3 Comments
Alan Smith

Great article!

One thing I don't see discussed enough in regards to 2FA is how important it is to either layer up or have some way (however much a pain) to bypass it in case it breaks. This obviously weakens the value of it, but imagine this: any time you need to get money out of your bank account, you need to put in a code (SMS, TOTP, whatever) in addition to the usual. However, for some reason, that system breaks - the SMSs aren't arriving, the TOTP device has broken or catastrophically desyncs, whatever.

All of a sudden, you can't get money out. Now, in the real world you can probably go into the bank with some ID or whatever and get access or get it fixed or whatever, but in the case of things like email and such we can see this being harder to fix.

This isn't to say 2FA isn't good! It really is great! But like any security system you have to make sure of the problems it introduces and how to address them (TOTP: back up your seeds; SMS: be able to change the number if you really need to; email: definitely keep access to the inbox involved, etc.).

Tony Ziade

Thanks for your comment Alan!

I think having a way to bypass 2FA fundamentally ruins its purpose (as you mentioned).

I also think there are better more secure ways of implementing solutions to these issues, mainly because:

1) I don't usually try to worry people (especially beginners) about things that are out of their control. I have been using 2FA now for many years and I've barely had 2 or 3 instances of it not working as intended (which got resolved very quickly) with both SMS and TOTP, which is why, in my opinion and experience, the benefits of implementing 2FA exponentially outweigh the drawbacks and the hassles that occasionally govern its use.

2) A 2FA system breaking is most likely due - in the case of SMSs - to the companies handling the SMS requests (assuming the user has good service).

This usually gets resolved in a matter of hours and the user has no control over the outcome.

If this happens in a more corporate setting, it can be usually resolved through a phone call (although now that AI is here I think this option will be scrapped) or a visit with an ID, as you pointed out in your bank example.

3) While 2FA rarely breaks with TOTP due to time desyncs, a better alternative that I recommend is to have the TOTP codes generated on more than one device at a time, including - as you pointed out - a backup for the TOTP codes somewhere safe, since that would eliminate the need to have the local device time correctly set up in order for it to work.

4) While it's also true that the failure of 2FA through email is harder to fix compared to other methods, I think a better solution - instead of having to backdoor 2FA - is to simply add different means of authentication available to users. This ties back to the 3 main methods I talked about in the post. You could have phone number + biometric identification + email + TOTP on a single account (won't dive into the privacy implications, the increase in complexity, and the added vulnerabilities here), as this basically guarantees that at least one of the methods would have to work at any given time. This also lets users reset other 2FA methods in case one is lost or broken permanently.

5) Furthermore, the most common issues I've faced with other users (as well as with myself, I confess) are accidentally deleting the TOTP codes and having no backups.

I believe prioritizing the prevention of such impactful and permanent incidents should take precedence over addressing temporary service interruptions.

However, I still agree with your premise. Generally, the more private/secure something is, the more of a hassle it is to use. I think users should always keep that in mind whether it's about 2FA or not, especially if their threat model lies more on the convenient side.

Alan Smith
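The "time desync" point in the comment above is easy to see in code. The following is an added example, not part of the original post or either commenter's own material: a minimal RFC 4226/6238 TOTP implementation with a server-side verifier that tolerates a small clock skew, plus a helper that simulates a device whose clock is off by a given number of seconds. The seed is the well-known RFC 6238 test-vector secret (not a real credential), so the generated codes can be checked against the published vectors; the `skew_steps` parameter and the `device_code_accepted` helper are assumptions for this demonstration, not part of any standard.

```python
import hashlib
import hmac
import struct

# Constructed demo seed: the RFC 6238 SHA-1 test-vector secret (20 ASCII bytes).
# A real authenticator stores the base32-decoded shared secret; never reuse this one.
DEMO_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step).

    Two devices holding the same seed and roughly the same clock produce the same code,
    which is why a backed-up seed can be restored onto a second device.
    """
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, skew_steps: int = 1) -> bool:
    """Server-side check that accepts the current step plus `skew_steps` steps either side.

    `skew_steps` is an assumed name for this example; vendors choose their own window.
    A constant-time comparison avoids leaking which digits matched.
    """
    counter = unix_time // step
    for delta in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), code):
            return True
    return False


def device_code_accepted(secret: bytes, server_time: int, device_offset_seconds: int,
                         skew_steps: int = 1) -> bool:
    """Simulate a device whose clock is `device_offset_seconds` off from the server.

    Returns whether the code that device would display is accepted by the server.
    This is the "TOTP desync" failure mode: a clock far enough out of the window
    makes every code the device shows invalid, even though the seed is correct.
    """
    device_code = totp(secret, server_time + device_offset_seconds)
    return verify_totp(secret, device_code, server_time, skew_steps=skew_steps)


if __name__ == "__main__":
    t = 1111111109  # one of the RFC 6238 reference timestamps
    print("server code  :", totp(DEMO_SEED, t))
    print("clock -40s   :", device_code_accepted(DEMO_SEED, t, -40))   # inside a 1-step window
    print("clock -90s   :", device_code_accepted(DEMO_SEED, t, -90))   # outside it: locked out
    print("clock -90s, window 3:", device_code_accepted(DEMO_SEED, t, -90, skew_steps=3))
```

Widening the window buys tolerance for drifting clocks at the cost of accepting more codes at once, so the usual mitigation is a small window on the server plus NTP-synced clocks (or a second device / a stored seed backup) on the user side, which is the layering the thread is discussing.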

Yes, that's kind of what I meant about layering up. This is one place where I think Google does a good job - they allow you to set up multiple 2FA methods, and you can use any of them. This is arguably a bit less secure than having one because you have multiple points of failure, but I don't think it's *much* less secure, and very likely still more secure than not having 2FA at all. But it does have the benefit of if one becomes inaccessible, you're not locked out.

Two true stories to illustrate my point:

1. I am currently locked out of my LinkedIn account because the e-mail address it's tied to changed/ceased to exist after graduating. The only way to bypass that is to send scans of formal ID - not something I trust LinkedIn to keep safe or delete. So I can't even delete the account without arguably compromising my privacy even more.

2. For the last three months, I could not easily transfer money from my bank account because the SMS 2FA system for some reason was broken - it did not send the SMS. I tried calling, I tried going into the branch, totally useless ("Have you tried setting up our app?" "Yes, it requires SMS to set up"). The number was definitely correct, there was some weird database glitch. SMS was also required to change the number, amusingly enough. (I did manage to fix it through cleverness, luck and poorly designed security systems, but I don't think that helps the bank's case.)

2FA is good, I'm not arguing that point, but any authentication step or system comes with the risk of locking people out wrongfully, and you need to either plan for that (preferred, but in my view under-emphasised), find some way to work around it (obviously not good, nor feasible for non-system savvy people or people without time), or accept that that's just going to happen.
