Two passwords are always better than one

Two-factor authentication adoption rates are low. Is it because cybersecurity experts are making the perfect the enemy of the good?



A few weeks ago I took an Uber home from the airport only to get stuck in standstill San Francisco traffic for an hour and a half in the middle of the afternoon. When it was clear that we weren’t going to be moving for a while, my driver and I engaged in casual chit-chat about the usual things: politics, weather, the apps on our phones, and work.

“I’m sure you work in tech, everyone does,” he said. “So which part of it are you in?”

Never one to miss the opportunity to bring up online safety, I replied that I worked in security. Cybersecurity. A bunch of my friends and colleagues are white hat hackers, and we are all about protecting people on the internet.

“Whoa, are you, like... are you a hacker? This is great! I have so many things I have always wanted to ask someone about. You can’t actually break into my phone right now, right?”

Traffic wasn’t going to move anytime soon, so I pulled out my iPad to demo some of the tools and tactics that he’d need to use to improve his security, including two-factor authentication, a simple setting that can be enabled on many apps so that more than just a password is required to sign into an account. By the time traffic started moving again, he had downloaded and practiced using every tool on his personal phone, and he couldn’t wait to go home and tell his wife all about it.

For me, it was a rare win: I teach people about online security all of the time, but I don’t always get to see proof that they’ve adopted better security habits. When I took to Twitter to share what had happened with my fellow security practitioners, the initial response was positive. But I made one significant mistake. I brought up security’s favorite whipping boy, and all hell eventually broke loose.

“Two-factor authentication is security theater. It doesn’t do anything.”

“Two factor authentication makes you less secure than using a password alone.”

“Teaching people about two-factor authentication is security malpractice. You’re harming them.”

“People are too stupid to use it to protect themselves. Why should we even bother?”

As a security expert, you feel an obligation to help people stay safe online, but you’re keenly aware that there is a balance between security and convenience. No solution is perfect, but incremental solutions do make a huge difference. Helping a family member choose a strong password is often more productive than trying to get them to use something like PGP, which is more comprehensive but so complicated that they’ll never want to use it.

Lately, this making-the-perfect-the-enemy-of-the-good argument has flared up around two-factor authentication. The idea is that requiring two things — such as a password and a temporary PIN — in order to log in will be more secure than one.

In 2013, tech companies including Apple, Google, and Twitter began rolling out the option to turn on two-factor authentication. This was prompted by a series of high profile incidents: tech reporter Mat Honan’s entire online life had been erased by a teenage hacker and hackers had guessed the passwords of female celebrities, collected their intimate photos, and released them online. According to the digital civil rights group Electronic Frontier Foundation, “two-factor authentication (or 2FA) is one of the biggest-bang-for-your-buck ways to improve the security of your online accounts. Luckily, it's becoming much more common across the web.” Two-factor authentication could have prevented many of the cyberattacks that hit the news, including the Anthem breach that affected 80 million people, and the theft and dump of campaign chair John Podesta’s emails by politically-motivated hackers who sought to discredit Hillary Clinton’s campaign before Election Day.

For all of its success and potential to stop major attacks on high-profile individuals and corporations, however, consumer adoption rates for two-factor authentication are abysmal across the entire web. Most tech companies do not publicly release their numbers, but a recent report from Duo Security found that only 28 percent of consumers in North America had ever used two-factor authentication.

So why isn’t the security community rallying together to get every app to implement two-factor and implore every user to turn it on? Well, because there are some scenarios where two-factor doesn’t work. This fact has infosec purists dead set against recommending it, even if on the whole it would do good.

The weakest form of two-factor delivers a PIN via text message, also known as SMS or Short Messaging Service message. This is also the most common form of two-factor, used by everyone from Google to Venmo. Vulnerabilities in any of the protocols that deliver texts to your phone — such as SS7, a signaling transport protocol responsible for phone number portability — can potentially be exploited.

Even though the presence of this vulnerability makes two-factor using SMS less secure, especially for high-risk targets, it is a significant improvement in security for the average person to use to protect their accounts. And in the presence of a weak or reused password, a weakened version of two-factor that is intrinsically difficult to exploit is better than having nothing at all as an extra layer of defense.

In an industry where every conversation turns into a discussion about how it is never possible for anything or anyone to be 100 percent secure, the problem with getting two-factor authentication into the hands of the average user isn’t the technology itself, it is the inherent nihilism in cybersecurity. Mentions of two-factor authentication on social media invite a Greek chorus of, “Well, actually…” followed by intense objections based on theoretical attacks and shaky reasoning that have no real-world impact.

Presentations and trainings about its benefits are treated as opportunities to ask “questions” that are little more than thinly-veiled attempts to point out perceived flaws to undermine both the technology and the speaker’s expertise. Any time facts and user data are used to strengthen an argument for two-factor authentication, detractors see it as a challenge.

If this behavior stayed within the echo chambers of social media and conferences, it could be easily ignored and discounted. But it doesn’t. Many of the people who actively argue against two-factor authentication are security professionals in charge of protecting people who work for their company or who use their software. When two-factor authentication is presented as an option to improve security, nihilists are the first to argue that it is “too complex” for users to understand, or that it would be a waste of time and resources because it doesn’t go far enough to protect people from every threat out there on the internet. This behavior is one of the reasons that many consumer websites and apps do not offer any form of two-factor authentication: Many of the people who should be working to protect consumers often advocate against their best interests.

Instead of celebrating incremental progress and improvements as small but important victories in the battle to protect people online, significant parts of the cybersecurity industry demand all-or-nothing solutions. Password reuse is one of the biggest privacy and security threats facing the web, and few tools exist to help people create and store unique, strong passwords for the dozens of accounts they use online. Many practitioners argue that password managers are unsafe because they have software bugs that can be attacked and exploited, even though the benefits of using a password manager to do this outweigh the risk of a password manager being hacked.

When faced with the challenge of building best practices for people with different security needs than their own, many security practitioners have difficulty identifying the most common risks and threats. This art is called threat modeling, and it means thinking about who or what is most likely to threaten the user’s security; Jennifer Lawrence probably has more to worry about from Redditors with rudimentary hacking skills than the NSA, for example. Making unrealistic assumptions about the capabilities of adversaries can end up shortchanging the user. While the prospect of zero day vulnerabilities being used to attack systems may keep a few security nerds up at night, in reality, they and the people they protect are more likely to be targets of a much easier and more cost-effective social engineering attack.

By focusing on highly technical, sophisticated adversaries and building security practices meant to withstand attacks from advanced criminal groups and three-letter agencies, many security practitioners forget that the most dangerous threats are often staring them right in the face. And when these same practitioners look for potential solutions to large-scale security problems, they get caught up in minute details that have little-to-no real world impact, or champion edge cases that apply to enabling highly-specific needs of dozens of users, not billions. In the process, they completely miss the fact that some security is better than no security at all, and that using the weakest version of two-factor authentication is still a net positive for everyone. In a world filled with unrealistic and counterintuitive security advice, there’s no good way for people to figure out what’s right or wrong, especially when the top results for security advice in Google results are wrong, out of date, and all contradict one another.

The unfathomable backlash against the adoption of SMS two-factor authentication among consumers is ground zero in the cybersecurity industry’s toxic, unrealistic expectations of perfection from people and the technology they use.

It’s not the only issue where minor differences in opinion turn into massive arguments, but it is a perfect storm of constant criticism, stonewalling and contempt for users where neither side is more secure or stronger as a result of fighting it out. By engaging in it, technologists actively hurt the people they should be protecting from harm.

Jessy Irwin is a researcher and cybersecurity educator who teaches people to protect themselves and their data online. She last wrote for The Outline about Facebook’s idiotic solution to revenge porn.