”): The system accepts you if you can prove that you have a certain physical device on you. Examples include SMS codes, auth apps, USB keys, wireless tags, card readers, etc.
  • Inherence factor (“something you are”): The system accepts you through the use of a biometric comparison. Examples include fingerprint scanners, retina scanners, voice recognition, etc.

These all sound good at a glance. But you may have already spotted some of the issues that could arise while using these for identity verification.

1. Factors Can Be Lost

The simple truth is, there is no guarantee that your authentication factors will be available when you need them. Most of the time they will, but it only takes one mistake to lock you out of your accounts.

Imagine you have SMS codes as your second authentication factor. It works just fine for day-to-day checking of bank accounts and whatnot, but then you’re hit with a massive hurricane and left without electricity for days or weeks.

Or an earthquake bursts your pipes, submerging your home and phone. Or you forget your phone on a dresser in your rush to evacuate an approaching wildfire… or you accidentally catch ransomware on your phone and it’s rendered inaccessible. Alternatively, maybe you just drop your phone.


Relying on a USB key as a second factor is risky. You may misplace it or accidentally run it through the wash. If you rely on knowledge factors like PINs, there’s always a chance that you’ll forget what it is. Biometric factors aren’t perfect either: eyes and fingers can be lost in accidents.

Victims of Hurricanes Harvey and Irma found themselves locked out of their own accounts. Why? Because they had no way to charge their phones. No phones equals no authentication. No authentication equals no access.

While account recovery is often possible, it can take time and is likely to be a huge headache. If you have dozens of accounts protected with a single factor and you lose that factor, then you need to recover all of those accounts. Yikes.

Certain authentication methods fortunately have ways around this. For example, some services offer one-time backup codes in case factors are lost, in which case you should absolutely save these codes somewhere.
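As an added illustration (not code from the article or from any service it names), here is how a service could implement the one-time backup codes mentioned above: codes are shown to the user once, stored only as salted hashes, and each one stops working after a single successful use. Class and function names are my own assumptions.

```python
import hashlib
import hmac
import secrets

# Added example, not from the article: a minimal server-side store for
# one-time backup codes. The server never keeps the plaintext codes, so a
# database leak does not hand an attacker working recovery codes.

CODE_COUNT = 8     # how many codes a user gets per issuance (assumed)
CODE_BYTES = 5     # 40 bits of randomness -> 10 hex characters per code


def _hash_code(salt: bytes, code: str) -> bytes:
    # Normalise so "abcd-efgh" and "ABCDEFGH" hash identically; users
    # typically copy codes with separators or in mixed case.
    normalised = code.replace("-", "").replace(" ", "").upper()
    return hashlib.pbkdf2_hmac("sha256", normalised.encode(), salt, 100_000)


class BackupCodes:
    def __init__(self) -> None:
        self.salt = secrets.token_bytes(16)
        self.unused: list[bytes] = []   # hashes of codes not yet redeemed

    def issue(self) -> list[str]:
        """Generate a fresh set, replacing any old one. Plaintext is
        returned exactly once so the user can save it offline."""
        codes = [secrets.token_hex(CODE_BYTES).upper() for _ in range(CODE_COUNT)]
        self.unused = [_hash_code(self.salt, c) for c in codes]
        return codes

    def redeem(self, candidate: str) -> bool:
        """Consume a code. True on the first valid use, False afterwards
        or for unknown codes; comparison is constant-time per entry."""
        digest = _hash_code(self.salt, candidate)
        for i, stored in enumerate(self.unused):
            if hmac.compare_digest(stored, digest):
                del self.unused[i]       # single use: burn it
                return True
        return False

    def remaining(self) -> int:
        return len(self.unused)
```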

2. False Sense of Security

While two-factor authentication does provide added security, the degree of this extra security is often exaggerated. Some people may even tell you that a two-factor-protected account is nigh unhackable, but that’s simply untrue.

Two-factor authentication is far from perfect.

Take recovery, for example. If you get locked out of a service because you lost a factor, aren’t you essentially in the same position as a hacker trying to gain access to your account? If you can reset account access without a factor, then you can be sure that hackers can do the same thing too.

In fact, account recovery options often make two-factor authentication pointless, which is why companies like Apple have moved away from most recovery methods. The bad news? Without recovery options, your account can be permanently lost.

And then there are services that offer two-factor authentication but don’t fully commit to it, which puts account security out of your hands. For example, PayPal provides a second factor called “PayPal Security Key,” but back in 2014, as documented by Ian Dunn, it could be completely bypassed with zero effort.

Weak points like this exist across services, even big name ones. Again in 2014, hackers were able to break through two-factor protection and gain access to user accounts for Google, Instagram, Amazon, and Apple, among others.

All of this simply means: you can do everything right with two-factor authentication and still have your account compromised. Whatever sense of security it brings is a delusion.

3. It Can Be Turned Against You

Although two-factor authentication is meant to keep hackers out of your accounts, the reverse can happen as well: hackers may set up or reconfigure two-factor authentication to keep you out of your own accounts.

You can read about a Redditor’s first-hand experience with this: a hacker broke into his Apple account, rang up hundreds of dollars in purchases, then tied two-factor authentication with one of the hacker’s own devices. Despite being the account’s true owner, the Redditor could do nothing about it.

So in a sense, while two-factor authentication may not be effective enough at securing accounts (which we explored in Risk #2), it can be too effective.

As services continue to strengthen their two-factor protocols and make account recovery even more difficult, it becomes increasingly imperative that you set up two-factor authentication on your important accounts.

Do it now before a hacker does it for you.

What Do You Think?

Another big downside to two-factor authentication is the inconvenience of it. It’s only an added step, but when you’re logging into accounts on a weekly or daily basis, those extra steps add up. I think the inconvenience is worth it.

It would be easy to point at these risks and downsides as excuses to forgo two-factor authentication altogether, but I say keep using it (or start using it if you haven’t already). Just be aware of how it might backfire, and take the appropriate steps to avoid such issues.

Do you use two-factor authentication? Whether yes or no, tell us why in the comments below! And if you have any other risks to consider, share those too!

  1. dragonmouth
    January 17, 2020 at 2:01 pm

    "Another big downside to two-factor authentication is the inconvenience of it."
    And therein lies the biggest problem. Most people are more concerned about their convenience than they are about their security, as evidenced by the fact that they are using smartphones rather than the more secure flip phones or landlines. People DO NOT want to set up effective security because it makes easy use of a device hard. NEWS FLASH! - effective security is supposed to make access inconvenient.

    The price of convenience is security and privacy.

  2. Thaddeus Avery
    April 7, 2018 at 6:35 pm

    I've come to loathe 2FA. I've used it for most of my accounts since school and before it was even popular. In all these years, the only thing it's ever done for me is cause headaches. I'm constantly being locked out of my own accounts after major updates or when I switch phone carriers or change phone #s and forget to update whomever I have 2FA with.

    And it's true that you can forget your device and therefore be locked out of accounts. I have two phones--a personal and work phone. I traveled to China with my work phone & subsequently for SIX MONTHS was locked out of most of my personal accounts b/c 2FA was enabled back home in the States on my personal phone. I've now disabled 2FA on my personal phone accounts and the phone itself and use 2FA only for my banking accounts and cloud storage--in which case I've switched from my phone as a unique 2FA device to either email or universally downloadable apps like Google Authenticator (which I can download to ANY cell phone to get a valid key).

    2FA overall doesn't make me feel more secure. It makes me feel threatened by the technology itself.

  3. Zday1
    October 15, 2017 at 8:57 pm

    While I understand how two-factor authentication can be useful, I also see just as many risks with it, one of which was not mentioned in this article: the very real possibility that your phone is lost and/or stolen.

    In this scenario, all a thief has to do is bypass the boot protocols of your phone to get past the main security screen, which is possible on many models. Once they do that, it's easy pickings for any capable hacker to just start perusing your personal information on your phone---which puts them in a perfect position to gain access via two-factor authentication.

    This should be concerning to anyone with a phone, because, let's face it, in today's society, times are tough, making criminals even more desperate and determined to find a way to infiltrate and exploit. This also makes things like the black market even more appealing to would-be passersby, who might not initially have criminal inclinations; however, with the thought that one could make a fast buck from selling a found phone, that really puts things into perspective.

    Consider this too, most average users, while likely aware of the necessity to implement security software on their phones, also tend to lack the full knowledge required to properly configure such security, and in many cases, are often left still quite vulnerable because of it.

    For example, you might have a security application on your phone which has anti-theft protection, however, many of these applications require the user to go through a series of sometimes complicated steps with vague instruction provided, in order to set up the anti-theft protection feature.

    Some give up because they're discouraged by this. Others think they've done everything right, but because of the software producers' lack of attention to the fact that their instruction set is far too technically worded for the average user to understand, these particular users usually end up overlooking or misunderstanding something.

    Then of course, you've got the other problem of the fact that every phone manufacturer has a different timetable for releasing the most current OS updates. This can also cause problems for the software applications being used on the phone.

    In my opinion, there are just far too many variables that could go wrong for the average end-user with sparse Security and OS software knowledge, to be able to put their implicit trust in something as trivial as two-factor authentication can be.

    And this problem is made worse by the simple fact that software vendors have historically snubbed the average end users over this particular issue, and rather than making it a main priority of application development to actually include clear and concise instructions and help files, the vendors would rather balk at the issue and pretend that it's of little or no consequence.

    This is akin to the super-geek calling the naive customer naive, while at the same time never once throwing them a bone, for the sake of their own selfish pride. Granted, not everyone in IT is like this, however, it is a problem and to a larger extent, a mind-set that still carries to the software vendor market, including that of security software. Add to that the growing lack of full customer support and interaction between these vendors and end users, and well, therein lies quite a disparity, to say the least.

    Suffice to say, there's more to it than meets the eye, and in this case, there's still much more not being mentioned here that people in general should still definitely pay more than the usual attention to.

    All the high-tech biometric gadgets and smart-home devices may be full of convenient features, but they are also rife with many security flaws too. If your phone gets stolen, well, maybe you have a chance at getting it back, but if you lose your phone, that becomes far less likely. Unless you have one of those lo-jack-style applications tied to your phone, you can pretty much kiss it good-bye, along with any two-factor authentication you once enjoyed on it.

    Remember this too: thieves are very clever, and if they've already worked on gaining access to your account via a single factor, such as using your PII, once they have access to the phone you use for two-factor authentication, it's all over. All they need to do is contact the institution with your credentials and now they've assumed your identity without even breaking a sweat.

    Much like cloud-computing, two-factor authentication can definitely provide a false sense of security, and in all fairness, one that is also lacking many safeguards.

    One of the most important pieces of advice I can give is to be scrupulous and don't bank on your phone, literally or figuratively. Just be smart about the times when you do go online and stop sharing all your information with everyone. Also, you don't have to sign up for every account registration that presents that opportunity to you. The point being: the more of your personal information you share online, the more of you there is on the net to compromise!

  4. Zhong
    October 14, 2017 at 11:39 pm

    2FA is useful for making sure that others aren't accessing your account from another location, and it would be nice to limit your login to certain IPs, so that hackers need to infiltrate your network in order to begin hacking your device.

  5. ReadandShare
    October 12, 2017 at 8:47 pm

    I've never used 2FA and I doubt I ever will. I travel all over the world. Last thing I want is to have my phone / wallet stolen and then get locked out of my important online accounts!

    I think the risk of NOT using 2FA is pretty minimal. Think about it -- ALL bank and email websites (and their apps) this day and age feature HTTPS encryption starting right from their login page -- so no one can tell what they are just from sniffing public Wi-Fi. Guard your IDs and passwords carefully -- never reuse them on multiple sites -- and you should be pretty OK.

    • dragonmouth
      January 17, 2020 at 2:13 pm

      Good advice, as far as it goes, and totally useless. Hundreds of millions of records are stolen annually. Are hundreds of millions of individual accounts secured so poorly as to allow data theft on such a scale? No. Those data breaches occur on bank and email websites protected with HTTPS. Those data breaches occur on corporate databases. An individual can bulletproof his/her account but has absolutely no way to make corporate security better.