Feb 24, 2017

I’ve been using Google’s 2 factor authentication for a while now; it’s simple to use and seems effective (and is probably the most commonly used 2F on earth). But how many factors is it, really?

But perhaps I could try to distill this even a bit more, and go radical… is the 2nd factor really necessary or just a productivity hit/distraction?

Once per month or so it dutifully asks me to type in a password… but most of the time it’s really sort of a zero factor auth device, assuming you’re sitting at the keyboard.

But the 2 factor is really a bit oddly named… because really it’s something like a 1+2 factor: I have a mobile device (my wife finally got tired of me having no phone and bought me one, ack!) and a password, but I really only use the 2F when I’m on a laptop (or workstation at home), almost never on my phone, so it’s password+phone+device.

But it’s not even 1+2, because 98% of the time I only have to login to my laptop (splash screen) and I’m in – once it fires up I can go to all the sites and places I frequent, including the ones with the keys to the infrastructure (e.g. the google console for their GCE environ), etc.
To get onto the laptop you can either type a password or hit the (rather charming, I’ll admit) little tactile LCD strip on the new macbooks that claims to save your fingerprint (cue the gummy bear army to attack!).

So really I claim that most of the time I only use a single password or a faux-fingerprint, but the security locus really is around my computers; if you can compromise them the other two factors, the ones people generally call my 2 factors, don’t even come into play. If there’s a vulnerability that allows code execution on one of my boxes, you’re in.

You can surely say (and stop calling me…) that I’m misusing 2F, but I suspect that this is how most use it today in the unwashed vernacular masses.

A long winded way of saying your “what you know” in Google’s two factor, at least, is pretty worthless most of the time. It only seems to come into play when –

– your time is up (every 30 days or whatever)

– your Google seed/key/whatever has been compromised (that’s when it really would matter… and I really haven’t read too much about how easy/difficult that is… I’d presume if you clone a phone/copy its disk you’d have it, but perhaps it’s trickier than that, using the device ID or something?)

Even the “what you have” doesn’t normally come into play; 99% of the time it’s actually dependent on the device I generally use to do work, which has pretty much nothing to do with the 2F.

Anyway. Slow Friday. Need more caffeine, amphetamines…
