Two Factor Authentication (2FA) general discussion

If one is wary of phishing attacks and uses unique strong passwords for each website (thanks to 1Password!!), how important is it to 'upgrade' to 2FA? I take great care with my online security, have never been hacked (I think) and find 2FA a right royal pain in the neck.

Reading online I see that the weight of opinion seems to be pointing towards 2FA. A John Hopkins report states that 2/3 of people are using 2FA. But I am the only one of my off-line group who have ever even heard of 2FA.

Since 1Password has made greater security simpler to use their mission, I thought I might ask your community their opinion.

What is your opinion of 2FA and with good password practice, is it really necessary?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Thank you XIII. Reading above link, (and most of the thread) which is a little over my head, it seems to me that 2FA / MFA isn't actually an upgrade in security for most applications.

  • brentybrenty

    Team Member

    @sguinness: Indeed, it really depends on the context and implementation. It definitely has its uses though, and perhaps one day it will have a larger role with 1Password.

    I also wanted to address a couple of your other comments. I suspect that the "2/3" figure includes people who have no idea they're using 2FA (insecure SMS is common with consumer banks, at least in the US). But I wouldn't ever argue that 2FA solutions make things simpler for most users. Even with the lowest-common-denominator implementations it's easy to get stuck — for example, changing your phone number and no longer being able to receive the code. Certainly there are other, much more secure solutions, but they're much more techie and can be confusing.

  • Thank you @brenty. Yes, my bank app has some sort of authenticator module, and also uses SMS. It is not these applications that bother me so much as one time passwords for email or social media, for example. With 3 or 4 email accounts spread over 3 or 4 devices, perhaps running different email clients, the extra work and endless possibilities for confusion make, for me, the protocol too heavy.

    More and more, mobile apps are offering TouchID / fingerprint sensor log-ons. In most cases this is to replace passwords rather than add another factor of authentication. If services wish to implement 2FA are they missing a gift? The link above suggests 2 types of factor, eg something you have, and something you are (fingerprint and password, respectively). Why not use fingerprint ID as a second factor, rather than replace the first?

  • brentybrenty

    Team Member

    @sguinness: To be clear, I wasn't trying to imply that you were among those using a form of multifactor authentication unknowingly. You probably wouldn't be here in this discussion in that case. ;)

    You're right. Regardless of whether or not the security implementation is sound, it's definitely burdensome to some extent to use (and potentially lose) some sort of second factor.

    You bring up a great point about fingerprint sensors too. These are incredibly convenient, but currently are used mainly as a surrogate for a password, though not a replacement. While I've had great experiences with Touch ID and Nexus Imprint, since they aren't always accurate or accessible (and one could potentially run into serious trouble in the case of an accident) it's hard to put them in a position where they're truly required, either as the sole form of authentication or as a second. And that's to say nothing about what could happen if your fingerprint were to be compromised. Strictly speaking, it probably already is if you've ever been fingerprinted. It's out there somewhere. I have been both when applying for government verification for travel and also when entering other countries (and my own). So while biometrics can be convenient and secure in many ways, a long, strong, unique password is really the only truly secure option, since no one has that unless we give it to them.

This discussion has been closed.