Why bother with Two Factor Authentication?

Good ol’ Correct Horse Battery Staple

Randomly generated passwords, son

I was recently forced to use Two Factor Authentication (TFA) for university with a phone as the authenticating device. They’ve been pushing TFA for several months but made it mandatory just in the last few weeks.

Using TFA feels like an impediment. I already have a strong password and am aware of social engineering tricks. Forcing me to use my phone every time (or once a week) to log in to a service that I need often gets in the way. Sure, some people benefit from more security nets, but was a full mandate necessary?

While TFA/MFA can certainly offer significant security redundancies, there is a more efficient method that also trains you to practice good security. No secondary device or super long password memorization is needed.

Use a password manager

These are exactly what they sound like. Password managers store passwords in an encrypted database that is locked by a ‘master password’ you create. Instead of memorizing passwords for each website, you just remember one master password to access everything.

Password managers solve the biggest problem with online accounts: reusing passwords with at least one upper case letter, numbers, and symbols. vegetable and Veg3T4b!E are similar to computers, but the latter is much harder for humans to remember. Let your computer make better passwords and remember them for you.

I use KeePassXC. It’s FOSS, cross-platform compatible, and has a handy browser autofill plugin. KeePassXC generates passwords with random characters of any length. Here are some examples (not actual passwords):

f!}N(c)"u]!O,75u8^{iXN3=i/C]#r

I¤kq»»3)õcóyЯæ4¶÷vÇYyrcÅç%&#ó@Ö¨-¿O±xQ¢

CN1CF3OzYYL66AShm2a22RifQTNwA9mfxR63gXblgDNyrXKmIX

The length and randomness mean that practically nothing can crack these. Instead of memorizing these passwords, you just copy and paste them into a login prompt. And the best part is: every account has a unique password. No two accounts share a password, which means that a compromised account doesn’t put other ones at risk.

Avoid online password managers

If you go around searching for password managers, you’ll likely run into online services like LastPass or BitWarden. Avoid these.

Just think about it for a moment. Out of all online services that store information, do you really want a collection of all your passwords on someone else’s server? LastPass has had several service breaches and urged customers to change their master passwords. Password managing companies are prime targets to hackers and are always under attack. Unless you know what you’re doing, keep your passwords offline where all liabilities fall on you.

Don’t fall for social engineering

Social engineering is the act of manipulating someone to give up sensitive information. It’s also known as phishing attacks. For instance, here’s an email I get on my university email account once a week or two.

Poorly written phishing attempt

Wow, why would anyone fall for this? It obviously looks fake

Here are the flaws of this email from a phishing perspective:

  1. The sender was not someone recognizable, like IT staff
  2. Very poor grammar and no persuasiveness
  3. The link does not look legitimate
  4. Doesn’t make sense. What does closing older mailboxes have to do with your current account? What does it even mean?

If you click the link and fill in your password, you become the victim of a phishing attack. This one is a poor example; hardly anyone would fall for these scams. However, at least one person always falls victim, and that one success is enough for the attackers. Otherwise I wouldn’t be seeing these emails every other week.

If you think the email above is easy, try the one below. I made it up, but it is based on phishing messages I have received before.

Decent SMS phishing attempt

This is a more targeted attack used against targets with some known information. Here’s how this message tries to attack:

  1. Proper grammar and wording
  2. The sender identifies themselves as an established, significant authority
  3. It looks real; a bank used by the target and matching card number digits
  4. Instills a sense of panic and urgency
  5. The link may look legitimate to someone unfamiliar

There are much more targeted and realistic phishing attacks than this. Some attackers can meticulously imitate emails from companies. Some spoof identities so it’s hard to tell they’re impostors. Some will find information about you to launch a very targeted attack.

The best tool against social engineering is logic and skepticism. Obviously, never blindly click or download anything you received online. Always question what could be happening. If an attacker is impersonating your bank, would the bank really communicate via SMS? The bank might state that they never ask for credentials, or they communicate urgent matters through email. Why not give them a call to check if you really have been compromised?

Some people need MFA

While I am against making MFA mandatory, it does benefit some people. Uncrackable passwords cannot save some people from voluntarily exposing their credentials, and MFA is the best defence for them. Implementing it should help reduce the overall number of compromised accounts.

But for the people that can use a bit of logic, MFA can mostly be replaced by password managers. Just use unique and strong, randomly generated passwords for each account and your risk of being compromised is instantly lowered. The rest depends on your ability to detect scams.