portrait picture

TIMO ZIMMERMANN

balancing software engineering & infosec

How two factor authentication is never going to be adopted

posted on Wednesday 9th of October 2019 in ,

Last year Facebook spammed people who added their phone number to increase their account security. Now Twitter did it as well. Obviously it was a mistake, at least if you believe companies driven by ad revenue and by selling customers data. What most people will take away from those incidents is that companies tell you to add your phone number to improve the security of your account, but only use it to send you more ads and other unsolicited „content“.

Now people might argue that SMS is the worst form of two factor authentication – and from a technical perspective I fully agree. For targeted attacks a SIM swap is feasible in some countries. For people primarily posting cat pictures who would be a victim of not targeted attacks most likely not.

While it is not perfect, it is an improvement from a security perspective over „hunter12“ being the only thing preventing someone from taking over an account to post spam. It also is a good introduction to the concept of two factor authentication. It uses a medium users are familiar with, understand and does not add an additional layer of – what non tech savvy users might consider – inconvenience to get started.

Getting people to adopt two factor authentication is hard. And every small step into the right direction helps a lot, but this also means companies cannot leverage phone numbers they get for security reasons to spam their products customers.
We obviously cannot expect anything from Facebook or Twitter anymore, but if you are working on any system allowing two factor authentication via SMS please consider it part of your job to advocate and explain to the organization that those phone numbers are not to be abused.