When Two-Factor Auth Stops Being Two Factors

Recently I got my phone stolen at a busy bar in NYC after attending an OWASP meetup and going to hang out with a few of the fellas afterwards.

Having your phone stolen definitely makes you feel like a victim. I’m not particularly worried about any of my data because my Android phone has remote wipe, a 15-character password, encryption enabled, and a bunch of other stuff.

The following day I got my new Android phone and it was time to start installing everything all over again. This included adding some of the following:

  • Two-factor authentication apps (Authy, Google Authenticator)
  • Google accounts (business, personal, etc.)
  • Other email accounts
  • Personal banking apps
  • Productivity apps (for expense reports, time management)

I quickly noticed that all the accounts I was putting back onto my phone had two-factor authentication (as they should). But I also noticed one common theme: for every account, the second factor was my damn phone. I would add my banking app, and I would have to put in a code I received via SMS. I would add my Google account, and I would be prompted to put in my Google Authenticator token. It really made me think: is two-factor authentication still a valid scheme if my second factor is the very device I’m logging in from? To me it isn’t. What if my phone is compromised via malware? The second factor is then generated on, or delivered to, the same compromised device as the first, and its security value goes out the damn window. Don’t get me wrong, having two-factor auth on your mobile device is still better than not having it at all. But it is nowhere near as effective as it is when the phone serves as the second factor for a login made from a separate computer.

With the meteoric rise in BYOD, where employees add company and personal accounts to their mobile devices, they are being urged to use two-factor authentication. It seems to me that this is becoming more of a “security by obscurity” solution than a viable solution to the authentication problem we are faced with. I am seriously considering getting a separate device just to do two-factor authentication with, or just going back to a flip phone 🙂


