Ten Important Things You Should Tell Your Friends About Two-Factor Authentication

Sunday, 23 October 2022
Bob Leggitt

It was never about security. It was always about collecting and selling high-value personal data. Here comes the proof...

It's hard to believe, in a world where tech platforms increasingly mandate two-factor authentication, that there could still be people in this world who believe it's all about our "security protection" rather than the tech industry's bank balance. Sadly, however, the misconception widely persists. So if you know someone who still thinks 2FA is a security measure, here's a list of ten things they urgently need to hear...

1. 2FA does not stop hackers. If they can steal your password via a fake form they can steal your 2FA code via a fake form.

2. On professional sites, strong passwords are virtually never cracked through trial and error (known as "brute force"). Sites that push or mandate 2FA routinely restrict the number of login attempts a would-be intruder can make. Under these industry-standard circumstances it's just not possible to brute-force a login which has a strong password. And if the site were left without restrictions of this type, a hacker could simply brute-force the PIN code as well as the password. As with Point 1, the second factor serves no purpose.
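To make the rate-limiting point concrete, here is an added example (not code from the original post) of the kind of per-account attempt counter and lockout that Point 2 describes, applied to a six-digit one-time code. The `OtpVerifier` class, the lockout threshold of 5 and the account name are constructed for illustration; the exhaustive-guess function simply walks every code against the local verifier to show that the limiter, not the code length, is what decides the outcome.

```python
import hmac
import secrets

CODE_SPACE = 10**6   # a six-digit one-time code, as in the SMS scheme discussed
MAX_ATTEMPTS = 5     # constructed lockout threshold; real sites vary


class OtpVerifier:
    """Per-account one-time-code check with a failed-attempt counter and lockout."""

    def __init__(self, max_attempts=MAX_ATTEMPTS):
        self.max_attempts = max_attempts
        self._codes = {}      # account -> currently issued code
        self._attempts = {}   # account -> failed attempts so far
        self._locked = set()  # accounts that hit the threshold

    def issue(self, account, code=None):
        # A fixed code may be passed for demos/tests; otherwise draw a random one.
        if code is None:
            code = f"{secrets.randbelow(CODE_SPACE):06d}"
        self._codes[account] = code
        self._attempts[account] = 0
        return code

    def verify(self, account, guess):
        if account in self._locked:
            return False
        expected = self._codes.get(account)
        # Constant-time compare so response timing does not leak matching digits.
        if expected is not None and hmac.compare_digest(expected, guess):
            del self._codes[account]   # single use
            return True
        self._attempts[account] = self._attempts.get(account, 0) + 1
        if self._attempts[account] >= self.max_attempts:
            self._locked.add(account)
        return False


def exhaustive_guess(verifier, account):
    """Try every six-digit code in order; True only if the verifier ever accepts one."""
    return any(verifier.verify(account, f"{n:06d}") for n in range(CODE_SPACE))


def worst_case_success_probability(max_attempts, code_space=CODE_SPACE):
    """Upper bound on guessing a uniformly random code before lockout triggers."""
    return min(1.0, max_attempts / code_space)
```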

3. Your account is, statistically, vastly more likely to be compromised through a sitewide hack than through a personal, client-side hack. On this basis, giving your phone number to a tech provider makes you enormously LESS safe than simply using a strong password. You're much more at risk of impersonation and potential ID theft than if you'd kept your phone number private, because a phone number is a key component of personal information, and it can open doors that a throwaway email address will not. Additionally, because most companies using SMS-based 2FA sell the phone numbers they collect (of course they do, duh), the odds of being exposed to sitewide hacks increase even further. If twenty companies end up with your personal data, that's twenty chances of your identity being stolen via a sitewide hack. Although I should perhaps stress that two hundred is a more likely number than twenty. Not even the best hacker in the world can steal what you don't give anyone.

4. Access loss is increased by 2FA. Based on an open Twitter survey, more people reported losing access to their Facebook accounts with 2FA than without it. You don't need to take my word for this. Even a mega-basic Twitter search for "Facebook" "2FA" will instantly hint at the volume of people with 2FA who are hacked. And in addition, there's now the problem of people losing access to their accounts because of the 2FA itself. Most commonly because they lose access to the designated phone. Security experts report a ceaseless stream of messages from people who have been hacked despite enabling 2FA. 2FA has not reduced access loss. It's heavily increased it. All tech platforms know this and have chosen to conspiratorially lie about it, for years.

Extra layer of security? Extra layer of risk more like.

5. Many tech platforms have persistently refused to use any other second factor than SMS via a designated mobile phone number. This is a terrible second factor, since it's prone to so many potential adversities. For example: loss or theft of the device, signal instabilities in rural areas, the poor security and unreliability of SMS itself, unavailability of the medium (i.e. not everyone owns a mobile phone)... For the latter reason, and also because some highly vulnerable groups are much more prone to device loss/theft, insisting on use of a cellphone is both elitist and highly discriminatory. Alongside the lack of any alternative options, this proves beyond question that 2FA is purely an excuse to collect and sell phone numbers. Why would you NOT offer a choice of more suitable options if security really mattered?

6. When this racket started, a sizeable MAJORITY of the world did not have a mobile phone. If 2FA were really about security, would it not have made sense to devise a system that protected EVERYONE, rather than just a MINORITY? If it was about security, that would have been a no-brainer. But it was never about security. It was always about collecting and selling high-value personal data.

7. Gross inconvenience. Even when working correctly, 2FA adds unnecessary inconvenience to the process of logging in - especially in multi-user environments such as small businesses. The delays created by 2FA can even cause loss of sales - for example, if the phone used to set up the 2FA is not always available to everyone who needs it, and a piece of logged-in access equipment fails. Also, 2FA sometimes relies on a third party to operate what is a completely separate service. If the third party's server goes down, it can take hours - possibly a day or more - for the code to be sent out. Once again, unacceptable, unnecessary delay, for no gain when the password is strong.

8. 2FA fosters a false sense of security, which often results in compromises elsewhere. In particular, people are more likely to re-use their passwords across multiple accounts when they believe they're protected by 2FA. This leaves them more vulnerable than if they'd simply used a different strong password per account.

9. For an unthinkably huge volume of people, 2FA is advantageous to thieves. Most people have their 2FA codes sent to the same portable device they're trying to protect. Which means that anyone stealing the device has the means not only to receive the 2FA codes, but also to prove that they are now the rightful owner of accounts using that number for 2FA - at least for as long as it takes to get in and change the logins. And because the supposedly "unhackable" 2FA was used, as far as the tech company is concerned, the login change was legit. If you try to reclaim your account, you are now just an intruder trying to scam the login away from its rightful owner.

10. Giving away your phone number reduces your privacy. And not only in that you've provided the phone number per se. The greater problem is that accounts tied to a phone number are considered ID-verified. They're thus far more exploitable in the data market than accounts with no verified identity indicator. This, of course, is why the tide of coercion from Silicon Valley has been so strong. But what it means for you is that when you add a phone number, more enterprises become interested in your account and its data, and the data (all data - not just the phone number) is almost certain to spread farther and faster. Data brokers will be more interested in a phone-verified account, and if they pick you up, they'll sell you to anyone. ANYONE.

So if you want to create yourself a mire of inconvenience, for no increase at all in security above a strong password, whilst inflating your chances of losing account access and handing a blank cheque to a raft of surveillance capitalists who want to own you, better set up that 2FA I guess.