I have 4% 2FA coverage
Last year, when doing some digital spring-cleaning, I realised that I had 800 different passwords.
I tried going through them, removing long-dead websites, closing old accounts, and deleting anything incriminating. I now have 891 accounts.
Arse.
I also went through my 31 different 2FA accounts. Getting rid of old employers' email tokens, failed crypto wallet providers, Club Penguin, etc. I now have 40 different TOTP tokens.
So, about 4% of my accounts have 2FA security.
I don't know if that's good or not. It feels like it ought to be more, but I'm not sure if I want the administrative burden. Even with a password manager and OTP manager, it's a headache.
I do have a YubiKey (which I hate) but so few services support it. And, frankly, it's a pain trying to find it and shove it in a USB socket.
A few services, like Steam, use their own special 2FA app. And some only offer 2FA via email or SMS. Yeuch! Google has a fancy set of push notifications on Android - but that only works with Google accounts.
Is this a problem?
Any of my accounts which handle payments are tied to my credit cards or PayPal - so I don't care too much if someone cracks my password to Pizza Planet; there's limited damage they can do.
But there has to be a better solution. Things like WebAuthn look interesting - but I worry that they're too complicated for mere mortals to understand. And I'm worried about how fragile it is to have all your credentials tied up on one physical token. And I'm worried that credentials are tied to your browser.
So what's the solution?
Daniel says:
I have such anxiety when it comes to 2FA backups. Most websites recommend Google Authenticator, but you can’t export the 2FA secrets out of the app. Google recently made it possible to transfer it to a new phone; assuming you haven’t lost, sold, or broken the old phone. Where would you even store the 2FA secrets if you were able to export them out of your 2FA app? You can’t just save it to a cloud drive. Putting it in your password manager kind of defeats the purpose of having two factors as you’ve put all your secret eggs in one basket.
Then there are the damned websites that only support adding one 2FA token. You need at least two, right? One primary YubiKey or OTP token, and a backup in case you misplace or break the primary one. I regret it almost every time I’ve added a 2FA to a website. They often don’t let you remove or replace it, even if you still have the 2FA token! You’re locked into securely maintaining a single secret forever. A secret that, for most people, will be stored in an app that they can’t even backup the data from!
This is all so frustrating.
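The TOTP tokens counted in the post and the export problem Daniel describes both come down to one shared key. The following is an added example, not code from the post or from either commenter: it implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library, shows the `otpauth://` URI that the enrolment QR code carries (that URI, or just the base32 secret in it, is the whole backup; an app that cannot export it is an app limitation, not a protocol one), and includes the server-side check with a small clock-skew window and replay protection. The key `12345678901234567890` is the published RFC test vector; the issuer and account names are made up.

```python
"""TOTP (RFC 6238) from the Python standard library.

Added example; not code from the post or its comments. The only long-lived
secret is the shared key the service showed at enrolment (the string inside
the QR code), so backing up a TOTP token means backing up that key.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, quote, urlsplit

# Reference key from RFC 4226 / RFC 6238, used here only as a known test vector.
RFC_TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte counter, dynamically truncated to decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, now: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """Current code: HOTP over the number of `step`-second periods since the epoch."""
    if now is None:
        now = int(time.time())
    return hotp(key, now // step, digits)


class TotpVerifier:
    """Server-side check: tolerate a little clock skew, never accept a code twice."""

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.key, self.step, self.digits, self.window = key, step, digits, window
        self.last_counter = -1  # highest period already consumed by a successful login

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        if now is None:
            now = int(time.time())
        current = now // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue  # replay of an already-used period
            if hmac.compare_digest(hotp(self.key, counter, self.digits), code):
                self.last_counter = counter
                return True
        return False


def otpauth_uri(key: bytes, issuer: str, account: str, digits: int = 6, period: int = 30) -> str:
    """The enrolment URI encoded in the QR code; this string is the backup."""
    secret = base64.b32encode(key).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret}&issuer={quote(issuer)}&algorithm=SHA1"
            f"&digits={digits}&period={period}")


def key_from_otpauth(uri: str) -> bytes:
    """Recover the raw key from an otpauth:// URI (apps usually strip base32 padding)."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    secret = parse_qs(parts.query)["secret"][0].upper()
    secret += "=" * (-len(secret) % 8)
    return base64.b32decode(secret)


if __name__ == "__main__":
    uri = otpauth_uri(RFC_TEST_KEY, "Pizza Planet", "alice@example.com")
    print(uri)
    print("code at t=59:", totp(key_from_otpauth(uri), now=59))
```

The verifier keeps the last accepted period so that a code captured by a phishing page cannot be replayed within the same window; RFC 6238 recommends exactly this. Anything that can store the `otpauth://` string (a printed copy in a safe, an encrypted file kept separately from the password manager) is a complete backup of the token.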
Alexander says:
Unfortunately as you’ve experienced, aside from the extreme lack of services that support WebAuthn/FIDO2, most of the services that do support the standard misunderstand the reasons behind it and implement things wrongly…
A well-implemented 2FA system using FIDO should allow multiple hardware tokens to be registered against a single account.
And using the hardware token ID as the sole account identifier is stupid beyond words, whoever came up with that idea needs to have a long hard think about real life and why locks normally come with more than one key.
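The two properties Alexander asks for (several hardware tokens per account, and the account identified by something other than a token ID) are a data-model decision on the relying-party side. The following is an added example, not code from the post or from either commenter, and not any real site's implementation: a minimal WebAuthn relying-party store in which an account is keyed by its own random user handle, credential IDs are indexed RP-wide and resolved back to the owning account, a backup key can be enrolled while the primary is excluded from re-registration, and a key can be removed as long as another remains. The signature-counter check follows the WebAuthn assertion rules for clone detection. All names, the credential IDs and the public-key placeholders are constructed for the example.

```python
"""Relying-party credential bookkeeping for a FIDO2/WebAuthn login.

Added example; not code from the post or either commenter. The account is
keyed by its own user handle (the WebAuthn user.id), never by a credential
ID, and any number of authenticators can be registered against it.
"""
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Credential:
    credential_id: bytes   # opaque ID chosen by the authenticator at registration
    public_key: bytes      # COSE-encoded public key from attestation; opaque here
    label: str             # user-facing name, e.g. "YubiKey on keyring"
    sign_count: int = 0    # last signature counter seen, for clone detection


@dataclass
class Account:
    user_handle: bytes     # random, stable WebAuthn user.id; not tied to any key
    username: str
    credentials: dict = field(default_factory=dict)  # credential_id -> Credential


class RelyingParty:
    def __init__(self) -> None:
        self.accounts: dict = {}          # user_handle -> Account
        self.credential_owner: dict = {}  # credential_id -> user_handle, RP-wide index

    def create_account(self, username: str) -> Account:
        handle = secrets.token_bytes(32)  # WebAuthn allows user.id up to 64 bytes
        self.accounts[handle] = Account(handle, username)
        return self.accounts[handle]

    def exclude_list(self, user_handle: bytes) -> list:
        """excludeCredentials for the next registration ceremony, so the same
        authenticator is not enrolled twice under one account."""
        return list(self.accounts[user_handle].credentials)

    def register_credential(self, user_handle: bytes, credential_id: bytes,
                            public_key: bytes, label: str) -> Credential:
        """Add one more key to an account; the ID must be unique across the RP."""
        if credential_id in self.credential_owner:
            raise ValueError("credential ID already registered to an account")
        cred = Credential(credential_id, public_key, label)
        self.accounts[user_handle].credentials[credential_id] = cred
        self.credential_owner[credential_id] = user_handle
        return cred

    def account_for_assertion(self, credential_id: bytes,
                              user_handle: Optional[bytes] = None) -> Optional[Account]:
        """Resolve the account from an assertion's credential ID. For a
        discoverable credential the authenticator also returns the user handle,
        which must agree with the RP's own index."""
        owner = self.credential_owner.get(credential_id)
        if owner is None or (user_handle is not None and user_handle != owner):
            return None
        return self.accounts[owner]

    def record_assertion(self, credential_id: bytes, new_sign_count: int) -> bool:
        """Accept the signature counter only if it moved forward. A stale or
        repeated value means the key may have been cloned; both zero means the
        authenticator does not implement a counter."""
        cred = self.accounts[self.credential_owner[credential_id]].credentials[credential_id]
        counter_in_use = not (new_sign_count == 0 and cred.sign_count == 0)
        if counter_in_use and new_sign_count <= cred.sign_count:
            return False
        cred.sign_count = new_sign_count
        return True

    def remove_credential(self, user_handle: bytes, credential_id: bytes) -> bool:
        """Drop one key. Refuses to remove the last one so the account cannot
        end up with 2FA required and nothing left to satisfy it."""
        creds = self.accounts[user_handle].credentials
        if credential_id not in creds or len(creds) == 1:
            return False
        del creds[credential_id]
        del self.credential_owner[credential_id]
        return True
```

With this layout the "lost my only key" case is handled by enrolling a second key while the first still works, then removing whichever one is gone; the account itself never depends on a particular credential ID existing. A real deployment would also verify the attestation and assertion signatures and persist these tables in a database, which this example leaves out.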