drdemonprince: resharing this oldie because i just got a new laptop and the number of times i am being required to login to things, login to a DIFFERENT app/program/password manager/authenticator, provide a number, and then login again is making me fucking INSANE
ety-mologic: I'm dealing with this right now - my mother is incapacitated in the hospital, and I've been trying to log into her accounts to pay her bills. I had to pay off her old $250 phone bill to reactivate her old phone number so I could use that number for two-factor authentication on basically everything. They're threatening to cut off her service again and I'm racing to get her accounts switched to my phone number (if they'll let me), but I don't know what all she had or whether I'll be able to track them down before it cuts off.
She also struggled with 2FA herself, finding the process frustrating and confusing, and complained that she couldn't just use a password like she's done for 20-some years. In the past year or two she's had some memory and cognition problems and was struggling with texting, let alone authentication apps and backup codes and all that.
drdemonprince: God, I am so fucking sorry. I wish I had thought to mention how people dealing with the hospitalization, incapacitation, or death of a loved one are completely screwed over by MFA. As if navigating billing and insurance issues couldn't get even harder. Sigh.
drdemonprince: Yeppp. See also: "is my attention really bad these days or is life just wildly more distracting"
carriesthewind: "I don't know what the solution is to this problem, but I do recognize the root of it: 2FA and MFA outsources the responsibility for keeping a platform safe away from the company that developed and runs it and places that burden onto users instead. Asking individual users to authenticate with a phone, a special app, or a code sent to their email is time consuming, frustrating, and for users with disabilities or economic barriers, sometimes completely impossible."
THIS.
Also it reminds me: when my university first got 2FA, I knew it was going to be a huge problem for me. But the announcement email said that there were alternatives for people who didn't want to or couldn't link their phone! The alternative turned out to be a hardware usb that I used in combo with a password, which was fine, except 1) it only worked with devices that have a usb port (because an increasing number of devices don't, thanks apple), and 2) there was no way to attach it to anything (e.g. no key chain) - it was basically a tiny loose thumb drive that I now had to keep track of. (And if I lost it, there would have been a huge fee to get a new one, on top of the security issue.)
And more importantly, while the university offered it, they clearly didn't expect and prepare for anyone to actually take them up on the alternative. It took me two weeks and multiple visits to the IT department to get it set up and everyone who helped me was confused (and often annoyed with *me*) through the entire process.
Like the article says, I understand the security needs behind 2FA - but the current system sucks.
jessalrynn: My employer "offers" it for logging into HR related shit due to an apparently common weed called "Workday".
I am LITERALLY going to go down with the “No, you cannot have *your* stuff on *my* phone” ship, if I have to take them AND Workday down with me.
actualbuckybames: All of the points being made here and the undeniable fact that 2FA is less accessible than not having 2FA are valid reasons to critique the widespread implementation of 2FA - particularly when it's made a new requirement with little warning or education for people using those systems.
At the same time, systems aren't implementing 2FA for no reason, and the article doesn't mention the security reasons at all, just that 2FA is a kind of security. That first example in this chain - someone who is not the owner of the account trying and failing to log into a system containing valuable health and billing info because they do not have access to the second factor of authentication - is 2FA working as intended. It's inconvenient, financially burdensome, and outright aggravating in that instance, yes. But it's doing its job.
Credential stuffing attacks simply do not work when 2FA is involved. Those massive data breaches dumping millions of usernames and passwords onto the net go from catastrophic for the affected accounts to merely inconvenient as people who can log in - because they have the second factor - change their password.
Again, I don't mean to downplay how 2FA can prevent well-meaning individuals from aiding friends and family members or how it can be yet another barrier for disabled individuals trying to access certain services. However, websites guarding your information - PHI, financial info, etc. - need to be confident that the person accessing the account is A) who they say they are and B) authorized to access the account. 2FA is one way a site can check off point A. Username and password pairs just aren't enough anymore. Wondering why? Just ask haveibeenpwned and every major data breach in the last few years.
(As an aside, you may have noticed that security questions have also generally gone the way of the dinosaur. This is because the answers tend to be from a limited pool and otherwise easy to guess with information that's available with just a bit of digging.)
No matter what we do, at the current technological moment, security and accessibility are largely a zero-sum game. New developments with webauthn and public-key cryptography show promise for reducing some of the tradeoff, but the tradeoff will still be there. Not everyone can have a cell phone. Not everyone can have an email. Not everyone can keep track of a little usb stick that generates codes every now and then.
2FA isn't going away anytime soon and, unless a 2FA implementation is so horrible it impacts everyone's ability to access the service, it's unlikely to be rolled back. Don't let that stop you from continuing to talk about your frustrations with 2FA. Highlight specific pain points in the process that present difficulties for you. Write them down, make them public, so developers involved in implementing those systems can make them as painless and accessible as possible.
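To make the credential-stuffing point in the post above concrete, here is an added example (not from the post or any product it names): a minimal RFC 6238 TOTP check in Python with a constructed user table and a constructed "breach dump"; every name, password and secret is invented. Replaying the leaked username/password pairs only succeeds against the account that has no second factor enrolled.

```python
import hmac
import hashlib
import struct

# Constructed "breach dump": pairs an attacker would replay in a credential-stuffing attack.
LEAKED_CREDENTIALS = [("alice", "hunter2"), ("bob", "password1")]

# Constructed user store. Passwords are kept in plaintext only to keep the demo short;
# a real system stores a salted hash. "totp_secret" is None when no 2FA is enrolled.
USERS = {
    "alice": {"password": "hunter2", "totp_secret": b"constructed-secret-alice"},
    "bob":   {"password": "password1", "totp_secret": None},
}

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret, at, step=30):
    """RFC 6238 TOTP: HOTP with the counter derived from the 30-second time step."""
    return hotp(secret, at // step)

def login(username, password, code, now):
    """Return 'ok', 'bad-password' or 'bad-code'; comparisons are constant-time."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return "bad-password"
    secret = user["totp_secret"]
    if secret is None:
        return "ok"  # no second factor: the leaked password alone is enough
    if code is None:
        return "bad-code"
    # Accept the current step and one step either side to tolerate clock drift.
    for drift in (-1, 0, 1):
        if hmac.compare_digest(totp(secret, now + 30 * drift), code):
            return "ok"
    return "bad-code"

def replay_breach(now):
    """Replay every leaked pair with no second factor, as a stuffing tool would."""
    return {u: login(u, p, None, now) for u, p in LEAKED_CREDENTIALS}
```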
mckitterick: I appreciate the IT-tech pov on this, but when I tried to put a like on the article, got asked to log in, and then got this after trying to log in, I just...
irony much?