I have yet to start using any smartphone two-factor authentication

October 12, 2016

Now that I have a smartphone, in theory I could start using two-factor authentication to improve my security. In practice I have yet to set up my phone for this for anything (although I did download an app for it). There turn out to be several reasons for this.

First, the whole area is fairly confusing and partly populated by people that I don't really trust (hi, Google). Perhaps I am looking in the wrong places, but when I went looking at least the first time around there was a paucity of documentation on what is actually going on in the whole process, how it worked, what to expect, and so on. What I could find was mostly glossy copy and 'then some magic happens'. I'm a sysadmin; I don't like magic.

(The confusing clutter of apps didn't help things either, although I suspect that people who know what they're doing here have an easier time cutting through the marketing copy everyone has.)

Then, well, it's early days with my smartphone and I'm nervous about really committing to it for something as crucial as authentication. Pretty much everything I've read on 2FA contains scary warnings about what happens if your phone evaporates; at the least it's a big hassle. Switching on 2FA this early feels alarmingly like jumping into the deep end. Certainly it doesn't seem like something to do casually or simply as an experiment.

(Probably there's a good way to play around with 2FA to just try it out, but I have no idea what it would be. Scratch accounts on various services? Right now I'd have to commit to 2FA on something just to find out how the apps look and work. I suspect that other people have a background clutter of less important accounts that they can use to experiment with stuff like this.)

Finally, there is the big, blunt issue for me: I just don't have very many accounts out there (especially on websites) that I both feel strongly about and that I'm willing to make harder to use by adding 2FA. Most of my accounts are casual things, even on big-ticket sites like Facebook, and on potentially somewhat more important sites like GitHub I'm not very enthused about throwing roadblocks in the way of, say, pushing commits up to my public repos.

(Part of this is that I'm usually not logged in to places. And obviously things would be quite different if I worked with any important GitHub repos.)

All of this feels vaguely embarrassing, since after all I'm supposed to care about security and I now have this marvelous possibility for completely free two-factor authentication, yet I'm not taking advantage of it. But I've already established that I have limits on how much I care about security.

Written on 12 October 2016.

Last modified: Wed Oct 12 02:25:04 2016