Two Factor Authentication – how you implement it matters

You probably already know about 2FA. You’ve used your phone number to verify you are who you say you are. Or maybe you’ve used SecurID cards or keyfobs to log in at work.

Google Authenticator is another method of 2FA that works similarly to SecurID but uses an app on your smartphone. I was using Google Authenticator for 2FA on several of my accounts, and was recently disappointed to lose access to my iPhone and its backup. That meant I lost everything and would have to start over completely, or so I thought. The only account I actually lost access to was the one from Apple.com, because I didn’t have access to my second factor (my phone got wiped in an upgrade). Google, Facebook and Lastpass all let me bypass my selected form of 2FA on my accounts simply because I was in possession of my cell phone and could read my text messages.

What is the point of having other methods of 2FA if they can be so easily bypassed with just SMS messages? I mean, I’m glad there was another alternative and that I didn’t lose absolutely everything, because losing your phone, contacts, apps, music, everything is stressful enough, but what the heck? Every DEFCON proves that MITM attacks are easy in the mobile phone world, and emails and text messages are not actually a safe second factor.

Now I’m not even going to bother setting any alternate method of 2FA on my accounts, unless I ever get in a position where I can have more than one device act as my second factor, and I can be reassured that there is no simple bypass process, so losing any one thing doesn’t totally break my digital life.

CORRECTION: I shouldn’t have said “bypass two factor authentication” – you aren’t bypassing it; they are just saying it doesn’t matter which two factor authentication method you select, the only second factor that actually matters is that you have access to your SMS text messages.
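To make the correction concrete, here is an added example in Python. It is not code from the original post or from any of the services named above. It does two things: it implements the TOTP algorithm (RFC 6238, HMAC-SHA1, 30-second step) that Google Authenticator uses, which is what “works similarly to SecurID” means in practice, and it models an account as a set of login paths (primary 2FA plus every recovery fallback) so that the account’s effective assurance level can be computed as the weakest path an attacker could take. The factor ranking in FACTOR_RANK, the account dictionaries, and the function names are assumptions made for illustration, not a standard or anyone’s real policy; the TOTP secret is the RFC 6238 test-vector secret.

```python
"""Added example: TOTP verification plus a weakest-login-path model.

Shows why enrolling TOTP changes nothing if SMS remains a recovery path:
the effective strength of an account is the minimum over all paths that
grant access, not the strength of the factor the user picked.
"""
import hashlib
import hmac
import struct

# Assumed ranking of how hard a factor is for a remote attacker to obtain.
# Illustrative only: SMS/email are low because of SIM swap, SS7 and
# inbox takeover; offline recovery codes and TOTP are treated as equal.
FACTOR_RANK = {
    "password": 0,
    "sms": 1,
    "email": 1,
    "totp": 3,
    "recovery_code": 3,
    "hardware_key": 4,
}

STEP_SECONDS = 30


def totp(secret: bytes, at: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme Google Authenticator uses."""
    counter = struct.pack(">Q", at // step)          # 8-byte big-endian step count
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                            # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps of clock drift.

    Uses a constant-time comparison so a wrong code cannot be timed."""
    return any(
        hmac.compare_digest(totp(secret, at + d * STEP_SECONDS), code)
        for d in range(-window, window + 1)
    )


def login_paths(account: dict) -> list:
    """Every set of factors that grants access: the chosen 2FA and each fallback."""
    paths = [{"password", account["primary_2fa"]}]
    for fallback in account["fallbacks"]:
        paths.append({"password", fallback})
    return paths


def path_strength(path: set) -> int:
    """A path requires all its factors, so its strength is its hardest factor."""
    return max(FACTOR_RANK[f] for f in path)


def weakest_path(account: dict) -> set:
    """The path a rational attacker (or the recovery flow) will actually use."""
    return min(login_paths(account), key=path_strength)


def effective_strength(account: dict) -> int:
    """Assurance of the account as a whole: the minimum over all login paths."""
    return path_strength(weakest_path(account))


# Constructed accounts (assumptions for the example, not real service policies).
AS_CONFIGURED = {"primary_2fa": "totp", "fallbacks": ["sms"]}            # TOTP with SMS recovery
HARDENED = {"primary_2fa": "totp", "fallbacks": ["recovery_code"]}       # TOTP with offline codes

# RFC 6238 Appendix B test-vector secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"


if __name__ == "__main__":
    print("TOTP at t=59:", totp(RFC_SECRET, 59))
    for name, acct in (("as configured", AS_CONFIGURED), ("hardened", HARDENED)):
        print(f"{name}: weakest path {sorted(weakest_path(acct))}, "
              f"effective strength {effective_strength(acct)}")
```

Running it shows the point of the correction: with SMS as a fallback the weakest path is {password, sms} and the account’s effective strength equals the SMS rank, whatever the primary 2FA is; replacing the SMS fallback with offline recovery codes lifts the effective strength to the TOTP rank. The same model extends to any recovery route (e-mail reset links, support-desk overrides) by adding it to `fallbacks`.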