And that’s not me trying to be edgy; I mean it. For a certain subset of the population – those who use strong and unique passwords – it is better to leave 2FA off.
First off, let’s define what implementations of two-factor authentication we’re considering, because not all 2FA are created equal.
These are the current mainstream implementations:
- SMS OTP
- Time-based OTP a.k.a. TOTP (Google Authenticator, Authy)
- Push Notification Authentication (Google Prompts, Microsoft Authenticator)
- Universal Second Factor a.k.a. U2F (YubiKey, Trezor Wallet)
We won’t be talking about U2F in this article because it requires specialized hardware and software that not everyone has access to.
We also won’t talk about Push Notification Authentication because it’s still relatively new and uncommon for non-enterprise use. Even with Google Prompts and Microsoft Authenticator, they’re only available for Google and Microsoft services – you can’t use them for 2FA with Facebook and Twitter, for example.
We’ll talk more about U2F and Push Notification Authentication in my next article. For now, let’s stick to what’s most readily available for most people: SMS OTP and TOTP.
A lot has been written about how SMS OTP is insecure, so I won’t beat that dead horse any further. What’s not often talked about is how insecure TOTP is as well. And how, if you adhere to basic security practices, you’re probably better off with both of these options turned off, even if that means you use a password as your one and only factor of authentication.
ʕ·ᴥ·ʔ: Wait, you mean to tell me that turning 2FA on could actually make my online accounts LESS secure?
Yep, that’s exactly what I mean.
Besides the obvious inconvenience of having to type a random 6-digit PIN every time you log in, all 2FA schemes bring extra complications into the authentication process that oftentimes mean less security, not more.
SMS OTP
Let’s start with the first popular 2FA scheme: SMS OTP.
If you forget your password while SMS 2FA is on, how do you reset it? Some service providers do this properly by using the email address that is associated with the account as the backup second factor of authentication. This way, if you’ve forgotten your password, you can still use SMS as one factor and email as another – still two-factor authentication.
Many service providers, however, don’t do this; they just allow you to use an SMS OTP to reset your password – one-factor authentication with an optional second factor! The password is the optional factor, while the phone is the main factor. If the service provider hashed your password when storing it on their database, you would have been better off with the password being the only factor of authentication. Nobody can steal it from you, nobody can SIM Swap it from you, you can use it when your phone is off or has no cellular signal, and even in a data breach all they’d get is the hash and not the actual password.
ʕ·ᴥ·ʔ: Okay, so the service provider has to apply some common sense when implementing password resets while 2FA is turned on, otherwise it defeats the purpose of 2FA. But if they do handle password resets properly, then wouldn’t I still be better off having 2FA than not having it?
Not necessarily. Even when the service provider handles the forgotten-password scenario right – by still requiring a second factor of authentication and using your email for that – you might still not be getting much, if any, extra security for it. Let’s say you’re in that subset of the population I was talking about in the beginning of the article.
Let’s say you:
- Use strong passwords; and
- Use a unique password for each account
Let’s further assume you’ve got a competent service provider who:
- Hashes all passwords stored on their database, and
- Implements 2FA properly, by always requiring two factors of authentication no matter the situation
In what situation would having SMS 2FA on make your important accounts safer? And I must emphasize important accounts, because nobody cares about your Twitter account unless you’re Elon Musk or Donald Trump. So that we’re on the same page, let’s say you keep some Bitcoin in a cryptocurrency exchange somewhere. In what situation would having SMS 2FA on keep your Bitcoin safe where having just a password would not?
ʕ·ᴥ·ʔ: Uh, when I log in to make a purchase from an untrusted device, like at an internet café?
So even if the untrusted device sends your username and password to a hacker, they still can’t log in to your account because they would need your OTP.
ʕ·ᴥ·ʔ: Yeah. So I’ll be safe, right?
Well, no. If you can’t trust the device to keep your password safe, can you really trust the device to not send all your Bitcoin to some hacker’s Bitcoin wallet while you’re logged in?
ʕ·ᴥ·ʔ: Oh. I guess not.
You can’t. The device could easily just tell your cryptocurrency exchange to send all your money away. It could also change any legitimate messages you send to your crypto exchange. For example, you might send a message to transfer $15 worth of Bitcoin to Shopify, but the device could change that message into:
“Send all my money to Vlad, my best Russian friend.”
ʕ·ᴥ·ʔ: But I don’t have any Russian friends named Vlad!
Well now you do.
And even if the crypto exchange were to require another OTP to authorize the transfer, you’d type it in because the device would still be telling you that you’re just transferring $15 to Shopify. Forget the username, forget the password, forget the OTP; go straight for the money!
ʕ·ᴥ·ʔ: Crap. Okay, it doesn’t help there.
It kind of does, in that the hacker can’t just steal your username and password and have all he needs, but it sure doesn’t make you bullet-proof, or even that much harder of a target. If you can’t trust the device you’re using, you can’t trust anything you do on that device. Even something as simple as logging you out might not actually be logging you out.
How about you give me another situation where you think SMS 2FA would protect you?
ʕ·ᴥ·ʔ: Uhh, when I accidentally type my login credentials into a phishing page?
If you’ve accidentally typed your login credentials into a phishing page, then you’ll probably also accidentally type your OTP into the same phishing page if it asks for it. If the hacker is there paying attention to everything happening in real time, or if the phishing page is set up to automatically log the hacker in to your account, he’s still getting access.
How about you try again?
ʕ·ᴥ·ʔ: Uhhh, when I’m getting man-in-the-middle’d?
Just like with being on a phishing page, if you’re sending your username and password to a hacker, you’re probably going to be sending him your OTP as well.
Try again.
ʕ·ᴥ·ʔ: Uh, uhh, uhhh, malware on my computer, but not on my phone!
And so the malware’s sent your login credentials off to some hacker somewhere, but they don’t have your phone and so they can’t get your OTP.
ʕ·ᴥ·ʔ: Yeah! Then I’m safe, right?
Maybe? I definitely wouldn’t use the word “safe”. Like, you could still get SIM swapped. More likely, however, the hacker can still use what he’s already got on you: malware and credentials. The hacker might perform a phone number change on your account on the grounds that the phone was stolen, using your associated email address (which they also have the credentials for, courtesy of the malware) as the second factor of authentication. Or you could connect your phone to your computer via USB and get it infected with the malware too. Or they could have the malware perform a man-in-the-middle attack the next time you try to log in to your account. Or they might just skip the login entirely by having the malware steal your session cookies to hijack an already-logged-in session. Or they could skip using their own devices and just use yours to send all your Bitcoin to their wallet the next time you try to make a purchase – it’s a trusted device that can’t be trusted! Or–
ʕಠᴥಠʔ: Crap. Okay, okay. When malware is involved, all bets are off.
Yeah. When malware is involved, it’s just like using an untrusted device; you can’t trust anything you do on it.
So even when 2FA is implemented properly, turning it on with SMS OTP adds little extra security, but lots of extra complication and inconvenience.
TOTP
Now let’s turn our attention to TOTP. In terms of usage, it’s pretty similar to SMS OTP: you have to enter a random 6-digit PIN every time you log in – still annoying. It is, however, more convenient than SMS OTP, in that you:
- Don’t need a cellular signal to get the OTP
- Don’t need to wait for the SMS to come in
- Can get the PIN from multiple devices instead of just one phone (For Windows, there’s the Authy desktop app. For Google Chrome, there’s the GAuth Authenticator Chrome extension.)
- Can create encrypted backups of your database of TOTP secrets in case you lose them, in contrast to having to get a new SIM card with the same number from your telco
In terms of security, however, I’m about to say something that might be considered controversial: it is less secure than SMS OTP.
ʕ·ᴥ·ʔ: Pffft! Well, that’s just your opinion.
No, I mean it is objectively less secure.
ʕ´•ᴥ•`ʔ
In case you don’t know, TOTP works by hashing a secret seed which is just a string of characters (kind of like a password) with the current time (kind of like salting a password) and truncating the result (turning it from a 40-character string into a 6-digit PIN). So, essentially, it’s just a second password that you salt-hash-truncate first; and then you enter it into the login page. So why do I say that it is objectively less secure? Because that secret seed – your “second” password – is stored in plaintext on your service provider’s database. They need to know exactly what your secret seed is in order to salt it with the current time, hash it with some pre-determined hash algorithm (usually SHA-1), and truncate it so that it doesn’t take you ridiculously long to type it in (‘cuz you don’t wanna’ type in 40 random characters). And then, finally, they can verify that, “Yep, you entered the right 6 digits. You’re logged in.”
So what’s so wrong with having a second password that’s stored in plaintext on somebody else’s database? Well, those databases get breached all the time. I’m not joking when I say that if you maintain basic security practices, your password manager is safer than any corporate or government database, for the simple fact that the pros aren’t targeting you. They’re too busy targeting the big fish: Google, Facebook, Microsoft, Apple, the U.S. government, etc. And when they do breach those guys’ databases, as long as your password is strong, unique, and hashed (it doesn’t even need to be salted), you can rest easy knowing that you’re still the only one in the world who knows what your password is.
But not your TOTP secret seed! That thing’s exposed. The whole internet might have access to it after the breach. And hackers can now use it as one factor of authentication in trying to break into your account.
If your service provider implements 2FA properly (by always requiring two factors of authentication no matter what), then the hackers would be halfway into breaking into your account. If your service provider doesn’t – like in the case of allowing you to reset your “forgotten password” with just the TOTP – then the hackers have everything they need to take over your account. In contrast, if you had left 2FA off, they’d have nothing either way.
ʕ º ᴥ ºʔ: And I wouldn’t have to type in any 6-digit PINs!
Yep.
ʕ º ᴥ ºʔ: Or backup my TOTP database!
That too.
ʕ º ᴥ ºʔ: I could uninstall my authenticator app!
Yeah, but that’s not a big deal.
ʕ º ᴥ ºʔ: I can even log in when I accidentally leave my phone at home!
You mean your phone ain’t constantly attached to your body?
Anyway, getting back on-track, TOTP makes you much more susceptible to data breaches, which is probably the most common way accounts get taken over. It also doesn’t protect against real-time or automated man-in-the-middle and phishing attacks. Again, if you are putting your username and password into a phishing page or through a MITM connection, you’re probably going to put your time-based OTP in there too. And though they’re not susceptible to SIM swap attacks, passwords aren’t either, and you’re already using passwords anyway.
And then there are all these inconveniences that TOTP has that passwords don’t:
- You can’t memorize the secret seed (unless you can memorize a random 32-character string)
- Even if you memorize the seed (or write it down on paper), you can’t use it without an app or some other way to hash it with the current time and truncate it, and then use it quickly
- Those 6-digit PINs sure are annoying (ʕ·ᴥ·ʔ: Yeah.)
And sure, TOTP might protect you from a non-automated and not-real-time MITM or phishing attack, but SMS OTP does that as well, without making you susceptible to the all-too-common data breach. And while SMS OTP makes you susceptible to SIM swap attacks, at least SIM swap attacks:
- Require your phone number (the right phone number; you might have more than one *wink* *wink*), and other personal info about you and account info about your phone number to impersonate you
- Require tricking your telecom into transferring your phone number to a different SIM card
- Require that the attacker target you specifically, while in a data breach the attacker can target hundreds of thousands of plaintext TOTP secret seeds of which yours is just a statistic
So really, unless you’re posting every single nitty-gritty detail about your life (and your account with your telecom) online and in public, the only advantage TOTP has over SMS OTP is that you don’t need a cellular signal to get 6-digit PINs. And you don’t tell everyone on the internet every single thing about you, right?
ʕ·ᴥ·ʔ: Nope!
Then there’s no good reason for you to use TOTP over SMS OTP, and I’ve already made my case that there’s very little to gain from using SMS OTP when you use strong and unique passwords.
Passwords are here to stay
In conclusion, passwords have been with us as the first and main form of authentication for a long time, and with good reason: they’re confidential, convenient, simple to use, and simple to implement. Yes, having so many is a pain, but I think it’s better to have lots of passwords in a password manager with encrypted backups in several locations than to have one password and be typing in OTPs all the time.
Having said that, I do think two-factor authentication can be greatly improved. In my next article, I’ll be talking about the future of 2FA: where we are now, where we’re headed, and how long we’ll take to get there. If you want to be notified when I publish new articles, enter your email address down below to be added to my mailing list. Or, if you don’t wanna’ share your email address, you can subscribe to my RSS feed linked in the site menu.