Sure, cybercrime is all-pervasive nowadays, and with ever more of us interacting with the world digitally, security is paramount. So we are all used to Two-Factor Authentication (2FA) and Multi-Factor Authentication (MFA), for example, and probably most importantly, for our online banking. And don’t get me wrong: of course I want my privacy protected, and I wouldn’t want to miss the advantages of being able to pay my bills and transfer funds anytime, anywhere and from any device.

But sometimes these 2FAs and MFAs are really a nuisance! Have you ever tried to log on to a site where you receive a text message with a code to authenticate, only to realise that you have a bad network connection – and that the code, in any case, is only valid for a very short period of time (we’re talking minutes here…)? By the way, the SS7 protocol still used by many mobile phone companies is far from foolproof, since text messages can be intercepted (an interesting article on mobile phone security can be found here).

Or the same with codes sent to your email address: emails can take a while to hit your inbox, and by the time you receive the mail the code has already expired (not to mention the instances where the mail ends up in the Junk folder, which you obviously forget to check). Or when you need to scan a QR code to access a service on your preferred device – but at that moment have only that single device to hand? Or when you’re asked to reauthenticate after only a short period of inactivity? Or those sites where, to log in, you first receive a text message with a code, followed, upon successful entry of the first code, by an email with a second code…
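Why a delivered code can already be useless by the time it arrives comes down to how time-based one-time passwords are generated. The following is an added example, not code from this post: a minimal RFC 6238 TOTP generator and verifier written in Python. The 30-second step, the six digits and the one-step drift window are the common defaults (assumptions here, not values the post states), and the secret is the RFC 4226/6238 test secret. The demo shows a code issued late in its 30-second step being accepted when it arrives one step late but rejected after two, which is exactly what a slow SMS or email delivery runs into.

```python
import hmac
import hashlib
import struct

# Parameters from RFC 6238 (TOTP) / RFC 4226 (HOTP). The 30-second step is the
# common default and is why a code "is only valid for a very short period".
STEP_SECONDS = 30
DIGITS = 6
DRIFT_WINDOW = 1  # accept one time step either side to tolerate clock skew

# RFC 4226 / RFC 6238 test secret (public test vector); a real system derives a
# random per-user secret at enrolment.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: dynamically truncate HMAC-SHA1(secret, counter) to decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time step."""
    return hotp(secret, int(at // step))


def seconds_remaining(at: float, step: int = STEP_SECONDS) -> int:
    """How long a code issued at Unix time `at` stays the *current* code."""
    return step - int(at) % step


def verify_totp(secret: bytes, code: str, at: float,
                step: int = STEP_SECONDS, window: int = DRIFT_WINDOW) -> bool:
    """Accept `code` if it matches any step within +/- `window` of the step at `at`.

    Uses a constant-time comparison so a mismatch does not leak which digits
    were right. A code that arrives more than `window` steps late (a delayed
    SMS or e-mail, say) is rejected however correct it was when issued.
    """
    counter = int(at // step)
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), code)
        for delta in range(-window, window + 1)
    )


def main() -> None:
    issued_at = 59  # RFC 6238 test time: step counter 1, six-digit code 287082
    code = totp(TEST_SECRET, issued_at)
    print(f"code issued at t={issued_at}: {code}, "
          f"current for another {seconds_remaining(issued_at)}s")
    for delay in (0, 30, 60, 90):
        ok = verify_totp(TEST_SECRET, code, issued_at + delay)
        print(f"  delivered {delay:>2}s later -> {'accepted' if ok else 'rejected'}")


if __name__ == "__main__":
    main()
```

Run it as a script to see the code issued at second 59 survive a 30-second delay and fail at 60 seconds. Widening `DRIFT_WINDOW` makes late codes usable for longer, but every extra step also lengthens the period during which an intercepted code remains valid, which is the trade-off behind the short validity the post complains about.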

I say it again: I am all in favour of 2FA (MFA somewhat less), but all the authentication in the world doesn’t help when your service provider is itself breached and your data thus compromised. Uber suffered a breach in September 2022 when a hacker used social engineering tactics to bypass the company’s 2FA: the attacker tricked an employee into approving a 2FA push notification, gaining access to Uber’s internal systems. In recent years popular sites such as Robinhood and Reddit have also found themselves victims of such attacks. Many of these breaches occurred through social engineering, where employees were tricked into providing access despite 2FA protections, or through phishing and push-notification fatigue: phishing attacks targeting employees or customers can still be effective against companies using 2FA, especially when users are overwhelmed by frequent prompts such as push notifications and emails.
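The push-fatigue pattern described above leaves a trace in authentication logs: a burst of prompts to one user, several rejections or timeouts, and then an approval. The following is an added example, not code from this post or from any of the companies named: a small Python detector run over a constructed log. The line format and event names (`push_sent`, `push_denied`, `push_timeout`, `push_approved`) are hypothetical, as are the thresholds (five prompts, or an approval after three rejections, within ten minutes); a real deployment would map them onto its own identity provider’s events.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from any real incident). The format, one line per
# MFA push event, is a hypothetical one chosen for this example.
SAMPLE_LOG = """\
2022-09-15T22:01:00Z user=bob event=push_sent src=10.0.0.5
2022-09-15T22:01:08Z user=bob event=push_approved src=10.0.0.5
2022-09-15T22:10:00Z user=alice event=push_sent src=203.0.113.7
2022-09-15T22:10:20Z user=alice event=push_denied src=203.0.113.7
2022-09-15T22:11:00Z user=alice event=push_sent src=203.0.113.7
2022-09-15T22:11:15Z user=alice event=push_denied src=203.0.113.7
2022-09-15T22:12:00Z user=alice event=push_sent src=203.0.113.7
2022-09-15T22:13:00Z user=alice event=push_timeout src=203.0.113.7
2022-09-15T22:14:00Z user=alice event=push_sent src=203.0.113.7
2022-09-15T22:14:30Z user=alice event=push_denied src=203.0.113.7
2022-09-15T22:16:00Z user=alice event=push_sent src=203.0.113.7
2022-09-15T22:16:10Z user=alice event=push_approved src=203.0.113.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) src=(?P<src>\S+)$"
)
PROMPT_EVENT = "push_sent"
REJECT_EVENTS = {"push_denied", "push_timeout"}
APPROVE_EVENT = "push_approved"


def parse_events(lines):
    """Yield (timestamp, user, event, src) tuples; lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        yield ts, m["user"], m["event"], m["src"]


def detect_push_fatigue(events, window=timedelta(minutes=10),
                        prompt_threshold=5, rejects_before_approve=3):
    """Flag users who were bombarded with prompts, or who approved after rejecting.

    Keeps a per-user sliding window of recent events and raises an alert when
    (a) the number of prompts in the window reaches `prompt_threshold`, or
    (b) an approval follows at least `rejects_before_approve` denials/timeouts.
    Returns a list of alert dicts in time order.
    """
    alerts = []
    recent = defaultdict(deque)  # user -> deque of (timestamp, event)
    for ts, user, event, src in sorted(events):
        q = recent[user]
        q.append((ts, event))
        while ts - q[0][0] > window:  # drop events that fell out of the window
            q.popleft()
        prompts = sum(1 for _, e in q if e == PROMPT_EVENT)
        rejects = sum(1 for _, e in q if e in REJECT_EVENTS)
        if event == PROMPT_EVENT and prompts == prompt_threshold:
            alerts.append({"user": user, "at": ts, "src": src,
                           "reason": f"{prompts} push prompts within {window}"})
        elif event == APPROVE_EVENT and rejects >= rejects_before_approve:
            alerts.append({"user": user, "at": ts, "src": src,
                           "reason": f"approval after {rejects} rejections/timeouts "
                                     f"within {window}"})
    return alerts


def main() -> None:
    for alert in detect_push_fatigue(parse_events(SAMPLE_LOG.splitlines())):
        print(f"{alert['at'].isoformat()} {alert['user']} from {alert['src']}: "
              f"{alert['reason']}")


if __name__ == "__main__":
    main()
```

On the sample log `bob`’s single approved prompt raises nothing, while `alice` triggers two alerts: one when the fifth prompt is sent, and one when she finally approves after four rejections. The second alert is the one worth paging on, since an approval that follows a run of denials is the signature of a worn-down user rather than a normal login, and is the moment to revoke the session and ask for a stronger factor.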

There are easier ways to protect your data from prying eyes! Methods such as fingerprint recognition, facial recognition, iris scanning and voice recognition are rapidly gaining popularity. Biometric authentication methods offer a high level of security and user-friendliness at the same time, as users do not have to memorise passwords or answers to security questions. In addition, many users are already familiar with them, as many end-user devices already have biometric authentication built in. Having said that, they don’t work every time either: just try to use Face ID on your iPhone in a very dark room, for example.

Or does anyone remember hardware tokens, the pocket-sized physical devices commonly used in the early days of online banking? How blissfully easy it was to log on to your bank in those days! The biggest risk was that you would lose your token or that its battery would run out and it would need to be replaced. But then, in those days scammers too were no doubt much less sophisticated.

2FA and MFA are here to stay, there is no doubt about that, but ever-increasing hurdles to access a service may also end up being counterproductive. Social media platforms want users to spend as much time as possible on their sites, but I for one am increasingly weighing my need to be on a platform against the hassle of logging on to it. At what point will users decide that it’s not worth the effort and use another provider instead? I for one have already started: I used to follow on Facebook, at least occasionally, what some of my friends were up to, but their login process has become so complicated that half the time now I give up.

Online privacy and data protection are also the users’ responsibility. We all know the dangers of clicking on links in dubious emails, so, unless we ourselves use our common sense, there will always only be so much service providers can do to keep us safe – not to mention the fact that scammers quickly latch onto new security features and find a way around them. No number of authentication levels is going to change that.

2 Comments

  1. Yeah I generally leave 2FA turned off when I am given the chance. For some things I am happy to use it until I realise that I’m in the lounge and my bloody phone is in the bedroom.

    With my bank, the best form of security is only to keep a small amount in there, so my liability is low. I must admit I have instructed some services to go back to paper billing. The complexity of the rules they put in place makes it impossible to memorise a password, forcing me to write it down, which must be the most insecure approach of all!


  2. Even worse: I need to authenticate using a UK phone number, but since I live in Switzerland, I have a Swiss number… so I use my wife’s mobile number for authentication and then call her desperately to get the code which she received on her phone…

    I do all my banking online and I hate paper bills: e-invoicing, where I receive the bills directly in my Swiss bank account and can validate them there, is so much easier. But as far as passwords are concerned, I use for most logins the same one or one of about four slight variations of it…
