When is 2FA not 2FA?

Security experts strongly recommend using 2-factor authentication (2FA) for accessing critical accounts, such as your bank account. What precisely does this mean?

Authentication methods are divided into three factors:

  1. Something you know (passwords)
  2. Something you have (authentication token, a key, a code sent to your phone, etc.)
  3. Something you are (biometrics: fingerprint, iris, veins under your fingertips, etc.)

Combining two of these factors gives protection even when any single factor is compromised. If someone shoulder-surfed your password, they still need your authentication token to log in. If your RSA token device was stolen, it is useless without your password. If an attacker has your key but faces a retinal scanner awaiting input, he may be stopped there.

So far so good. The problem is that users themselves often subvert these additional protections. A 2FA token is not a panacea that excuses you from using a good password, yet that is precisely what happens in environments with a large number of devices, where a few resource-starved engineers are expected to remember all the passwords with no password management.

Typing in “12345678” for the password followed by the generated token reduces the scheme to a single factor: anyone holding the token can guess the rest. I have seen worse.

What I suggest: use a password manager, so that the passwords can indeed be long and complex and the administrators are not tasked with remembering them, and also use a token or another form of 2FA for extra protection. Do not task anyone with remembering a large number of complex, distinct passwords, or they will all end up being the same or easy to guess.
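
To make the point concrete, here is a worked example, added to this post and not part of the original: a login that requires both a password and an RFC 6238 TOTP code (the algorithm behind most software tokens), together with the enrollment-time policy that refuses a password like “12345678”, and the kind of long random password a manager would generate in its place. The TOTP secret is the RFC 6238 test-vector key so the codes can be checked against the RFC; the denylist and the account are constructed for illustration.

```python
"""Added example: password + TOTP login with an enrollment policy that keeps the
password a real factor. The secret is the RFC 6238 Appendix B test key; the
denylist and account below are constructed for illustration."""
import base64
import hashlib
import hmac
import secrets
import string
import struct
import time
from typing import Optional

# RFC 6238 Appendix B test key ("12345678901234567890" in base32).
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

# Constructed denylist; a real deployment checks against a large breached-password list.
COMMON_PASSWORDS = {"12345678", "password", "qwerty123", "letmein", "admin123"}
MIN_PASSWORD_LENGTH = 16  # long is fine: a password manager types it, not a human


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238) over HMAC-SHA1, as most hardware and software tokens compute it."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def password_is_acceptable(password: str) -> bool:
    """Enrollment policy: reject anything short or on the denylist."""
    return len(password) >= MIN_PASSWORD_LENGTH and password.lower() not in COMMON_PASSWORDS


def generate_password(length: int = 24) -> str:
    """What a password manager does for you: long, random, never memorised."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class Account:
    def __init__(self, password: str, totp_secret_b32: str):
        self.salt = secrets.token_bytes(16)
        self.password_hash = hash_password(password, self.salt)
        self.totp_secret = totp_secret_b32

    def login(self, password: str, code: str, now: Optional[int] = None) -> bool:
        """Both factors must verify; a stolen token alone must not be enough."""
        now = int(time.time()) if now is None else now
        pw_ok = hmac.compare_digest(self.password_hash, hash_password(password, self.salt))
        # Accept the adjacent 30 s windows to tolerate clock drift between token and server.
        code_ok = any(
            hmac.compare_digest(code, totp(self.totp_secret, now + d * 30)) for d in (-1, 0, 1)
        )
        return pw_ok and code_ok


def enroll(password: str, totp_secret_b32: str) -> Optional[Account]:
    """Refuse weak passwords at enrollment: "12345678" plus a token is one factor, not two."""
    if not password_is_acceptable(password):
        return None
    return Account(password, totp_secret_b32)


if __name__ == "__main__":
    print("enroll '12345678':", enroll("12345678", DEMO_SECRET))  # None: rejected by policy
    pw = generate_password()
    acct = enroll(pw, DEMO_SECRET)
    now = int(time.time())
    print("both factors:", acct.login(pw, totp(DEMO_SECRET, now), now))
    print("token only, guessed password:", acct.login("12345678", totp(DEMO_SECRET, now), now))
```

The policy check is the part that answers the title: with the denylist in place, the weak password is never enrolled, so an attacker who steals the token still has a real second factor to get past. Without it, the token is the only thing standing between the attacker and the account.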

Also see my previous posts: Passwords ain’t nothing but trouble
and Lessons from Target on password complexity