Knowing that their systems and networks can never be guaranteed to be secure from hackers, invaders, and malicious actors, IT administrators are pushing the onus onto the user. So let’s talk about the two-step authentication (2FA) identity security illusion.
In a nutshell, a very possible, even probable, sequence of events:
- You accidentally leave your cell phone at the coffee shop
- Joe Shmoe retrieves your cell phone before you even realized it was gone
- JS is now miles away reviewing his new cell phone options
- JS clicks on your bank app which is set up with your saved login and password
- Your bank wants to verify it’s really you via 2FA, so JS agrees to receive a text code
- Your bank then texts JS with the access code, warning it’s only good for 10 minutes
- JS types in the code he receives as you (as far as your bank is concerned) on your phone
- JS then reviews your entire bank account, choosing available options in your bank app.
It’s simply no deeper than that. Apply the same scenario to your email app, your university account, anything on your phone that is set up for automated access. 2FA does little to nothing to deter improper account access, even by a total stranger.
Now, consider this. Someone at the facility put that required 2FA in place for thousands of users, illusion or not. Why? Because that IT administrator knows they cannot prevent illicit behavior and is throwing the ultimate responsibility back on the user. Why is that a problem? Because the user has deliberately set up the phone for personal account access on their preferred apps to ease their user experience. But 2FA disrupts that ease. The phone owner must now accept the text code, type it in, and later delete the text message(s). In the course of a day, even an hour, this adds up.
What did the phone user gain from the process? Wasted extra steps in a system that the IT administrator requires, so that when the phone is lost or stolen, and a thief has gained access, it’s ultimately the original phone owner at fault for having saved logins and passwords on their phone. The careless user is to blame.
Bottom line is, you can’t blame the IT department if a stranger gets access to your saved phone accounts. They did their part in creating the illusion that 2FA has value by requiring the account holder to accept it, even believe in it, in order to gain access. When, in reality, 2FA has no user benefit; rather, it creates an extra, unnecessary burden on the user, security work that the IT people don’t want to do. Here’s the skinny: if your phone is lost or stolen, a thief will gain access to the accounts saved on it whether 2FA is required or not.
2FA says it wants to verify that it’s you, that’s its core purported value: identity authentication. Yet, that’s nonsense, an outright lie that’s spreading universally. 2FA wants to verify that it’s your phone. It has nothing to do with whether you’re the one holding it when access is requested and, through so-called security factor 2FA, easily granted. Chances are, if it’s your phone, as 2FA verifies, you are probably with it. That’s the plan.
But it doesn’t end there. Actually, let’s go back to where it begins: the decision to implement 2FA. Technically, what does 2FA do, imply, suggest, or infer? That YOU, specifically, usually, and thereby identifiably, are within inches of your phone. So it’s actually a geo-location factor built inherently into a new, required access process.
You, at the moment you receive your 2FA code to access your account through your phone app, can only do so while at the specific location from which the code was requested and/or received, give or take maybe 10 minutes. While the same holds true for a thief, that’s not its intended value. Its intended value is to know exactly where YOU specifically are on the planet when YOU want to gain access to your valuable account.
Yet, we would not be remiss to think of 2FA as punishment. The account holder is punished for not letting the account have 24/7 access like it wants in order to steadily monitor and track the user. Sure, some apps time out. But that’s just to see if we’re still there, where we are/were, or if it needs to update the database, because inactivity means we could be on the move. So rather than suffer the gross inconvenience of dealing with 2FA on account logins set up for ease of access, the user is nagged until they eventually give in, and decide to just always leave the app on.
In all these scenarios, 2FA wins and the user loses: privacy, security, anonymity. So, who exactly might want to be uninterruptedly processing all our smartphone information…? Most likely, without government regulation. And why…?
UPDATE: So here’s the deal. My issue noted above mainly has to do with my university’s new process. But now my bank is insisting, even when 2FA is turned off, that I comply with a text message to access the account. At the end of the call, the representative finally laid out what the issue is: Don’t I have face or fingerprint identity activated? Oh, and irony of ironies…though we are witnessing the bold execution of irony…at the start of that phone call a prerecorded voice said my call was being both recorded and monitored, and did I wish for the convenience of making a voice identification recording that would be used to identify me down the road? Face, voice, fingerprint. It’s not a future gig, it’s the future already here.
So that’s the ‘why’ noted above. It’s a push to get you and me and the rest of the planet into identifiable databases by face and fingerprint and voice, the three merging no doubt, in order to access our personal, private data; and, of course, to more concretely identify our online activities. As the future unfolds into today, unwillingness to agree to being identified by face and/or fingerprint and/or voice on your electronic device will mean no access. And they’ll tell you that…in the name of security, never mind security trumping privacy as a matter unto itself that will result in global compliance someday…there’s absolutely nothing they can do about it…You must, and will, comply in order to participate as required.