Login Security plus 2FA

Jan 2023

UPDATED Oct 2023

The page title ought to be “Don’t tell them your name Pike“, read on to find out why πŸ™‚

To cut to the chase. It seems that a lot of “decision makers” that implement “Login security” appear to NOT have a good understanding of “basic security” and “User behavior”. It also appears that some “security” personnel can’t get their heads round the fact that a lot of people use more than one “device” to access “Web Services”. It also appears some people that implement 2FA (2 Factor Authentication) security just don’t get security! The implementation of 2FA (where a code is sent to complete a login) has become a mania and appears to be seen as a panacea for logging in securely but in most cases it offers no increase in security It mainly creates an unnecessary hurdle for genuine users.Β  Read on.

I’ve decided to put the conclusion here, instead of at the end but please continue reading to find out why the sending of a code under the guise of 2FA is pseudo security. Hopefully it will help to increase your knowledge. Knowledge is power πŸ™‚

Conclusion.

  1. An attempted login using the correct credentials does not prove that the login is being made by a genuine user. How can it?
  2. The sending of a “2FA” code does not confirm that the login is being made by a genuine user. How can it?
  3. The code does not provide any additional proof that the attempted login is being made by a genuine user. Even the genuine user doesn’t know the code until it is retrieved.
  4. The sending of a code can not confirm that the attempted login is being made by a genuine user. How can it!

If 2FA is being implemented.

  1. It MUST be in the form of an additional Challenge that asks for information that only a genuine user would know.
  2. The sending of a code is not a challenge and does nothing to confirm that the attempted login is a genuine user.
  3. The only time the sending of a code improves security is when the code cannot be accessed.
  4. The sending of a code is Pseudo Security that creates an unnecessary hurdle for genuine users attempting to login.

The sending of a code or the request for additional information by email or SMS could be a security risk itself. If the “response mechanism” is compromised, it could give others details of the email address or phone number. This is probably a very low security risk but would be along the lines of a “man in the middle” type compromise. This could be prevented by having the login screen asking for the additional info e.g. 3 challenges instead the normal 2. To be clear the sending of a code would become redundant. The third challenge would ideally be additional info that is not stored in a way that could be compromised.

The use of 2FA (where a code is sent) could be viewed as SnakeOil and is used by people that don’t have a real grasp of security.

End of Conclusion.

Below is a very lengthy explanation of secure logins which should be known to security professionals. If you are a decision maker imposing the use of 2FA (where a code is sent), you really need to read this and become informed.

Basic (login) Security (Decision makers don’t appear to know this)

Uses 2 challenges, “User ID” & Password. These 2 bits of information should only be known to the “genuine” user.

The first challenge is the User ID which should not be easy to guess but if the User ID is an email address, phone number or a “common use” ID that is easy to guess e.g. employee number, it doesn’t offer much security. Quite often the log on screen instructs you to input your email address or phone number for the User ID, doh. That isn’t a Challenge, it’s a “Don’t tell them your name Pike“!

The second Challenge is the Password which should not be easy to guess and should only be known to the genuine user but “weak” passwords are fairly easy to circumvent and don’t offer much security.

Entering the correct User ID & Password a.k.a. Credentials does not prove that a genuine user is logging in, it only proves that the login credentials are correct! Keep that in mind.

Logging in / on to any device for some people is a PITA and puts a hurdle in place and this is by design. The login procedure is designed to offer challenges to try to make sure that you are the genuine user. Unfortunately we seem to have developed a culture where everything has to be instant and logging in impacts the “do it now” situation!

For people that only have one “Device” e.g. Desktop / Laptop / Tablet / Mobile phone, having to “Log in” can be seen as a PITA. If the “Device” is only accessed by one person, there doesn’t seem to be any valid reason to enter “User ID and Password” (because its me). However, to cater for situations where the device is “compromised” and others now have access to it; If they don’t know the User ID and Password they are unable to use the device and are unable to access any data on the device.

Logging in to a device is the most basic security method and is a good thing to do, even if its a PITA! Most devices also offer a “Screen Lock” where you have to enter a “code” to unlock the screen. A lot of / maybe most people find this to be very much a PITA but it does mean that your device is more difficult to be “compromised“. No one can use the device if the screen is locked and the unlock code is not known so this is a very good security feature but can still be a PITA. Fortunately the “timing” of the screen lock can often be amended to be more user friendly.

Logging in to a “Network Device (Desktop / Laptop / Tablet) that is part of a network (LAN) enables the use of “Network Facilities” (File sharing, Printer sharing). Having to enter the User ID and Password helps with data protection and as above it is a good thing to do but when there is requirement to lock the screen after “x” mins of inactivity and you have to enter the credentials again that is a real PITA. Having to keep entering the credentials several times a day is definitely a PITA and a lot of people find it an annoyance but acknowledge the importance of “Data Protection” and security of the device.

Generally, having to log in using a User ID and Password is an inconvenience, it is a hurdle that most people would like to circumvent but having to log in helps to keep your device and data safe from “prying eyes”. Rock, hard place comes to mind!

When we log in to a device that is part of a network, we need to accept the need to log in securely. When we connect to the Internet, we are connecting to a “Global Network” which gives us the potential to connect with Millions of other network devicesΒ  and we NEED security put in place to help keep us (our devices) safe from being compromised.

Using a simple User ID & Password however offers little by way security and does not “prove” that the “person” entering the “credentials” is the “Genuine” user. It only proves that the correct credentials are being used. Keep that in mind

Without any doubt, one of the most secure method of “logging in” is to use a “Strong” password, along with a User ID that is not easy to guess. The person attempting to “log in” would only need to know 2 bits of information, the User ID and Password. However it should be noted that the person attempting to login using the correct credentials might not actually be the person that was issued with the credentials. Keep that in mind!

A “Strong” password is (currently) considered (by security professionals) to be a minimum of 15 alphanumeric characters which are made up of upper and lower case characters, numbers and “symbols” e.g. @, #, > etc. If you throw in the “randomly generated” passwords, there is little chance of anyone being able to remember their password. If you then throw in a requirement to use a different password for the many “services” that you log in to and throw in the different user ID, it can be seen that User ID and passwords (strong or weak) are not the ideal solution. The typical computer user just wants to use the computer and do what they want or need to do. Having to enter a user ID and (not easy to remember) password is very much a PITA and this often leads to (genuine) users using creative methods to bypass the “stupid security”. Yes, a lot of people think that “security” is a stupid PITA and stops them doing what they need or want to do. Keep that in mind!

With regards to passwords. The power of computers is increasing rapidly and the “Strength” of a password is mainly governed by the number of alphanumeric characters used and maybe along with other factors. this link gives a chart to compare the various options of passwords.

Note. The chart maybe out of date due to the constantly increasing computer “power”. A password that took 5 weeks to crack might now only take 2 weeks. This is the reason why Security Techs advise on changing your password on say a monthly basis because it reduces the chances of your password getting cracked and ultimately your device being compromised. It is indeed a double edged sword! having to keep changing your “not easy to remember” password is a PITA but Changing your password on a regular basis should help stop it being “cracked”.

Check your Password to see how secure it is. Note, I’m not sure of the accuracy of this but have a play.

Note. Password “crackers” tend to use “offline” facilities that don’t have a restriction on the number of times the incorrect credentials are used before being locked out. Password cracking software is improving all the time as is the processing power of Computers.

With regards to having to provide “Different Credentials” to access “Different services”, most people find this an inconvenience and actually write their “credentials” in a “little book”, you do don’t you πŸ™‚

A work round to keeping track of all these “credentials” could be to use a “Password Manager“, these are considered to be very secure but can and have been known to have been compromised. See LastPass, they have been compromised. πŸ™

The use of a strong password that you change on a regular basis will help to stop your device being compromised but at the risk of repetition entering a User ID & PW does not prove you are the genuine user. How can it!

Surely there has to be a better way! Indeed there are better ways and there are some that just offer nothing more than pseudo security and extra unnecessary hurdles for valid users.

Secure logins are unfortunately a requirement that we can’t escape. The most secure methods of logging in make use of MFA (multi factor authentication) where you use several “layers” / “bits” of information to “prove” you are the genuine user. The more “bits” of “personal information” that you can provide, make it more difficult to log in but also make it more difficult for “rogues” to log in, unless they have access to your “personal Information”. MFA (correctly implemented) “offers” challenges to try to confirm that the login is being carried out by a genuine user.

Using a User ID along with a strong password only provides 2 “bits” / “layers” of information and as already discussed this does not provide proof that the genuine user is attempting to log in.

More secure Login security.

To improve the login security, we need to provide additional information, in the form of an extra challenge, which (in theory) would only be known to a genuine user.Β  Enter 2FA (2 Factor Authentication).

The use of 2FA (where a code is sent) after entering your User ID and Password, appears to be becoming the enforced method by “decision makers” that are clueless about login security. It works by you logging in (to a service) using your User ID and Password and then a code is sent either via Email or SMS. You then enter the code to continue the logging in process. That sounds like a brilliant idea from a security view but in most cases it is a complete waste of time.

MFA (Multi factor authentication) should provide additional “challenges” and ask for additional information (that should only be known to a genuine user), to try to confirm that the attempted login is a genuine user. The sending of a code via email or SMS is NOT a CHALLENGE, it merely provides an extra bit of information that even the genuine user has no knowledge of until the code is received. The sending of a code does not provide any additional proof that the attempted login is a genuine user. If the code can be accessed by the device being used to log in, there is absolutely no improvement in security and is a waste of time!

The sending of a code, is poorly implemented 2FA and does not offer any extra challenge(s) and this makes it a pointless exercise at best it is pseudo security. The “Emperors new clothes” springs to mind!

Microsoft have an “Authenticator” app that is installed on your phone. When an attempt is made to log in to your MS account, a code is sent to the app (on your phone). This sounds like good system but it does not prove you are the genuine user. It only proves that you have access to the phone and Authenticator App. In this example you are providing 3 bits of information (User ID, Password and 2FA code), it maybe ought to be called 3FA πŸ™‚

Unfortunately the only thing that sending a 2FA code achieves (in most cases) is putting an extra hurdle in place for the valid user logging in. In most cases it does not achieve any increase in security. It is akin to the use of the “CAPTCHA challenge” (where you have to click all the pictures that contain traffic lights etc to prove you’re not a robot) but probably not as annoying!

In most cases (poorly implemented) 2FA achieves no increase in security and never proves that the login attempt is being made by a Genuine user, how can it!

If the sending of a code could prove you are a genuine user, there would be no need for a password but the sending of a code can not prove you are a genuine user, how can it!

The sending of a 2FA code would seem to be a good idea and might be advantageous in some situations but it does not “prove” that you are the “genuine” user that is trying to log in! It just acknowledges that the “person” or “Bot” has all the login details and access to the 2FA code. This is true of any system that relies on a “User ID and Password”. At best, in most cases, the sending of a 2FA code is nothing more than Pseudo security. We will ignore that SMS and Email are not encrypted so the “code” is sent as plain text because it doesn’t really matter! 2FA poorly implemented is a waste of time and effort. If 2FA does not provide any additional challenges, it is pointless and mostly a waste of time! The sending of a code is NOT A CHALLENGE, it does not ask for additional information that should only be known to a genuine user. The sending of a code makes the assumption that only a genuine user would have access to the code and in many cases this maybe be true but at the risk of repetition it does not prove that the genuine user is attempting to login. At the risk of repetition, entering the correct UN & Password does not prove you are are genuine user. The sending of a code does absolutely nothing to confirm you are a genuine user, How can it?

The following scenarios should give you a good idea of how 2FA is used and its effectiveness or lack of!

Scenario1. You are logging in to a (Web) service using an App on your phone. You either input the User ID and Password or you use the “saved credentials”. You are then sent a code via Email or SMS. You then swap to the Email or SMS App screen to retrieve the code and swap back to the login screen and enter the code – from memory or use the copy n paste option. The login is completed but there is “no proof” that you are the “Valid User“. The login credentials could have been compromised. The 2FA code is sent to the device being used to log in, DOH! Yes that is a bit of a Homer Simpson situation. The sending of a code is then just “Pseudo Security” that has not achieved anything other than make it more difficult for the “genuine” user to log in! The code being sent to the device being used to log in is stupidity at the highest degree and indicates that the people responsible for implementing 2FA don’t actually understand security at the most basic level. It could be a sketch from Monty Python, it is so ridiculous its actually quite funny. Unfortunately security is serious stuff.

The whole point of secure log ins is to make sure that the log in is being made by a genuine user by using challenges that ask for “information that is (should) only be known by the genuine user. Sending a code either via email or SMS is an abject failure and is akin to “Don’t tell them your name Pike” πŸ™‚ 2FA is, generally a box ticking exercise unless it is implemented correctly e.g. it gives an additional challenge(s).

Scenario2. You are logging in to a (web) service using your Desktop / Laptop / Tablet using a browser or App. You enter the User ID & Password and are then sent a 2FA code via SMS or email. In the case of SMS, you check your phone (a different device) for the code and this is (potentially) good because it means that the log in is being attempted by someone who has knowledge of the login credentials and has access to the SMS code. It still doesn’t prove that you are the genuine user but knowing the credentials and having access to a different device would suggest that you are a genuine user. Where the “user” does not have access to SMS, the use of 2FA makes it impossible for the (genuine or other) user to complete the log in. In the case of email its just a case of checking the email for the code, using the same device that is being used to log in to a web service, therefore no increase in security and utter waste of time. Monty Python again πŸ™‚ Have a laugh the Parrot sketch is very funny but think of the shop keeper as a decision maker enforcing 2FA and the sending of a codeΒ  πŸ™‚

Scenario3. Someone has stolen (or borrowed) your phone and attempts to log in to a (Web) “service” maybe via an App. In many cases your User ID and Password are saved by your browser or other (because you allowed it to). So the “rogue” attempts to log in using the “saved credentials” and is then sent a code via Email or SMS, all the “rogue” has to do is check the Email or SMS (using the “stolen / Borrowed” phone) for the code and then enter it to complete the Log in process. 2FA in this case is a complete and utter waste of time! The 2 problems here are the storage of log in credentials (but most users would consider it an advantage not having to remember the “credentials”) and having the 2FA code sent to the same device being used to log in. To be clear, if the phone is stolen (or borrowed) the 2FA code sent by email or SMS can easily be accessed by the person attempting to log in and that is an idiotic situation. It isn’t even pseudo security, it is just plain stupid and is akin to “don’t tell them your name Pike“. If the phone has a screen lock, this would help to stop others having access to the device and would put a good hurdle in place. Unfortunately screen lock codes are not always difficult to defeat. If the screen lock code cannot be defeated, this scenario would not be possible because the device can not be accessed.

Scenario4. “Someone” is attempting to log in to a (Web) service using your User ID and Password. The 2FA code is sent by email or SMS but the “someone” doesn’t have access to your phone or email so isn’t able to retrieve the code. In this case the sending of a 2FA code has prevented a “rogue” log in. At last a meaningful situation where the sending of a 2FA code is actually increasing security and is effective!

The sending of a 2FA code is useful in some situations. Where the code can only be accessed from a different device to the one you are using to log in to a service. e.g. you are using your PC / Laptop / Tablet to access maybe your bank account. The 2FA code would then be sent via SMS to your phone. In principle this is a good option but does not actually prove you are the “genuine” user. All it proves is that you have the login credentials and that you have access to the 2FA code. The use of 2FA should add an extra “layer” of logging in protection by offering an additional challenge but in most cases the extra layer just adds an extra hurdle for valid users and at the risk of repetition, it does not prove the attempted login is a valid / genuine user.

You could be using your “Mobile Device” to access the “service” but if the “Mobile Device” is stolen, the 2FA code can be easily accessed by the thief. In this case 2FA is a complete and utter waste of time. A screen lock code would, in this case, be more effective than a 2FA code being sent.

Your “Network Device” could be capable of receiving SMS maybe via Microsoft “PhoneLink” or “MySMS”. In principal the sending of a 2FA code is more of a chocolate fireguard than a security feature. In most cases it just makes it more difficult for the valid user to log in and does not and can not prove that the attempted login is the genuine user. How can it!

People implementing the sending of 2FA Code and indeed bullying people to use it need to understand this. They need to stop being clueless and fully understand that sending a 2FA code does not prove that the person logging in is actually the genuine user. It only means that the person attempting to log in has access to the credentials and the 2FA code. Sending a 2FA code is pseudo security that adds an extra unnecessary hurdle to genuine users. In most cases the sending of a 2FA code offers no real increase in security. Poorly implemented 2FA. e.g. when it doesn’t offer any additional “challenges” that would only be known to the genuine user is pseudo security and is a complete and utter waste of time and effort.

If the “2FA code” could only be sent to a different device to the one being used to log in, it would make more sense but would still not prove that the person attempting to log in was the Genuine user. MFA (Multi Factor Authentication) only works when correctly implemented by people that understand what a “Challenge” is!

The whole point of secure logins is to provide “challenges” to try to confirm that the log in attempt is being made by a genuine user. The more “bits” of (personal) info that can be provided are the basis of MFA.

If 2FA was a “challenge” and asked for additional “personal” information (that is stored in the account details), it would be a game changer. If you received an email or SMS asking for “personal Information” instead of a 2FA code e.g. “What was Registration number of your first car”, that would be a game changer. It would still be an extra hurdle to logging in but would make 2FA a good security option because it satisfies the “Multi Factor Authentication” requirements and it wouldn’t matter if the 2FA request could be accessed by the device you are using to log in because (in theory) only a genuine user would know the information being requested. Its weakness is users who are careless with their credentials and personal info and in situations where the account info has been compromised. It would be even better if the challenge asked for Information that is not stored in the account details and would only be known by a genuine user e.g. “what was the amount of your last bill”. However, that is not easy to implement but is REAL SECURITY. The sending of a code that can be accessed by the device being used to login, does NOT improve security and does NOT add any challenge to “test” if the login is being made by a genuine user, how can it!

There has to be a better way for genuine users to access devices and services that are user friendly but still have a high level of security. It can be seen that using a user ID and Password along with the sending of a 2FA code does not prove that the login attempt is being made by a genuine user and are akin to “Don’t tell them your name Pike“.

Alternatives to entering user ID and password.

Microsoft have enabled to use of a PIN to log in to Windows, this avoids having to use a “difficult to remember” password and is worth having a look at but a PIN that is all numbers is relatively easy to crack so changing the PIN regularly is a good idea but see below “Device Fingerprinting”.

Android and Apple devices have similar methods in place. “Lock Screen Passwords” are also used by all. The “code” for unlocking a screen can be a choice of methods from entering a “PIN” to having a “pattern” drawn by a finger. This is a very good security feature and is not easy to defeat but not impossible.

Other Methods of secure logging in.

The whole concept of Log in Security is / should be based on “Multi Factor Authentication” but should be “user friendly” so we need to look at alternatives. It is clear that logging in using a User ID & Password is not the ideal solution and we need to get away from logging in using this method. The alternatives have been available for some time but seem to be slow to catch on. Keep reading πŸ™‚

Biometrics. Could dispense with having to use a User ID & Password and instead use maybe “fingerprint”, “voice or face recognition” etc. Biometrics are not easy to circumvent but can be unreliable when you have say grease on your finger tip or you happen to lose a finger or you have had a good session in the pub and you are not “looking your best” πŸ™‚ Biometrics can be compromised but not easily. Generally a better option to entering UN & PW.

Device Fingerprinting. In a “normal” situation where you are using your regular Phone or PC to log in to a service. You would enter your User ID and Password and if your “Device Fingerprint” hasn’t changed, the log in would proceed. Unfortunately, this has the limitation of 2FA, in that it doesn’t “prove” that you are the “genuine User” but can prevent attempted logins from unknown devices. Google, Microsoft and others send out an email and / or SMS advising that “You have logged in from an unknown device” and basically ask the question “was it you”. That is a pretty good security feature but not if the email / SMS can be accessed by the “unknown device”, DOH! The main advantage of this is that it alerts the genuine and rogue user about the login and makes it possible for the genuine user to block the log in if it wasn’t the genuine user but it also means that the “rogue” could select “it was me” so again it is pseudo security. “Don’t tell ’em your name Pike” πŸ™‚

Most people who deal with computer and network security are not “decision makers” but they know that every (network) device has a unique ID and this is the MAC (Media Access Control) address. The MAC address (often called the Hardware Address) is always a unique identifier and is “hard wired” into all “network devices” at the manufacture level, it never changes. The MAC address can however be “spoofed” (and often is), to get round some situations but it is still possible to create a “Unique device Fingerprint“. In addition to the MAC address, other things like CPU ID and basic hardware info, can all be used to create a “Unique Device Fingerprint“. However, this “Unique Fingerprint” can only be relevant to the device and not the user but the use of “Device Fingerprinting” is often a better option to poorly implemented 2FA e.g. the sending of a code.

Note. The MAC Address can be spoofed and SIM cards can be cloned but the Device Fingerprinting doesn’t rely on just one bit of information.

The Santander Mobile Banking App is awesome and is developed by people that seem to understand security and user friendliness. Security is achieved in a way that makes you feel that you are being “looked after” and you don’t have to jump through hoops to look at your bank account. After installing the App, you go through a series of security challenges and from then on all you need to do is enter a “code” which is only known by you. You don’t have to enter a UN & PW because you have registered your device. It doesn’t matter if your phone is stolen or you don’t have a screen lock code. If the log in code is unknown; access to the banking details is not possible. Without a doubt Santander have made the use of (poorly implemented) 2FA redundant, well done Santander. From a user friendly point of view it is spot on. However, if “the code” is not at least 10 alphanumeric characters and doesn’t change on a regular basis; it could be “cracked” fairly quickly. This ought to be addressed but If the phone is lost or stolen, it could be “wiped” or blocked remotely or it could have a strong screen unlock code and this would prevent the use of the phone so the use of 10 Alphanumeric characters is possibly redundant.

Smart Cards and Dongles. provide a high level of security and cannot be easily compromised. With Smart Cards, it is usually a case of swiping the card through a “card reader” or the card is inserted into a “port”. The card contains the User ID & PW and any other security “tokens”. It is very secure and very user friendly, win win. USB “dongles” work in a similar way but don’t need “card readers”. There are other “dongle / fob” type devices that are very secure but most security methods are not 100% fail safe and in some cases need more than one method or a combination. Security and user friendliness need to achieve a balance.

Log in Security Summary.

  1. Logging in to a device is the first hurdle. Having knowledge of the credentials does not prove you are the genuine user but without the knowledge of the credentials, you are not able to use the device.
  2. Using a User ID and Password only indicates that the person trying to log in is someone who has access to these details. It does not prove that you are the valid user. A User ID and Password only provide 2 “bits” of information and these can often be “obtained” using Social Engineering.
  3. Using a User ID and Password along with a 2FA code only indicates that the person trying to login has access to the login details and the 2FA code.
  4. Biometrics negate the need to use passwords and the sending of a 2FA code (pseudo security).
  5. Smart Cards negate the need to use user ID and Password, 2FA and Biometrics. They can be used to offer the highest levels of MFA and are not easy to defeat.
  6. Allowing your Browser / Google or other to remember your login details is a very bad idea but is very convenient!
  7. Having a “Device” screen lock is a good secure option but is often a PITA.
  8. Having a “Layered Defense” system is always a good idea but needs to be user friendly.
  9. 2FA is “pseudo security” unless it is implemented correctly by giving an extra challenge.
  10. Device Fingerprinting is often a better way of implementing login security than poorly implemented 2FA.
  11. The use of Biometrics or Smart cards appear to be the way forward, if implemented correctly.
  12. Smart cards are more suited to “network devices” that can incorporate “Card Readers”.
  13. Biometrics are more suited to “Mobile Devices” but can be used by “network devices”.

Most people that use “computers” and “Smartphones” probably don’t care about “Security Risks”, they just want to get on with what they want to do and most people that implement “Security” don’t appear to understand “ease of use” for users. Without any doubt people need to use “computers and smartphones” in a secure manner to help prevent “fraud” and other “compromise”. Security personnel need to “work with users” to make sure that the users are connecting to the various “secure areas” in an easy manner that still offers real security.

Halt, who goes there are you friend or foe“. “Friend”, “OK you can pass” πŸ™‚ (doesn’t cut the mustard)

You can’t cross the bridge without permission“. “Can I have permission?”, “Yes, please cross” πŸ™‚ (doesn’t cut the mustard)

Your code to complete the login is xxxxx, please enter it“. That is just silly (doesn’t cut the mustard)

If we want absolute proof that the attempted “Log in” is a genuine user, we can have a problem. Having knowledge of the user credentials does not prove you are the “genuine user”. User ID and Passwords can be and are often compromised.

Biometrics can help “prove” that the person attempting to log in is the “Real McCoy” and may be the way forward but it isn’t without its problems. It is very difficult to circumvent but not impossible.

2FA codes being sent (via email and / or SMS) and accessible by the device used to log in are a waste of time and effort. The main achievement is an unnecessary extra hurdle to logging in for valid users. If 2FA is being implemented (where a code is sent and is easily accessible), the use of “Strong passwords” is pointless as is the use of Biometrics.

The use of Biometrics should negate the use of 2FA but 2FA is used because it “sounds like” a good idea but in practice it isn’t because of poor implementation e.g. it is not a challenge.

The only way of being sure that the “person” attempting to log in is a genuine user is to use Biometrics like fingerprint, retina or maybe voice recognition.Β  Biometrics can be defeated but not easily.

The use of CAPTCHA and 2FA don’t actually prove that the person trying to log in is the valid user.

The implementation and enforcement of the use of 2FA (where a code is sent) seems to be used by people that don’t have a grasp of security but if the 2FA code can only be accessed from a different device to the one you are trying to login to, it can be seen as a security improvement. It doesn’t actually prove that you are the valid user but it is assumed that someone who has knowledge of the user credentials and has access to another device to retrieve the 2FA code, is a Valid user. In reality, the use of 2FA is only useful in stopping logins by “bots” who don’t have access to the 2FA code.

As identified above, if the 2FA was amended to be a “challenge” asking for addition personal info; it would make the use of 2FA sensible instead of being a sketch from Monty Python.

It can be seen, making sure that people attempting to log in are genuine users is a bit of a challenge for security personnel. In many cases the “users” are the problem by being “careless” with their log in credentials and this is a challenge for security personnel. It can be seen that using User ID & PW along with 2FA code to log in is more of an inconvenience for valid users and offers limited (if any) extra security.

The sending of a code does not prove that the attempted login is being made by a genuine user. There is no way that the sending of a code can prove that the attempted login is being made by a genuine user!Β  How can it!

It is very likely that the “decision makers” enforcing 2FA and the sending of a code won’t be reading this and it would seem that they don’t have a grasp on basic security but they are good at ticking boxes so you are likely going to have to continue to jump through hoops to suit the pseudo security imposed by box ticking decision makersΒ  πŸ™

Logging in using User ID & PW along with sending a 2FA code is pseudo security and is mostly a waste of time. The use of Biometrics and / or Smart cards is far superior to 2FA (where a code is sent). The pseudo security personnel need to “up their game” and make it easy for valid users to log in without jumping through (unnecessary)Β  hoops.

Don’t tell them your name Pike“! (Dads Army)

When 2FA is being implemented, it needs to offer an extra challenge where it asks for additional information that would only be known to a genuine user. Ideally this extra info would not be stored in a way that could be “compromised” and would be info that is known only to the genuine user. The sending of a 2FA code is NOT A CHALLENGE and does not ask for additional personal information. The sending of a 2FA code does not prove that a genuine use is attempting to login.

If you want to achieve secure log ins, talk to the Devs who do the Santander Mobile Banking App, they “get” security and user friendly and they have set the bar to a high level.

Don’t tell them your name Pike