Disclaimer: I am an IT professional. I dabble in security. I am NOT a security expert by any stretch of the imagination. I am platform and OS agnostic. I use PC/Mac/Arm/Motorola. I run Linux/Unix/*BSD/Windows */Mac OS */Android/iOS/Other. I work in an industry that is paranoid about security… sometimes for very good reason. Sometimes just to prove they can force others to do so.
So. I have had 2 factor authentication touted as the security answer to everything for… almost 3 years now. I’ve been told
- “It is easy, just one extra step.”
- “It is FAR more secure.”
- “You’ll barely notice it is there…”
I’ve also been told a lot about password security…
- Never use the same password in more than one place.
- Never use the same password twice.
- Never write your password down.
- Never share your password, EVER.
- Always make the password long; use letters, numbers, and symbols. If possible, make it a sentence.
- Change your passwords frequently.
Ok… so where does this leave a person who is TRYING to follow the security guidelines? Well, it leaves you in a password and authentication nightmare. The only way one can be on the internet and on more than just a few sites is to keep a list of passwords… a huge security no-no! The only other alternative is a password manager… Well, that has its own password AND (in most cases) 2 factor authentication. So, for all of you IT administrators, here is what it would look like for a NORMAL person to log into a system that is EASY:
- Sit down at my PC and boot up… hope for no BIOS password.
- Get to the login screen. Remember the correct login. Am I at work? Home? School? Other? Ok, I remembered that password. You can’t use a password manager here, you haven’t even gotten into your system yet.
- Ok, I’m into my system. Let’s fire up my web-based Microsoft email… wait… I need my password manager first.
- Open password manager, remember password… Wait… it needs 2 factor authentication. Crap, where is my phone… is it at my desk? In my car? In my coat pocket? Charging in the docking station? Hmm…
- So, I grab my phone… Crap, what was my password? (I’ve been told not to use biometrics, like fingerprints, for passwords… biometrics can be taken without one’s consent by criminals or law enforcement.) Then I log in. Where is my 2 factor app… or where is the text that authenticates… either way I’m hunting and waiting.
- Ah-ha! Found it. Gotta wait just a second or two, it is about to expire… ok, here is the code, let me type… ok, got the code and enter.
- Wow I’ve opened my password manager.
- Ok, back to checking my mail, go to the Microsoft website… put in the credentials for my email… Voilà, I’m in! Wait… no I’m not. It needs two factor authentication because the policy for this group requires it… Ok, where is my phone again?
- Found my phone but it is locked again… unlock… where is the two factor app for this program… ah, here it is. Ok, let’s type it… crap, I must have typed it wrong… ugh, now I have to do it again… Got it.
- Yay! I can open my email.
- Huh… my boss just sent me a link to site xyz… ok, let me log in and get what they wanted… wait, I need to sign up? Geez. Ok.
- Enter my email, information, blah blah blah… Go!
- Wait for confirmation email… Done. Account activated…
- Doh… I have to set up 2 factor authentication?!? Really?! Ok… what app do I need to use? Or do I need to use my phone number?
- Install app (and take a picture…?), or confirm phone number… done!
- Attempt to login to site… username… password… wait… authentication code… done.
- Alright… good to go.
I didn’t mention anything about file encryption, transfer protocols, physical security, or network security… That just adds layers on top of this.
This whole system is predicated on me NOT losing my phone, or phone number. So… if I forget to PAY for my phone bill, anything sent by text I lose access to. If I lose my phone, anything by 2 factor app (or text) I’m screwed. Most sites offer this wonderful option of allowing several ways to authenticate… text OR email OR app. Well, that is great unless I’ve lost my phone… because then I can’t get to my email, or my text, or an app. Because my email requires 2 factor authentication… I can’t get texts, and my apps would be gone. Huh… Did anyone really think this through?
This whole system is also based on the concept that I am the ONLY person who has access to my phone… a very dangerous assumption. Do any of you readers have kids? Or family members who needed access to your phone? Hmm…
I can say from personal experience. Last year I temporarily “lost” my phone for about 3 days. I was unable to access ANYTHING, it crippled my work and personal life. It took quite a while to straighten out. I was lucky. VERY lucky.
So my message to programmers (of which I’m one) or administrators: there has to be a better way. This is awful for a normal person, this is awful for me. No wonder people don’t follow security guidelines and write passwords down, and use the same or remarkably similar passwords over again…
My message to users: make sure you print up verification codes AHEAD of time. Once you are locked out it is too late. But then again, that is about the same as writing your password on a piece of paper, isn’t it? So aren’t we back at the beginning? Bad security? I guess there is no way around it, is there?
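As an added example (not code from the original post), here is how a site could issue the recovery codes the paragraph above suggests printing ahead of time: random, single-use codes that the server keeps only as salted hashes. The record layout and the normalisation rules are assumptions for illustration, not any particular site's implementation.

```python
import hashlib
import hmac
import os
import secrets

# Constructed demo of the "print recovery codes ahead of time" mitigation
# (assumed design, not a specific site's implementation):
#   - codes are random and shown to the user exactly once,
#   - the server stores only salted hashes, so a database leak does not
#     yield usable codes,
#   - each code works once and is burned after use.

# No 0/O/1/l/i look-alikes, so a code typed off paper is less error-prone.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_codes(n=10, length=10):
    """Return n human-typable codes such as 'k7mp2-x9qrt'."""
    codes = []
    for _ in range(n):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        codes.append(raw[:5] + "-" + raw[5:])
    return codes


def _hash(code, salt):
    # Accept the code with or without the dash/spaces and in any case.
    norm = code.replace("-", "").replace(" ", "").lower()
    return hashlib.pbkdf2_hmac("sha256", norm.encode(), salt, 100_000)


def store_codes(codes):
    """Server-side record: one salt per account, a hash per code, used flags."""
    salt = os.urandom(16)
    return {"salt": salt,
            "hashes": [_hash(c, salt) for c in codes],
            "used": [False] * len(codes)}


def redeem_code(record, attempt):
    """Return True if attempt matches an unused code, and burn that code."""
    h = _hash(attempt, record["salt"])
    for i, stored in enumerate(record["hashes"]):
        if hmac.compare_digest(h, stored) and not record["used"][i]:
            record["used"][i] = True
            return True
    return False


def remaining(record):
    """How many codes the user still has left (useful for a 'regenerate' nudge)."""
    return record["used"].count(False)
```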
Well good luck, be you a user or an admin. I do not envy either of you. I’m making my own way.