Where Two-Factor Authentication Falls Short
Web designers are constantly bombarded with security advice. We’re informed about best practices, security holes and their requisite patches. It’s enough to make your head spin.
Of course, this is all important and well-meaning. Online security is a constantly moving target, where even the biggest players are susceptible. Therefore, it’s up to us to keep up with the latest developments.
Two-factor authentication (2FA) has been among the most touted technologies for keeping online accounts safe. You see it being implemented everywhere from banking to social media. And it can be easily installed on your own website as well.
While 2FA can be effective at thwarting unauthorized access to our accounts, it has some potentially major drawbacks as well. Recently, I experienced this firsthand. The following is a look at what happened and the mess it helped create.
Different Implementations Across Providers – With One Common Thread
Like just about every other technology, two-factor authentication can be implemented in a number of ways. Users might authenticate via an SMS message, email or a verification code from an app such as Google Authenticator. They might also select a trusted photo that displays with each login, ensuring that they’re not on a phishing site.
Sometimes a service provider will give you a choice. But quite often you’re stuck with whatever method they offer. The more accounts you protect via 2FA, the more complicated this all becomes.
For example, lots of places send SMS messages to your phone. But some will instead require an authenticator app. Still others will have a different take. The challenge is in trying to keep track of who uses what technology and making sure you have the right tools on hand.
But it seems that most methods do have a single commonality: they rely on your mobile device to work. That sure is convenient. Still, what if something happens to that device?
A Failed Phone Leads to Chaos
This is the situation I found myself in, as the mobile data connection on my Android phone went haywire. Text messages were being delayed by hours or not being delivered at all. A family member residing in the same house and on the same network received their messages just fine. That led me to believe this was some sort of hardware failure.
As one does in this predicament, I tried a number of remedies. This included the dreaded “nuclear option” of factory resetting my phone. It’s worth a try, right?
The trouble here was twofold. First, it didn’t fix the text messaging issue. Even worse, it logged me out of all my various accounts. Google, Facebook, Twitter, etc. were all nuked. Maybe that’s better for my mental health, but probably not so good for work/play.
Attempting to log back into each of these accounts was not so easy. Why? Because of 2FA, of course.
Google was especially tough, as the only two options it gave me were tied to my phone. It wanted to send me a text – but that wasn’t going to work. And they also allowed for a Google Authenticator code. This would have been great, but it required me to be logged into my Google account in order to, you know, gain access to the code.
The solution was to finally boot up my desktop computer and temporarily turn off 2FA for Google (they really didn’t like this). Sweet relief, I got my Gmail back.
For even more fun, I had to repeat a similar process with several other accounts. Ironically, I can’t access my online banking via my desktop, as it relies on SMS verification. I can, however, get to it on my phone because there’s no such requirement. Just thinking about this puts me into a cold sweat.
Of course, my situation isn’t unique. Anyone without access to their mobile device could easily be in the same boat.
The frustrations associated with 2FA can be useful as a teachable moment. Those of us who build websites for a living pat ourselves on the back for increasing security – and rightly so. But implementing this technology in and of itself is not the end of our mission.
Instead, it takes some serious thought. Here are a few things to keep in mind before adding two-factor authentication to your website:
2FA Doesn’t Necessarily Need to Be a Requirement
It’s tempting to force users into utilizing two-factor authentication. And in certain high-risk circumstances this makes sense.
But for most sites, you may consider going with stringent password requirements instead. For example, if you’re running a membership site that doesn’t contain anything secretive, 2FA could be optional. But perhaps you ask users to change passwords every six months.
It’s slightly less hassle for users and hopefully less support work for you. And don’t forget about accessibility. Despite assumptions, not everyone has access to multiple devices.
While it may be difficult from a maintenance standpoint, offering more than a single method of 2FA could be beneficial. Users can choose the flavor that works best for them. Or, in a pinch, they could even change what they’re using should their mobile device become unavailable.
Short of that, at least offer an easy way for people to contact you if they run into problems. It’s incredibly frustrating when you can’t access your account and there’s no one there to help.
Expect Some Challenges
It’s possible to do everything right and still run into users who have login troubles. For instance, some 2FA implementations offer one-time use backup codes. They’re great for times when your chosen authentication method isn’t working.
However, not everyone is going to take the time to save or print these codes (I sure didn’t). Therefore, it’s important to prepare for the inevitable issues that will occur.
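Two of the suggestions above, offering more than one enrolled method so a user can switch when their phone is unavailable, and issuing single-use backup codes, come down to a small amount of careful server-side state. The following is an added example, not code from the article, sketching that state in plain Python: an account holds several enrolled factors, each with its own `check` method, backup codes are stored only as salted hashes and are deleted the moment they are redeemed, and a code delivered by SMS or email expires, allows a handful of guesses, and is consumed on first success. The class and method names are this example's own assumptions, and no real messaging service is called.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Alphabet without easily confused characters (0/O, 1/l/I) so printed codes survive being typed back.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def _hash_code(salt: bytes, code: str) -> bytes:
    # Codes are short but random (about 49 bits for 10 characters), so a salted SHA-256 keeps a
    # leaked table from revealing them; a user-chosen password would need a slow hash instead.
    return hashlib.sha256(salt + code.encode("utf-8")).digest()


@dataclass
class BackupCodes:
    """Printable one-time codes for when the primary method is unavailable. Only hashes are stored."""
    salt: bytes
    hashes: list = field(default_factory=list)

    @classmethod
    def generate(cls, count: int = 10, length: int = 10):
        """Returns (stored state, plaintext codes). Show the plaintext to the user once, then discard it."""
        salt = secrets.token_bytes(16)
        codes = ["".join(secrets.choice(CODE_ALPHABET) for _ in range(length)) for _ in range(count)]
        return cls(salt, [_hash_code(salt, c) for c in codes]), codes

    def remaining(self) -> int:
        """How many codes are left; warn the user and offer regeneration when this gets low."""
        return len(self.hashes)

    def check(self, submitted: str, now: float = 0.0) -> bool:
        """Single use: the matching hash is deleted so the same code cannot be replayed. `now` is unused."""
        digest = _hash_code(self.salt, submitted.strip().lower().replace("-", ""))
        for i, stored in enumerate(self.hashes):
            if hmac.compare_digest(stored, digest):
                del self.hashes[i]
                return True
        return False


@dataclass
class DeliveredCode:
    """A 6-digit code sent out of band (SMS or email): short-lived, few guesses, used once."""
    salt: bytes
    code_hash: bytes
    expires_at: float
    attempts_left: int = 5
    consumed: bool = False

    @classmethod
    def issue(cls, now: float, ttl_seconds: int = 300):
        """Returns (stored state, plaintext code); the plaintext goes to the messaging provider."""
        code = "".join(secrets.choice("0123456789") for _ in range(6))
        salt = secrets.token_bytes(16)
        return cls(salt, _hash_code(salt, code), now + ttl_seconds), code

    def check(self, submitted: str, now: float) -> bool:
        if self.consumed or now > self.expires_at or self.attempts_left <= 0:
            return False
        self.attempts_left -= 1  # every guess, right or wrong, costs an attempt
        ok = hmac.compare_digest(self.code_hash, _hash_code(self.salt, submitted.strip()))
        if ok:
            self.consumed = True
        return ok


@dataclass
class Account:
    """An account may have several second factors enrolled; the user picks one at login."""
    enrolled: dict = field(default_factory=dict)  # method name -> object with .check(submitted, now)

    def available_methods(self) -> list:
        """What the login page can offer this user, so they can pick whichever still works."""
        return sorted(self.enrolled)

    def verify_second_factor(self, method: str, submitted: str, now: float) -> bool:
        factor = self.enrolled.get(method)
        if factor is None:
            return False  # never silently fall back to a method the user did not enrol
        return factor.check(submitted, now)
```

Because every factor exposes the same `check(submitted, now)` interface, adding another method (a TOTP verifier, a hardware key) is a matter of enrolling one more object rather than rewriting the login flow, which is what makes "choose the flavor that works best for them" practical to support.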
Two-Factor Authentication Is Helpful, but Far from Perfect
All told, there are a lot of reasons to like 2FA. It can be fairly simple to implement and it helps prevent unauthorized access to user data. And there are a number of different methods available.
It’s not without its shortcomings, though. As I found out, a wonky phone can cause a lot of problems. The inability to log into your most important accounts puts your life at a standstill. Imagine not being able to access your bank account or even your cell phone provider.
So, by all means, add two-factor authentication to your websites and apps. But plan ahead and try to make the process painless for users. You can expect a more secure environment – just don’t expect miracles.