Last week I wrote about how I had 800 passwords in my password manager. It was intended to highlight the ridiculous proliferation of online services, and how redecentralising identity comes with a manageability problem.
I now want to talk about 2FA - Two-Factor Authentication - the random codes you have to type in every time you log in somewhere secure.
This week, I've moved all my 2FA tokens from Authy, to the open source andOTP app. It was mostly painless exporting the Authy keys - but took a while to manually check each one. Do I really need this many 2FA tokens?
It's good that my webhost uses 2FA - but annoying that they have two separate ones for my account and my control panel.
I've got a bunch of Gmail accounts - it is frustrating scrolling through remembering which G-icon goes with which G-service.
There's a few different Microsoft ones because I'm not sure of the collateral damage if I try to link my Xbox, Skype, and Outlook accounts.
And the usual smattering of hardly-used services which offered 2FA, so I set it up.
Oh, and a few services which don't use standard TOTP - and insist on using their own app or hardware token.
Is This Secure?
I don't know any more.
In security, we usually talk about the benefits of having your security split between something you know (a password) and something you have (a token). But I've effectively combined them. My phone stores passwords and tokens. If someone steals it and can break through my biometrics & PINs - they've got the keys to my kingdom.
If a crappy service has leaked a passwords, which I've reused elsewhere, then this 2FA set-up provides extra security. But fewer than 5% of my online accounts support 2FA - so that's a minor benefit.
I tried using a YubiKey - and I just couldn't get on with it. The software was too flaky, hardly any services support it, and my keyring is rarely to hand.
So I'd have to keep an easy-to-lose physical token - as well as a phone for every service which doesn't support it.
Text For Details
As well as the codes in my app, I have a bunch of services which will only use insecure SMS for 2FA:
Quite why these services are stuck in the dark-ages is beyond me. Possibly they just want my phone number for marketing purposes?
The username / password / token pattern is becoming increasingly unsustainable for me. Having a multitude of security apps is marginally more convenient than carrying around a big bunch of keys. But it is frustrating find the right app, searching through for the right icon, typing things in before the timer expires, and proving my identity multiple times daily.
I could turn off 2FA and re-use the same username/password everywhere. That would be a hell of a lot easier for me. But I don't want to reduce my security that much!
I could sign in to everything using Facebook. But even if that weren't ethically dubious, not every service supports that.
Both Google and Authy have a useful service whereby they send a push notification to your phone and ask you to confirm your login. Cool, and easy to use. But, again, limited support and the same risk of my phone being the single point of failure.
What's the alternative? If you know - please leave me a message in the comments.