Two factor authentication. Securing your account with email address, phone number and password.
Seriously? When is it too much work to be worthwhile? We shouldn’t be asking how to make our accounts more secure. We should be asking what’s wrong with this system that we live in such fear of having our online accounts hacked.
It isn’t bad enough that passwords need upper and lower case letters, numbers, symbols, more than 8 of the above. And they need to be changed regularly. And we all have at least 50 of these, none of which should be the same. A mere password is insufficient to secure an account these days.
Signing in online is broken. Any system this clunky needs to be rethought. It reminds me of a common joke. Here’s a good example:
In ’80-90s shows of people in New York, they had with multiple, heavy duty deadbolts on their front doors. Took 10 minutes to lock and unlock. Huge waste of time. Then, the crime rate in NY City was high. In 2017, it hit record lows.1 Not because people got better locks or ways to defend themselves. The decline is attributed to a variety of factors, such as better policing, social programs and an improved economy.
Two factor authentication requires the user to provide two independent forms of information, such as a password and answer to security question or password and randomly generated six digit number. The six digit number is generated at 30 second intervals and relayed to a device that displays the number and the one deciding if access will be allowed to the secured account. A third party is involved, even if it’s an electronic one. How safe is that? From a brief survey of guru tech publications, the six digit random thing is considered state of the art in account security.
What disturbs me about this, in a very visceral way, is that being me is no longer enough to access my accounts. I need an assistive device. All by myself, I can memorize critical passwords so they are always there in an emergency. With two factor authentication, I need more than just me. I am not in control of my own accounts. Some device is.
Not only that, but this enhanced security to get into an online account is like putting an armoured door on the house, while leaving the windows open. Front door access may be secure but viruses and weakly protected internet connections may allow infiltration. That ‘remember me’ box you click after entering your username and password pretty much invalidates the complex password, because once access to the device is obtained, every app on that device is open.
Several accounts I have are encouraging me to link my phone number to an internet access account. This seems silly. If I add more personal information into my profile, when it gets hacked, doesn’t the hacker has even better ways to forge my identity? The phone number is supposed to allow a question to be asked if a suspicious entity is trying to login. Or the email address will receive messages to confirm or deny suspicious activity. Based the ample spam I get regarding breaches of accounts (I may or may not possess) that must immediately be responded to (just click this link), I’m likely to mark any correspondence about an account issue as junk. Dangerous, sloppy and unlikely to have the desired effect.
I find it clunkier and clunkier to operate digitally, suggesting to me we’re building silly systems that compensate for weaknesses rather than fix them. As each lower layer is breeched, we retreat to upper layers, abandoning were we once lived comfortably. It may be that we are achieving more and more security, but at what cost of restraining people’s lives?
What happened to biometric/facial recognition? Give me something I always have with me, like a body part or function to prove I’m me. Security was supposed to get easier with innovation. In the future, it should be trivial to identify each human beyond a shadow of a doubt, without any more than the wave of a wrist. And, how about getting at root causes of cybercrime?
I’m holding my breath until we get there, because multi-factor authentication is no way to live.