As a longtime proponent of two-factor authentication (2FA) in a mobile world, I was distressed to get hit with two problems using 2FA on Thursday (April 4). But maybe the chance to air those two mobile-oriented problems with 2FA will do some good, if sites just pay attention.
The day started with my trying to link to an interesting mobile security story in my social feed (yes, that would soon prove ironic). The story link wouldn't work for me, with my browser telling me the site had redirected me too many times. It suggested that I clear out my cookies. That made little sense to me given the apparent problem, but I was overdue for a cookie cleanout anyway, so I gave it a shot.
It didn't help, of course. I came up with a workaround (I linked to the story's comments, which worked just fine). Next, I visited several social sites. One of my favorites — a small and little-known site — asked for my login and password. I complied, and it then escalated to 2FA. It didn't give me any options about the second factor (which is mobile 2FA problem number one) and insisted on texting me a confirmation number.
I waited but nothing arrived. So I asked it to do it again and again. Nothing. That's when I realized that the site was likely trying to text my landline. And that is mobile 2FA problem number two: If you're asking for my phone number so that you can text me someday down the road, tell me that, and I'll give you my cellphone number. Otherwise, you'll get the number I most often answer, my landline, and it will do you no good when it's really needed.
And this is where problem number one bumps up against problem number two: If texting doesn't work, users need another option, at the very least a support number to call.
But wait, there's more. I next tried to post to Google Plus. Thoughts of my recent 2FA problem flitted through my head, but I thought to myself, fear not, Google uses an excellent 2FA that doesn't rely on texting confirmation numbers. It knows that method is far too susceptible to man-in-the-middle attacks. No, for Google, I have a trusted USB fob. And when I tried logging in, it insisted on the fob. But it was just not my 2FA day; when the fob was inserted, nothing happened.
And that's when I learned that I was giving Google too much credit for being security-conscious. When Google couldn't see the fob, it just defaulted to a texted confirmation number. (It turned out that a laptop reboot made the invisible USB device visible again.)
Companies need to have a human-managed backup to security so that legitimate users aren't locked out with no way back in. If you can't justify a call center, then at least have an email address pop up — and make sure that inbox is watched aggressively.
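As an added illustration (not code from this column or from any of the sites mentioned), here is a hypothetical second-factor policy that encodes the three points above: only text a number the user declared to be a mobile, never silently downgrade from a security key to SMS when the key is not detected, and always leave a human-backed way in. The factor names and the strength ranking are assumptions made for the example.

```python
from dataclasses import dataclass

# Factor names and strength ranking are assumptions for this illustration,
# not any site's real configuration.
SECURITY_KEY, TOTP, BACKUP_CODE, SMS, HUMAN = (
    "security_key", "totp", "backup_code", "sms", "human_recovery")
STRENGTH = {SECURITY_KEY: 3, TOTP: 2, BACKUP_CODE: 2, SMS: 1}


@dataclass
class Enrolment:
    factors: frozenset           # second factors the user has set up
    phone_kind: str = "unknown"  # "mobile", "landline" or "unknown", asked at enrolment


def second_factor_plan(enrolment, unavailable=frozenset()):
    """Decide what to do at the second-factor step.

    Returns (auto, offered):
      auto    - the single factor to challenge without asking, or None
      offered - every factor the user may pick instead, strongest first,
                always ending with a human-backed recovery path
    """
    usable = []
    for f in sorted(enrolment.factors, key=lambda f: -STRENGTH[f]):
        if f in unavailable:
            continue
        # Texting only makes sense if the stored number was declared a mobile.
        if f == SMS and enrolment.phone_kind != "mobile":
            continue
        usable.append(f)
    strongest = max(enrolment.factors, key=STRENGTH.get, default=None)
    # Challenge automatically only with the strongest enrolled factor.
    # If that one is missing (key not detected), never quietly downgrade
    # to a weaker one: present the choice to the user instead.
    auto = usable[0] if usable and usable[0] == strongest else None
    return auto, usable + [HUMAN]
```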
Also, text messaging is simply too insecure to continue having a role in 2FA. Note to handset manufacturers: How about shipping phones with fobs that can perform physical authentication? USB is not ideal, but if that's your route, include an adapter if necessary. Phone manufacturers have the ability — all on their own — to start enabling users to properly authenticate themselves.
2FA is a good idea, but companies need to think through these issues better. For starters, if you want a mobile phone number, just say so.