What makes second factor authentication still too difficult for personal use? How does 2FA compare in the wider picture? What can we do about it going forward?
Currently, enabling 2FA for various services requires more knowledge and organization than it seems at first glance. The problem is not the mere act of activating a 2FA method, but using it continuously over time, weighed against the security benefits 2FA provides. Things are moving in the right direction to improve the ergonomics but, contrary to some recent articles, it might still be too complex.
tl;dr: use a password manager
Who should absolutely use 2FA today
If you are a journalist, activist or you handle sensitive data in a personal capacity, you should absolutely use 2FA today.
Different tradeoffs, requirements and possibilities also apply for corporate usage, where it’s much easier to recover from lost devices and there is stronger tech support in general.
With that said, most of this post is about common personal use-cases, where the picture isn’t so clear.
In some respects 2FA credentials management is similar to OpenPGP key management: long-term use of both requires forward planning and more discipline than can be expected from most users.
Consider the case of lost 2FA devices. What do you do when you lose access to your phone or security key? A large percentage of people enabling 2FA think about 2FA loss only when an event like this happens, by which time it is too late.
Over the timespan of years, people change phone numbers, break phones and lose keyrings with their YubiKey on them. 2FA has to work on a long-term basis and not just during the process of enabling it.
There are three main ways to recover from the loss of 2FA:
Without backup methods for 2FA loss, people are in the unenviable position that they have to contact support (of various services) and try to convince support to disable 2FA for them. In some cases, this is a tough manual process involving proving your identity through some alternative means, in others it is not possible at all due to the security policies of the service. Doing this for a single service is annoying, doing it for a handful is downright nasty.
How many people have the foresight to not only request backup codes but to store them in a way that survives the loss of their primary 2FA methods and at the same time does not compromise the security benefits of 2FA?
Unfortunately while backup codes are supported fairly widely among services offering 2FA, there are exceptions (looking at you Cloudflare - the TOTP seed is not a backup code).
As a sidenote, I found it interesting that some services (eg GitHub) are recommending storing backup codes in a password manager. If that’s the recommendation, why not just use a password manager instead of 2FA in the first place?
Other backup methods
Maintaining backup devices or methods for 2FA also requires effort and discipline. The backup method has to be independent enough from the primary 2FA method to survive the loss of said primary, but at the same time convenient enough that it isn’t a huge burden to maintain. If you need to retrieve a security key from a safety deposit box every time you’d like to enable 2FA at a service, then this effectively creates a fairly high barrier to wider 2FA use.
At the moment most people, even a lot of developers and security professionals, just aren’t familiar with 2FA in detail.
How does the presence of 2FA change the authentication flow? You might be thinking that a user doesn’t need to care about this. However in a lot of ways layering 2FA over existing username:password logins adds confusion.
What is there to be familiar with? Terminology for one. What do you mean “Google Authenticator” isn’t a Google service that is automatically backed up and instead it’s an implementation of something called OATH-TOTP? Are recovery codes backup codes? How does that compare with something called recovery tokens? Are backup codes exclusively backups for 2FA or for the whole login? What do you mean a password reset via email doesn’t allow me to deactivate 2FA? Is it possible to change my password without 2FA? Can I deactivate 2FA if I lost my device, but still have an active session? How often do I need to use my second factor device for login anyway?
These things are not only not immediately obvious, but potentially vary service-by-service.
To manage more than a handful of 2FA enabled services, one needs a spreadsheet. It is rare to find two separate services implementing 2FA the exact same way, up to and including 2FA types. The most common authentication types are text message (SMS), TOTP, and FIDO/FIDO2 based authentication. Of those, a lot of services only support one or two out of the three, and it’s common that one can’t have multiple different types of 2FA active at the same time.
Anyone wanting to activate 2FA across a wider range of services is pushed to use multiple 2FA methods. The spreadsheet is for keeping track which 2FA option is for which service, whether backup codes are supported and were successfully generated, and if one is especially thorough whether it is possible to recover from 2FA loss without backup codes.
This is more effort than can be reasonably expected from the average person.
One subtle pitfall is the case of circular dependencies. When decisions are taken in a sequence, but the time between steps can be months or years, it’s more likely than expected to create circular dependencies with your credentials. The backup codes for your service are safely stored in your password manager. Your password manager is also safely backed up to the cloud. Then a power surge in your house destroys your devices, so you want to restore from your cloud backup; however, in order to do so you first need the 2FA backup codes to access your cloud backup, and those live in the password manager you are trying to restore.
2FA in context
What is 2FA supposed to protect against, anyway? How does it compare to other security technologies like password managers?
These days server-side data breaches are so common that they are the root source of the vast majority of compromised passwords. What’s more, these data breaches enable something called credential stuffing, allowing compromised credentials to be tested against every other major service a person might have. In the era of dozens or hundreds of accounts that a single person might have, most people without a password manager use a handful of passwords, enabling credential stuffing attacks to be devastatingly effective.
This is where 2FA and password managers come in. 2FA methods are unique per service (obtaining 2FA details from a data breach will not help in authenticating into another service) and so are autogenerated passwords managed by a password manager.
Does 2FA protect your login against a data breach from the same service? That depends on the 2FA method, for example TOTP seeds are also usually part of data breaches for services where password hashes were compromised and TOTP login was supported. SMS/FIDO/WebAuthn might offer some protection there, if backup codes weren’t exposed in the data breach.
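To make the point above (and the earlier remark that a TOTP seed is not a backup code) concrete, here is an added example, not code from the original post: a service must keep a TOTP seed in recoverable form to verify logins, so a breach of its database hands out the seed and thus every future code, whereas backup codes are random and can be stored as salted hashes and consumed once. The seed is the RFC 6238 test value; the storage functions and their parameters are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed demo seed (the RFC 6238 test vector); real seeds come from enrolment.
SEED = b"12345678901234567890"

def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1. Anyone holding `seed` computes the same code,
    so a seed copied out of a breached user table is as good as the device."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def _hash_code(code: str, salt: bytes) -> bytes:
    # Assumed storage scheme: PBKDF2-SHA256, same idea as a password hash.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)

def new_backup_codes(n: int = 8) -> tuple[list[str], list[tuple[bytes, bytes]]]:
    """Backup codes are independent random values, so the service keeps only a
    salted hash; a breach of the stored list yields nothing usable for login."""
    plain, stored = [], []
    for _ in range(n):
        code = secrets.token_hex(5)          # 10 hex characters, shown once to the user
        salt = secrets.token_bytes(16)
        stored.append((salt, _hash_code(code, salt)))
        plain.append(code)
    return plain, stored

def redeem_backup_code(code: str, stored: list[tuple[bytes, bytes]]) -> bool:
    """Consumes a matching code so it cannot be replayed; constant-time compare."""
    for i, (salt, digest) in enumerate(stored):
        if hmac.compare_digest(_hash_code(code, salt), digest):
            del stored[i]
            return True
    return False
```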
If someone puts up a fake website and starts a spam campaign to get users to divulge their credentials, what is an effective solution against that?
Unfortunately, SMS/TOTP based 2FA isn’t. Criminals just proxy the codes people enter on the fake site to the real service in real time and thus bypass these methods.
The good news is that security keys based on FIDO/WebAuthn are not phishable, as the browser performs the identity binding and code does not confuse strings as easily as humans do.
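As an added illustration of that identity binding (example code, not from the original post), the following Python shows the checks a relying party performs on a WebAuthn assertion: the browser writes the origin it is actually on into clientDataJSON and the authenticator hashes the rpId into authenticatorData, both of which are under the signature, so an assertion produced on a look-alike site is rejected before any signature is even examined. `RP_ID`, `RP_ORIGIN` and the browser/authenticator stand-in are constructed assumptions; the final signature check is described but not implemented, as the standard library has no ECDSA.

```python
import base64
import hashlib
import json

# Assumed relying party identity (constructed for this example).
RP_ID = "example.test"
RP_ORIGIN = "https://example.test"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_assertion(origin: str, rp_id: str, challenge: bytes, counter: int):
    """Stand-in for browser + authenticator. The page's JavaScript cannot choose
    the origin or spoof the rpId; the browser fills them in from where it really is."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    auth_data = (hashlib.sha256(rp_id.encode()).digest()   # rpIdHash (32 bytes)
                 + b"\x01"                                 # flags: user present
                 + counter.to_bytes(4, "big"))             # signature counter
    signed_bytes = auth_data + hashlib.sha256(client_data).digest()
    return client_data, auth_data, signed_bytes

def verify_assertion(client_data: bytes, auth_data: bytes,
                     expected_challenge: bytes, last_counter: int) -> str:
    """Relying-party checks from the WebAuthn spec, in order. A relayed assertion
    from a phishing origin fails at the origin or rpIdHash step."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return "origin mismatch"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return "user not present"
    counter = int.from_bytes(auth_data[33:37], "big")
    if counter <= last_counter:
        return "counter replay"
    # Final step (not shown): verify the signature over auth_data || sha256(client_data)
    # with the public key stored at registration, using a crypto library.
    return "ok"
```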
Are password managers any help here? In theory password managers with browser autofill also bind credentials to specific domains, however I don’t know if that’s an effective security barrier or not. If you do, let me know.
Primary device compromise
What happens if your primary computing device gets compromised? If, instead of a phishing mail someone induces you to execute their malicious file? Does 2FA offer any protections?
There has been a lot of confusion on this point lately.
The inescapable fact is that once someone obtains high-level access to your laptop/desktop computer, there is no type of 2FA or password manager that will protect you. Anyone with that level of access has 101 different ways of obtaining passwords, proxying or fooling 2FA, or simply taking over your active sessions and doing whatever they wish with them. Neither the most advanced second factor authentication nor encrypted password managers will protect you.
Conclusions and the Future
I think that for the average person we should be primarily recommending password managers, as those provide the most gain for the least amount of complexity. Enabling a stronger type of 2FA does increase security slightly, however at the expense of quite a bit of complexity. Password managers improve every single service (as they are almost universally supported) with very little effort on the users’ part, without spreadsheets, confusing usability or complicated authentication flow.
My hope is that going forward the choices and procedures for 2FA would coalesce around a few well-defined options, coupled with clearer terminology and better UX that would make it much easier to recommend 2FA to a wider range of people.
In particular, I hope that we’ll soon have:
- universal availability of backup codes, multiple simultaneous 2FA types, more than one device per type
- mandatory backup code generation interstitial that explains the purpose of backup codes
- universal adoption of FIDO2/WebAuthn across browsers and services
- periodic service-initiated authentication checkups and recommendations on login
- clearly defined support/recovery procedures