OCS
Keeping clients' computers safe and profitable for over 30 years

Two Factor Authentication

Article for: Everyone
Difficulty: Moderate
Importance: Helps you assess your security risks

Although Two Factor Authentication (2FA) is all the rage, and is sometimes useful, its downsides are often overlooked.

What is 2FA?

2FA forces the person logging into an account to provide a second factor, beyond the password, to gain access. Normally the two factors are something you know (a password) and something you have (a special device like a YubiKey, or your phone). The hacker trying to get in needs both. However, they can spoof your phone, so though it helps, it is not the best method. You can sometimes use your email instead of the phone, and I prefer it. Often the account will place a cookie on your computer so that you bypass the second factor if you are logging in from the same computer or IP address.

When is it useful?

  1. Weak Passwords: It is always useful if you use weak passwords. If your passwords consist of one or two words, or a word followed by a few numerals or an exclamation mark, then someone could hack your account and gain access. However, if you use a long random password generated by your password safe, then you are not vulnerable to a straightforward password-guessing attack.
  2. Logging into an already hacked server: If your business server was hacked and the hacker is watching what you are entering, then a password alone is much more vulnerable than 2FA. He may be able to get your password, but he won't have your phone or email. This also applies to any server you log into. If you log into a motel site, or any business already compromised, then your password is vulnerable. The second factor provides some protection for your account and any information it might contain which is properly encrypted. I'm very glad that My Social Security online account uses 2FA and sends me a code to enter before accessing my account.
  3. Someone already hacked your computer: A keyboard logger or similar breach on your own computer will be somewhat mitigated by requiring your phone plus your password. But, if your computer is already hacked enough that the miscreant can see everything, you are doomed anyway.
  4. You log in via WiFi to unknown routers without a VPN: If you log in to unknown routers at a coffee shop or motel without using a VPN and then do banking or log into accounts you need to keep private, even your email, then requiring the second factor is useful. Even if the hacker gets your password, when he tries to log in from a different location with a different computer, the second factor can stymie him.
These might not be the only places where 2FA is useful, but I can't think of any others. So, essentially, if you use a password safe and have good random passwords, and use a VPN (I recommend Tunnelbear), then you might not gain any advantage from using 2FA in most places.
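The mechanics described in "What is 2FA?" and in the list above, as an added example that is not from the original article: a small server-side login check with a made-up user, password and seed, which shows the "something you know plus something you have" rule using an RFC 6238 time-based code (the kind a phone authenticator app produces), the remembered-device cookie that skips the second factor, and the window after which a code counts as expired. A password captured on a hacked server or by a keylogger gets nowhere on its own; the password plus either a fresh code or a token previously issued to that device does. The PBKDF2 parameters, the one-step clock skew and the token format are choices made for this example.

```python
"""Added example (not the article's own code): password + TOTP login check
with a remembered-device token. All users, secrets and seeds are constructed."""
import hashlib
import hmac
import secrets
import struct
import time

# Constructed demo data (not real credentials): one user with a PBKDF2 password
# hash and a TOTP seed that would also be loaded into the user's phone app.
_SALT = b"constructed-demo-salt"
DEMO_PASSWORD = "correct-horse-battery-staple-2019"
DEMO_TOTP_SEED = b"constructed-demo-seed-0001"
STEP = 30  # seconds per TOTP time step (RFC 6238 default)


def hash_password(password: str) -> bytes:
    """Slow, salted hash so a stolen user database does not reveal the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"alice": {"pw_hash": hash_password(DEMO_PASSWORD), "totp_seed": DEMO_TOTP_SEED}}
# Server-side half of the "remembered device" cookie: random token -> username.
REMEMBERED = {}


def totp(seed: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 code (HMAC-SHA1, 30 s steps) for the time step containing `at`."""
    counter = struct.pack(">Q", at // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_totp(seed: bytes, code: str, at: int, skew_steps: int = 1) -> bool:
    """Accept the current step plus/minus `skew_steps` for clock drift.
    Anything outside that window is treated as an expired code."""
    return any(
        hmac.compare_digest(totp(seed, at + d * STEP), code)
        for d in range(-skew_steps, skew_steps + 1)
    )


def login(user, password, code=None, device_token=None, at=None):
    """Return (outcome, new_device_token). The password is always required; the
    second factor is either a fresh TOTP code or a remembered-device token."""
    at = int(time.time()) if at is None else at
    rec = USERS.get(user)
    # Hash even for unknown users so response time does not reveal valid names.
    expected = rec["pw_hash"] if rec else bytes(32)
    if not hmac.compare_digest(expected, hash_password(password)) or rec is None:
        return "denied: bad password", None
    if device_token is not None and REMEMBERED.get(device_token) == user:
        return "ok: password + remembered device", None
    if code is None or not verify_totp(rec["totp_seed"], code, at):
        return "denied: second factor missing or expired", None
    token = secrets.token_urlsafe(32)  # becomes the bypass cookie on this device
    REMEMBERED[token] = user
    return "ok: password + code", token


if __name__ == "__main__":
    now = int(time.time())
    print(login("alice", DEMO_PASSWORD))                                  # password only
    print(login("alice", DEMO_PASSWORD, code=totp(DEMO_TOTP_SEED, now)))  # plus phone code
```

The remembered-device token is what makes the article's "same computer" bypass work: it is only ever issued after a successful code check, and it is still useless to anyone who lacks the password.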

The 2FA downside

So why not just use it and get the added benefits? The problems with 2FA, especially when the second factor goes to your phone, are these:
  1. You lose your phone.
  2. You die or are disabled. 2FA can cause additional problems for whoever needs to handle your life while you are in the hospital or your estate if you die.
  3. It can be very inconvenient. Sometimes text messages don't arrive, or arrive late. My bank used to send me a text code 30 minutes after I tried to log in, but expired it after 10 minutes.

Mitigating the problems

I strongly recommend that you make sure your estate executor, sibling, trusted best friend, or spouse has the password to your password safe and can get into it. I not only have my password in a friend's password safe, but even send him an updated copy of my entire KeePass database quarterly. Be sure your PHONE password is in it. Be sure others can access your stuff in case of an emergency.

If you are using an email address for the 2nd factor, then it is better to have it outside your company. So, an email second factor to your personal account is better, if you are protecting against someone who has already breached your office server.

What I do

I do not use crappy passwords. Mine are usually 31 characters, using symbols, and random. I use a VPN when connecting via restaurants or motels. I don't do banking from a mobile device at all, and definitely wouldn't do it without a VPN. I don't have to log in to a potentially vulnerable office server. So, I normally avoid 2FA, and use my email instead of my phone when it is required.
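To put numbers behind the "weak passwords" item above and the 31-character random passwords described here, this added example (not the article's own code) estimates how many candidates an attacker who knows the shape of a password must try, for the patterns the article warns against versus a password-safe-generated one, and how long that takes at an assumed guessing rate. The wordlist size, punctuation count and guessing rate are constructed assumptions, not figures from the article.

```python
"""Added example (not the article's own code): guess-space estimates for the
password patterns the article contrasts. Rates and list sizes are assumptions."""
import math
import secrets
import string

# Constructed assumptions; the article gives no numbers for these.
DICTIONARY_WORDS = 100_000      # words an attacker's wordlist is assumed to cover
COMMON_PUNCTUATION = 32         # "!" and the other marks people append to a word
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 chars
GUESSES_PER_SECOND = 1e11       # assumed offline rate against a fast hash on GPUs
SECONDS_PER_YEAR = 31_557_600


def guess_space(parts) -> float:
    """Candidates to try for a password built from `parts`, each a (kind, n) tuple:
    ('word', n) n dictionary words, ('digits', n) n trailing numerals,
    ('punct', n) n trailing marks such as '!', ('random', n) n characters
    drawn uniformly from the printable set, as a password safe does."""
    total = 1.0
    for kind, n in parts:
        if kind == "word":
            total *= DICTIONARY_WORDS ** n
        elif kind == "digits":
            total *= 10 ** n
        elif kind == "punct":
            total *= COMMON_PUNCTUATION ** n
        elif kind == "random":
            total *= len(PRINTABLE) ** n
        else:
            raise ValueError(f"unknown part kind: {kind}")
    return total


def bits(space: float) -> float:
    """Entropy in bits for a uniformly chosen password from `space` candidates."""
    return math.log2(space)


def years_to_exhaust(space: float) -> float:
    """Worst-case time to try every candidate at the assumed rate."""
    return space / GUESSES_PER_SECOND / SECONDS_PER_YEAR


def generate_random_password(length: int = 31) -> str:
    """What a password safe's generator does: CSPRNG choice from the printable set."""
    return "".join(secrets.choice(PRINTABLE) for _ in range(length))


def compare(patterns):
    """Rows of (label, bits rounded to 0.1, years) for a list of (label, parts)."""
    rows = []
    for label, parts in patterns:
        space = guess_space(parts)
        rows.append((label, round(bits(space), 1), years_to_exhaust(space)))
    return rows


# The patterns named in the article's "Weak Passwords" item and "What I do".
PATTERNS = [
    ("one word", [("word", 1)]),
    ("two words", [("word", 2)]),
    ("word + 4 numerals + '!'", [("word", 1), ("digits", 4), ("punct", 1)]),
    ("31 random characters", [("random", 31)]),
]

if __name__ == "__main__":
    for label, b, yrs in compare(PATTERNS):
        print(f"{label:26s} {b:6.1f} bits  {yrs:.3g} years at {GUESSES_PER_SECOND:.0e}/s")
    print("safe-generated example:", generate_random_password())
```

The gap is not a matter of degree: the word-plus-numerals pattern falls in well under a second at the assumed rate, while the 31-character random password exceeds 200 bits and is out of reach of any guessing attack, which is the case the article makes for relying on a password safe.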

Date: October 2019

This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.