Two-factor authentication is the current gold standard of security for obvious reasons. Even if someone were to guess your password or it got leaked as part of a hack, no one can login to your account without physical access to your device. But it's still far from perfect for several other reasons, least of which is the inconvenience of setting it up and using it that prevents most from ever bothering with it.
Owing to that very inconvenience, I'd been fairly lazy with enabling two-factor wherever it was available, but that changed the day my EA Origin account was taken over, causing me to sweat profusely as I wondered if I'd ever get back access to the games that I'd spent thousands of rupees on. Since then, I've been quite proactive with two-factor on all my accounts, despite the frustrations it comes with.
For one, it stretches out the login process as you've to either wait for a login code, or open up an authenticator app to find the code. Two, since every two-factor system is not set up in the same manner, you have to juggle multiple apps as you go down the rabbit hole. Already on my iPhone, I've Authy, the Google app, Blizzard Authenticator, the Microsoft Authenticator, and the Steam app.
That's in addition to others that only support SMS or email (PlayStation, Paytm, and Indian banks, I'm looking at you), which don't work without Internet access or turn into a bother if your phone's offline, be it a network issue or when you are travelling internationally. But the much bigger annoyance by far is how easily these systems can turn on you, depending on who made them.
Take for example Snapchat, the popular ephemeral messaging app that now has over 150 million users, and has had to resist acquisition efforts from several parties owing to its massive popularity. On one hand, Snapchat's two-factor implementation seems great: it offers both SMS and app-based authentication, and you can create a recovery code if you were to ever lose your device.
But as I found out earlier this year, it's not perfect (even as it was partly my fault). Due to on-going troubles with my iPhone, which is another story in itself, I eventually gave in and reset it to factory settings. But although I took a backup, I forgot to unlink my two-factor accounts from the authenticator app I was then using, Google Authenticator. Moreover, I was lazy enough to have not created and safely stored a recovery code for Snapchat, though I did have screenshots for a few others.
As I began installing the apps I needed on my iPhone, I realised I didn't have access to any of my codes. But thankfully, most developers had foreseen this eventuality and prepared for it, allowing me to fall back on my phone number as a back-up option. Dropbox, Google, Amazon, and EA were all smart enough to do so, but, as you would've probably guessed, not Snapchat. The only way to get in was by using a recovery code, and I didn't have any.
Naturally, I reached out to Snap's support team on Twitter, hoping they'd be able to help me sort this out. After all, I still had access to my email and phone – the two things I used to register on Snapchat – and figured that would be enough to prove my identity. Alas, that wasn't to be the case. Without the recovery code, a Snap representative told me, I was all out of luck and would need to create a new account.
Ironically, in trying to keep my account more secure, I had ended up locking myself out. Who knew! Sure, it was my fault in not de-linking or writing down a recovery code, but that hadn't affected me with every other account with two-factor support. And yes, I could've also used a better authenticator in the first place – I've since moved to Authy – which synced my accounts to the cloud, and didn't maintain a local copy only, like Google Authenticator.
But it also shows how two-factor authentication can be a double-edged sword, and a poor implementation can do more harm than good. It can end up keeping out the very people that it's supposed to let in, and that can push people away from further adopting it. And that's a loss for everyone involved.
Owing to the Snapchat debacle, I stayed off the service for half a year, before giving into peer pressure during a holiday last month. More importantly, I've been more cautious while setting up two-factor on my accounts, ensuring that I would still be able to log-in if I were to land in a similar situation ever again.
And despite my sincere efforts, there are still gaping holes in the world of two-factor unfortunately, with the most obvious one involving having my phone stolen. To track it down, I'd rely on either Apple's Find my iPhone (or Google's Find my device, for Android users). If you've two-factor enabled on your Apple and Google account, you'll need a code from your phone to log into a new device to find your phone. It's a classic catch-22.
To get around that scenario, you'll need to have a trusted device, such as a computer, but if you don't have one around – the chances of which depend on where you're – you're likely to be stuck. Unless you don't use two-factor at all, in which case you'll be fine. That goes to show the inherent problems with the system, the fact that those opting for lesser security can actually be better off.
It also shows the need for a better system, though it's not clear what that would be. Accounts of old would opt for a security question, and then help you reset your password. But hacking that is mere social engineering. In an age of devices with fingerprint readers, a new way might be to allow the fingerprint as the second log-in factor, but the privacy ramifications of storing that info online would be enormous.
I certainly don't claim to have all the answers, but what my experience has taught me that two-factor authentication is great, until it's not.