3 Risks and Downsides to Two-Factor Authentication
That’s why two-factor authentication has exploded in popularity over the last decade. A single password is too brittle for true security, and adding a second layer of defense will keep your accounts better secured.
But two-factor authentication isn’t perfect. In fact, it can come around to bite you in the rear if you aren’t careful. Here are a few overlooked downsides.
Types of Authentication Factors
Multi-factor authentication is a practice that requires you to present multiple bits of evidence (“factors”) that each authenticate your identity. If you don’t have all the authentication factors, then the system won’t grant you access to your account.
Two-factor authentication is when the system only requires two bits of evidence.
There are all kinds of authentication factors that can be used as part of a multi-factor system, but they all tend to fall into three broad groups:
- Knowledge factor (“something you know”): The system accepts you if you show that you know a certain bit of information. Examples include PINs, answers to security questions, tax return details, etc.
- Possession factor (“something you have”): The system accepts you if you can prove that you have a certain physical device on you. Examples include SMS codes, auth apps, USB keys, wireless tags, card readers, etc.
- Inherence factor (“something you are”): The system accepts you through the use of a biometric comparison. Examples include fingerprint scanners, retina scanners, voice recognition, etc.
These all sound good at a glance. But you may have already spotted some of the issues that could arise while using these for identity verification.
1. Factors Can Be Lost
The simple truth is, there is no guarantee that your authentication factors will be available when you need them. Most of the time they will, but it only takes one mistake to lock you out of your accounts.
Imagine you have SMS codes as your second authentication factor. It works just fine for day-to-day checking of bank accounts and what not, but then you’re hit with a massive hurricane and left without electricity for days or weeks.
Or an earthquake bursts your pipes, submerging your home and phone. Or you forget your phone on a dresser in your rush to evacuate an approaching wildfire… or you accidentally catch ransomware on your phone and it’s rendered inaccessible. Alternatively, maybe you just drop your phone.
Relying on a USB key as a second factor is risky. You may misplace it or accidentally run it through the wash. If you rely on knowledge factors like PINs, there’s always a chance that you’ll forget what it is. Biometric factors aren’t perfect either: eyes and fingers can be lost in accidents.
Victims of Hurricanes Harvey and Irma found themselves locked out of their own accounts. Why? Because they had no way to charge their phones. No phones equals no authentication. No authentication equals no access.
While account recovery is often possible, it can take time and is likely to be a huge headache. If you have dozens of accounts protected with a single factor and you lose that factor, then you need to recover all of those accounts. Yikes.
Certain authentication methods fortunately have ways around this . For example, some services offer one-time backup codes in case factors are lost, in which case you should absolutely save these codes somewhere.
2. False Sense of Security
While two-factor authentication does provide added security, the degree of this extra security is often exaggerated. Some people may even tell you that a two-factor-protected account is nigh unhackable, but that’s simply untrue.
Two-factor authentication is far from perfect.
Take recovery, for example. If you get locked out of a service because you lost a factor, aren’t you essentially in the same position as a hacker trying to gain access to your account? If you can reset account access without a factor, then you can be sure that hackers can do the same thing too.
In fact, account recovery options often make two-factor authentication pointless, which is why companies like Apple have moved away from most recovery methods. The bad news? Without recovery options, your account can be permanently lost.
And then there are services that offer two-factor authentication but don’t fully commit to it, which puts account security out of your hands. For example, PayPal provides a second factor called “PayPal Security Key,” but back in 2014, as documented by Ian Dunn, it could be completely bypassed with zero effort.
Weak points like this exist across services, even big name ones. Again in 2014, hackers were able to break through two-factor protection and gain access to user accounts for Google, Instagram, Amazon, Apple, among others.
All of this simply means: you can do everything right with two-factor authentication and still have your account compromised. Whatever sense of security it brings is a delusion.
3. It Can Be Turned Against You
Although two-factor authentication is meant to keep hackers out of your accounts, the reverse can happen as well: hackers may set up or reconfigure two-factor authentication to keep you out of your own accounts.
You can read about a Redditor’s first-hand experience with this: a hacker broke into his Apple account, rang up hundreds of dollars in purchases, then tied two-factor authentication with one of the hacker’s own devices. Despite being the account’s true owner, the Redditor could do nothing about it.
So in a sense, while two-factor authentication may not be effective enough at securing accounts (which we explored in Risk #2), it can be too effective.
As services continue to strengthen their two-factor protocols and make account recovery even more difficult, it becomes increasingly imperative that you set up two-factor authentication on your important accounts.
Do it now before a hacker does it for you.
What Do You Think?
Another big downside to two-factor authentication is the inconvenience of it. It’s only an added step, but when you’re logging into accounts on a weekly or daily basis, those extra steps add up. I think the inconvenience is worth it.
It would be easy to point at these risks and downsides as excuses to forgo two-factor authentication altogether, but I say keep using it (or start using it if you haven’t already). Just be aware of how it might backfire, and take the appropriate steps to avoid such issues.
Do you use two-factor authentication? Whether yes or no, tell us why in the comments below! And if you have any other risks to consider, share those too!