
secarch.dev/posts/2fa-is-still

"2FA is Still Too Complicated for Most People"

I wrote something that might be unexpected.

tl;dr: use and recommend password managers first, then 2FA

this post has been coming for a while now, so here are ~1500 words on the subject.

@szbalint I haven't read it yet but in general this is a good take imo
It's a lot of faff and when everything is geared towards convenience it really stands out as a lot to have to do.

@sophia that’s a good first approximation/summary actually

2FA really is a lot of effort compared to the gains

@szbalint I think a lot of tech savvy people also forget that a lot of people just aren't.

If I told my mother to set up 2fa she'd be there crying for 2 days before asking for help, and my inlaws wouldn't even get that far, they'd not understand.

It's like the old 'anyone can install linux', it ignores a lot of people.

@sophia And still, whenever we make this argument that we should be inclusive, I always receive people in my mentions going

"Ah, TOTP is simple, just read RFC 6238? Like, 'basically, we define TOTP as TOTP = HOTP(K, T), where T is an integer and represents the number of time steps between the initial counter time T0 and the current Unix time.'
Basic, really."

It's OpenPGP vs Signal all over again. My mum and most of my family use Signal, but would never get encrypted mail working.
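For readers who do want to see what the RFC 6238 definition quoted above boils down to, here is an added example (not code from the original thread or any of its participants) that computes TOTP = HOTP(K, T) and checks a submitted code with a small clock-drift window; the key is the RFC's own test-vector key, not a real secret.

```python
import hmac
import hashlib
import struct


def hotp(key: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, t0: int = 0, digits: int = 6) -> str:
    """RFC 6238 TOTP = HOTP(K, T), where T = floor((unix_time - T0) / step)."""
    return hotp(key, (unix_time - t0) // step, digits)


def verify_totp(key: bytes, code: str, unix_time: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Verifier side: accept the code for the current step or +/- `window` steps
    (tolerates clock drift); each comparison uses hmac.compare_digest."""
    current = unix_time // step
    return any(
        hmac.compare_digest(hotp(key, current + d, digits), code)
        for d in range(-window, window + 1)
    )


# Constructed example using the RFC 6238 Appendix B test-vector key (ASCII "1234...").
RFC_KEY = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC_KEY, 59, digits=8))          # RFC 6238 vector: 94287082
    print(totp(RFC_KEY, 1111111109, digits=8))  # RFC 6238 vector: 07081804
    print(verify_totp(RFC_KEY, totp(RFC_KEY, 59), 89))   # one step later: True
```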

@szbalint When I first installed debian I was already extremely tech savvy, but hardware incompatibility floored me. Without being talked through it I'd have had no clue, but even the person helping presumed I knew things I didn't because everyone in their circles does.
It frustrates and alienates people rather than encourages

@szbalint A very small portion of my customers use 2FA/OTP at work, but with enabling it comes enabling a more secure business process on their account for handling their account.
We've found that people who are savvy enough to properly use it and keep backups are extremely happy with the added security and more stringent process, but it's definitely not "ready" for mainstream. Not sure if it ever will be in this form.

@szbalint
I am perfectly capable of understanding the security benefits of 2FA and of using it every day, but even I find it too complicated for most stuff. Especially b/c I can easily memorise 15+ strong passwords.

@szbalint Great article.

I just came back from a security con and told one of my coworkers (software engineer intern) about a talk I attended on MFA. After lunch she told me she set up 2FA on her work Google account.
While it's great that she has done that, she doesn't use a password manager, and I'm sure she doesn't understand the extra implications of 2FA (she would really be in for a surprise if she gets a new device).

Your article will be a good resource to share.

@szbalint Great post. The backup codes especially are a real Achilles' heel of these systems. Who in the heck actually prints those out?

@nolan @szbalint "Let me just save these 2FA codes on a USB stick and then take it to the local shipping store to print them out on their shared public computer."

No, but I do write a couple of each down and stick 'em in my wallet (and a couple more in my desk at home).

...which I'm not going to do with N different sites, just the couple I care enough to enable 2FA on. 2FA is an inappropriate availability/security tradeoff for most sites.

@nolan @szbalint Great post! Reminds me of trying to get people to use gpg signed email.
I actually do print out my backup codes, I'm totally paranoid about losing things. I still haven't found the yubikey I bought a few years back...
