I hate, hate, hate two-factor verification

Number of times that two-factor verification has prevented me from logging into my own account (because I don’t have the right phone with me, e.g.) and then I subsequently received an email saying “we prevented someone suspicious from logging in!!”: at least 6

Number of times that two-factor verification prevented someone actually suspicious from logging into my account (based on emails received): at most 0

Jesus, Mary and Joseph – can someone please come up with something better than two-factor verification that relies on receiving a text message (or sending an email to a different email account which in turn requires receiving a text message)?

Thankfully, my experience so far with 2FA is that it doesn’t actually happen often even when it’s enabled.

My biggest worry was when Gmail stopped allowing “simple login” and required support for OAuth or “Login with Google”, but allowed a workaround with an app password and 2FA. I had to resort to the latter because my email client doesn’t support the former, but I was concerned that it might invoke 2FA for each and every login attempt. This would make it useless since my email client logs in automatically every five minutes to check mail. Fortunately, it only does it once to authenticate a specific device, and never asks again for requests coming from that device. Which is as it should be.

Apple has like a 6FA. Absolutely infuriating!

What I hate is: wrong password, ok, I’ll go make a new password, nope, your password can’t be your previous password. If it was my previous password, how is it wrong? I’m just trying to log in to give you bastards money. Looking at you, Spectrum.

Your numbers don’t tell the whole picture, though. When 2FA keeps you out, it’s a minor inconvenience that’s resolved as soon as you’re back with your phone. When someone gains unauthorized access to your device, it could cost you millions of dollars, or your job.

Besides which, you don’t know how many times 2FA has saved you from attacks. You would only know about the times when someone tries to attack you without knowing that your system has 2FA, and really, the kind of attacker who wouldn’t know that isn’t a big danger.

Eh, I love 2FA. I can never remember what I put in for security answers.

If you’re willing to carry around something like a yubikey that is a different option. It still involves carrying something around, but at least it’s a smaller something.

If it’s only stopping attacks that aren’t a big danger, then why can’t I turn the bloody thing off? Or am I not understanding your point?

I will add, though, that one thing I passionately hate and do not understand is why all these companies are suddenly so anal about security. I get bugged by eBay about account security, my cable company just introduced 2FA in order for me to see my bill, there’s Google’s Gmail fanaticism about super-security that I mentioned before, and a great many others. I mean, what does my cable company think some evil actor is going to do? See my bill? Order a service upgrade?

You know who’s really laid back about security and rarely bugs me about anything? My bank. Which really understands security, but also knows how to be unobtrusive and non-obnoxious about it.

When I log in to my work portal, there are three options:

  1. Receive a phone call with a voice bot message for a passcode to enter.
  2. Get message via the Duo Mobile 2FA app on your smartphone.
  3. Receive a text message that contains a code to enter.

I installed the Duo Mobile app on my phone. It seemed to work O.K. I got a new phone a few months ago, and installed Duo Mobile on it, too. And of course, it didn’t work - I got a message that said I need to set it up with computer support or whatever. I said to myself, “screw that.” Since then, I’ve been using option 3. I actually prefer it over using the Duo Mobile App on my phone. Why? I dunno. I guess I like it because it is not dependent on a phone app.

I beg to differ, see -

Where it HATES you if you turn it off. Which I have, because it was authenticating insanely frequently. When I turned it off, it demands password verification at least bi-weekly, and of those times, it locks me out over half of them, requiring me to log in, type the same password to their website, unlock, and then type in the password AGAIN!

I have other accounts that require it, and maybe, maybe 3 times a year do I have to use it. But ~!@#$%^&*()_+| Apple. I’ve gone Android → Windows → Apple → Apple → Android → Apple so far for phones, but this is probably the last Apple product for me, and this is a big part of it.

It’s stopping the attacks that are the big danger. It’s not telling you about stopping those attacks, because it stopped them before they even got to that point.

If I’m an attacker, and I see a system that doesn’t have 2FA, and I think I might have a reasonable guess at someone’s password, I might try it, because hey, it might work. But if I see a system that does have (properly implemented) 2FA, even if I think I know someone’s password, why would I bother, if I still don’t have the second factor?

I can’t fathom what you are doing.
I never have to authenticate with iCloud.

Our grandkids will pity us that we used two-factor verification like we pity our grandparents who endured summers without air-conditioning. “I don’t understand why they didn’t just kill themselves!”

I can’t understand how it’s extra security, to be honest. It seems likely to enable thieves to me.

Most women carry their phone and billfold in their purses. Now if it’s lost or stolen, I can’t access my accounts to remove/freeze my accounts from the thieves.

They however, will have both my cards and my cell for the second stage access they want!

I’m with you, I hate it. I’m this close >< to just keeping my money at home in a metal box.

Exactly. My bank has allowed me to keep the same password for twenty years, without telling me that it has to be “seven characters, one of which is a capital letter, and two of which are numbers.” Oh, and a suggested safe password is “sje24&%#bheS2Eth,” or some Goddamn thing that nobody could possibly memorize. Naturally, my accounts are insured by CDIC. This isn’t Fort Knox, people!

I belong to a professional organization that demands its members change their passwords every four to six months. Yes, it’s seven characters, one of which must be a capital letter, and two numerals. Jeezus, what’s the worst that can happen if somebody hacks my account? Somebody else pays my membership fees? I wish they would!

Yes, it can be very frustrating and, at times, even debilitating. Getting started in our domain was downright traumatic. We sent out directions via email explaining how to migrate to 2-step verification. They were, of course, followed by almost no one, so we had staff members who could no longer sign into Google. Since we are a Google district, that meant they couldn’t do pretty much anything until the issue was addressed.

We have to ride herd over approximately 1,000 student Chromebooks, and the chief methodology we use to clean up and update the machines is something called a “Power Wash”. At first, I had to carry my phone everywhere I went because the security query would come to my admin account. Imagine my surprise when I received a security flag telling me that I was using 2-step verification too much, and my ability to sign into a new device was suspended. For the student accounts, it was totally unworkable from the get-go. So, we disabled 2-step for student accounts and created a limited admin account with 2-step disabled. We can use that for maintenance purposes.

Having said all that, I firmly believe the growing pains are worth it. It is EXTREMELY secure because, even if you are hacked, it is impossible for them to receive and acknowledge the security query. Google has been under severe cyber attack, so caution is the buzz word.

Except, of course, you will have logged out of your phone so they can’t access it.

So, on my work laptop I have to log in with my corporate password - fine. Then I have to log into the remote client - using the same password - which then needs 2FV which is sent to my phone. Then I have to log into Outlook/Teams with the same corporate password. Ridiculous. And our corporate password requires at least 13 characters with the usual requirements for caps, numbers, and symbols. I tested the password for brute force reliability and it was in the order of 200,000 years. Yet, they make us change it every 6 months. Not a fan of the whole process.

2FA scares me, if I lose access to my phone, especially while traveling I am screwed as even if I get another phone it will take some time and 'plaining till I can get back my services (not to even mention the big gaping security hole you can fly a planet through if someone obtains my phone and passcode). Though the thought of not having it is also scary. We really need something better.