Reply to post: Resilience

How to make people sit up and use 2-factor auth: Show 'em a vid reusing a toothbrush to scrub a toilet – then compare it to password reuse

Norman Nescio Silver badge

Resilience

2FA is great in principle.

In practice it is not the use of 2FA that is the problem, it is the ancillary activities, for example:

1) How do you ensure you have a trustworthy 2FA device? What process should you follow in obtaining one to ensure it isn't bogus, loaded with hacked firmware, has a borked RNG etc?

2) Once you have a 2FA device, what do you do if it breaks, gets lost, or malfunctions. How do you know it is malfunctioning?

People pretty much know what to do with passwords, but the understanding around the use of 2FA devices is far less prevalent. It's just another electronic doodad that can break, or get lost. Should you let someone else have possession of it temporarily? Can you safely send it in the post to someone? Can two people share one? None of these are questions that security professionals have a problem with, but your average end user generally has a far better understanding of the issues surrounding passwords than they do of the (potential) issues surrounding multi-factor authentication.

The fun starts when your vague and slightly forgetful relative puts their security token through the washing machine for the third time in six months and can't pay their bills until the bank supplies a new one. Or, perhaps they've encrypted some important documents and the decryption key was stored with no backup on a device that has just failed (because it went through the W/M, again). At least passwords are easy to copy and the copy can be put in an envelope and stored in your lawyer's safe, or a bank safety deposit box. I have enough trouble with someone who has no familiarity with technology, and for the life of them cannot remember the difference between the Windows logon password, the WiFi password for their home network, and their GMail password. I will need an entire pantheon of divine helpers if they are ever forced to use multi-factor authentication. It is absolutely no surprise that the take-up of multi-factor authentication is so low.
