Compulsory two-factor authentication now the norm

Two-factor authentication might be an inconvenience, but it’s also a frontline weapon against fraud and cybercrime

Tuesday, 7 December, 2021

When Google imposed two-factor authentication on Gmail users earlier this month, one of the last bulwarks of one-step user verification fell by the wayside.

It’s increasingly difficult to perform any kind of transaction or information retrieval online without having to complete additional safety steps.

For some, this is a necessary counterweight against rampant cybercrime. For others, it’s a frustrating and inconvenient layer of bureaucracy, smothering what should be a seamless online experience.

So why has two-factor authentication become so ubiquitous? Can it be avoided? And is it really a long-term solution?

Max factor

Better known as 2FA, two-factor authentication describes the process of confirming your online identity with two separate pieces of data.

These are typically distributed via different platforms – a computer and a smartphone, or a website and a text message.

The idea is that a thief might discover your online password, or steal your phone, but they’re unlikely to accomplish both simultaneously.

As a way of reducing opportunistic fraud or impersonation, 2FA is already used by many of the world’s biggest online service providers.

You’ll need to complete a two-step verification process to access social media (Twitter and Instagram), send files (WeTransfer and Dropbox) or make purchases (Amazon and PayPal).

It does sometimes seem incongruous, verging on downright irritating, when a WeTransfer media dispatch is suspended until you enter a six-digit verification code.

Ecommerce sites may be justified in offering the highest level of consumer safety possible, but other platforms have adopted 2FA with rather less justification.

What’s the big idea?

Generally speaking, companies have rolled out 2FA because it reduces their exposure to online fraud and, by extension, their customers’ exposure.

We’ve previously discussed the phenomenon of phishing, and explained how to quickly improve online security.

From a corporate perspective, asking consumers to wait a few moments is worth the reduced likelihood of fraud occurring.

Bank cards provided one of the earliest examples of 2FA in action, with a PIN code being required to complete purchases or withdraw cash even after a card was presented.

Is 2FA avoidable?

Some sites allow you to deactivate 2FA, though it’s increasingly unavoidable.

Yahoo allows you to deactivate the Account Key used to conduct verification, but desktop users have to open their phone and confirm their sign-in attempt – using 2FA.

When your correspondent attempted this while researching this article, the required notification didn’t arrive. It had to be manually summoned by opening the mobile app.

Unreliability is one of several reasons why 2FA is often seen as a hindrance. Convenience is another.

If the authentication token is sent to a smartphone, that device might not be to hand, or charged, or receiving a strong signal.

Email confirmations may not arrive before the inevitable time limit expires. Alternatively, the message could be deposited in a spam folder, or get blocked before it arrives.

Getting stuck in a scenario where you can’t complete an action is likely to lead to site abandonment, negative brand sentiments and a disproportionate amount of frustration.

It’s testament to modern expectations of immediate gratification that even a momentary delay could provoke genuine ire.

Is all this really necessary?

The simple answer is yes – for now.

User perceptions of 2FA are softening, with a biennial study of British and American adults confirming almost 80 per cent of people used it in 2021, compared to just 27 per cent in 2017.

SMS text messages and email are the most commonly used channels for secondary authentication requests.

Growing adoption of biometrics (used by 42 per cent of survey respondents in the last year) represents a simpler long-term solution.

Once it’s possible to confirm your identity biometrically during a transaction or activity, it shouldn’t be necessary to provide further authentication at any stage.

It’s hard to see how anyone could commandeer your eyeballs or fingerprints to impersonate your identity other than through coercion, and 2FA wouldn’t prevent that, either.

However, until every web-enabled interface offers dependable biometric data harvesting, we’re likely to see 2FA retained as a blunt instrument of personal safety.

Neil Cumins


Neil is our resident tech expert. He's written guides on loads of broadband head-scratchers and is determined to solve all your technology problems!