• MystikIncarnate
    3 days ago

    This is the issue with the current state of 2FA. It’s either text-driven (SMS) or it’s app-driven, like the Microsoft authenticator, as an example.

    Often “backups” overlap. Like people will use SMS as a backup to the Microsoft authenticator, when the MS authenticator is on the same device as the phone number for SMS verification.

    Real, actual, good MFA only has the problem that people don’t keep backup tokens around. If you use a FIDO2 keyfob, you really should have a second one that authenticates the same systems the same way, but stored securely away from the one you carry with you.

    In that context, backups are actually valid, because if the authenticator is on your keychain and you lose your keys, you have access via a backup on your phone (TOTP or similar).

    If you lose your phone, you still have your FIDO2 key as primary authentication.

    If you lose both, you go and retrieve your backup security key and use that.

    It becomes much more difficult to lose access if you’re aware of the limitations of the systems you use. For me: I use a password manager; for login I have biometrics from my PC, biometrics from my laptop, two security key fobs, and a backup TOTP code stashed away. I also got recovery codes and sent them securely to a trusted friend.

    The only things not using a password from my password manager are my main email, which is used as a backup/recovery email for most services, my password manager itself, and my primary bank. For all of these I use unique, memorized passwords that are not short. Any service that can use MFA has MFA set up, with the only exception being those that only support SMS as MFA. Fuck that. If FIDO keys are allowed, then I set those up. If not, I use TOTP.

    The TOTP keys are backed up and stored securely in an online system built for security for this kind of data.

    I have contingencies on contingencies for my own access, but many people don’t even have one, or even a plan on what to do if things go sideways.

    It’s a phenomenon I’ve noticed a lot; it’s like rose-colored glasses for getting things set up. People like to see how it works and get everything operational and happy, with absolutely no thought towards what happens when it fails. How will it fail, and what will we do when it does? How do we recover? How do we continue to operate until everything can be put back together?

    They see it’s fancy and works for them, and they’re super secure because they have MFA, but it’s only one kind of MFA, and they only have one of them. But they feel good because they have it.

    Then they act shocked when their single MFA method breaks and they lose their accounts because they’re stupid.
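As an added illustration of the point made in the comment above (this is not the commenter's own code), the script below models an MFA enrolment as a map from each authenticator to the physical devices it depends on, then brute-forces which device losses leave no usable authenticator. The two enrolments, the device names and the authenticator names are constructed for the example; the first reproduces the "SMS as a backup to an authenticator app on the same phone" overlap, the second approximates the layered setup the comment describes.

```python
"""Find correlated single points of failure in an MFA enrolment.

Each authenticator maps to the set of physical devices it depends on.
If every device in that set is lost, the authenticator is unusable.
All enrolments below are constructed examples, not real accounts.
"""
from itertools import combinations

# "Backup" that shares a device with the primary: not actually independent.
SAME_PHONE = {
    "ms_authenticator": {"phone"},
    "sms": {"phone"},
}

# Layered setup: every authenticator lives on a different device or copy.
LAYERED = {
    "fido2_primary": {"keychain_key"},
    "fido2_backup": {"safe_key"},
    "totp_phone": {"phone"},
    "pc_biometrics": {"pc"},
    "laptop_biometrics": {"laptop"},
    "recovery_codes": {"friend_copy"},
}


def devices(enrolment):
    """All distinct devices any authenticator in the enrolment depends on."""
    return sorted(set().union(*enrolment.values()))


def usable_after_loss(enrolment, lost):
    """Names of authenticators still usable after the given devices are lost."""
    lost = set(lost)
    return {name for name, deps in enrolment.items() if not deps <= lost}


def lockout_sets(enrolment, max_losses=1):
    """Device combinations of size <= max_losses that leave nothing usable."""
    found = []
    for k in range(1, max_losses + 1):
        for combo in combinations(devices(enrolment), k):
            if not usable_after_loss(enrolment, combo):
                found.append(combo)
    return found


def min_devices_to_lock_out(enrolment):
    """Smallest number of simultaneously lost devices that locks you out.

    Brute force over device subsets; enrolments are small, so this is cheap.
    """
    devs = devices(enrolment)
    for k in range(1, len(devs) + 1):
        for combo in combinations(devs, k):
            if not usable_after_loss(enrolment, combo):
                return k
    return len(devs)  # unreachable: losing every device always locks out


if __name__ == "__main__":
    for label, enrolment in (("same phone", SAME_PHONE), ("layered", LAYERED)):
        print(f"{label}: lose {min_devices_to_lock_out(enrolment)} device(s) "
              f"to be locked out; single-device lockouts: "
              f"{lockout_sets(enrolment)}")
```

Running it shows that the same-phone setup is locked out by losing one device (the phone), while the layered setup survives the loss of any single device and needs all six to fail at once. The check generalises to any enrolment you write down: if `min_devices_to_lock_out` returns 1, a "backup" factor is not actually a backup.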