Two Factor Authentication (2FA) Isn’t What It Claims To Be

Posted By Debbie on September 20, 2017

2FA. Everybody says use it. Lots of sites will set it up so that if someone tries to log in or do “forgot password” you get a text or some other secondary way to confirm it’s really you.

Someone I know left her husband. He was not being so nice. He was somehow logging into her Facebook, she wasn’t sure how. And doing some uncool things while logged into Facebook as her. So I worked with her on telling Facebook to clear all other logins, take his phone number out, put her new one in (she had to change her number because of him), change her password, use 2FA to text her, etc…

We did the same with Google for her Gmail and Google login. Cleared previous logins, set up 2FA, change password. I was pretty confident we had gotten rid of him.

She texted me the next morning. He was back in everything and had changed the passwords to Facebook and her Google/Gmail so she couldn’t get in. 2FA hadn’t happened for either account. Neither texted her to say someone was trying to log in or change the passwords. Both Facebook and Google let him change her passwords.

How did this happen?

She realised that he had her previous phone, which had been logged in to these apps and systems. You might say OK, that’s obvious. The phone was logged in. He goes into the phone, he gets into her apps and email. But that phone isn’t activated anymore so it wouldn’t use her phone number, especially the phone number she changed days ago because of leaving him. That phone is 2+ years old.

BUT we set up 2FA. 2FA is specifically designed for situations like these. You’ve gone in, changed your password, and cleared logins… should someone with your (old, deactivated) phone be able to get into everything without doing the 2FA?

I spent the next day depressed lying in bed, angry at 2FA and some pretty shitty UX. Sorry to swear but I was mad. How many frightened people is 2FA not helping? How many of those people continue to be hacked, harassed, hurt because these systems aren’t working?

I can’t say hey Facebook stinks, look at what happened, because it happened with her Gmail/Google also. It makes me think something about the way companies are implementing 2FA is heavily flawed. If I change my password, log out of all accounts, etc… 2FA should protect me. And it freaking doesn’t, does it.

What if someone had my current phone?

Here’s a use case for you. You somehow have my current phone and you somehow know how to unlock it. I have no unlock code or it’s obvious or you know me and you guessed it or you’re my ex and you saw me type it in 4000 times. You have my phone. Let’s say someone who shouldn’t have my phone has it.

How does 2FA help when my CURRENT phone is in the wrong hands? If you text me a code, the jerk with my phone now has that text! He or she has the code! Email me a code, well my phone picks up email.

Desktop vs Mobile

Last week, Facebook decided someone might be trying to log into my account (because I rebooted my router and my IP address showed up as a different neighbourhood around here). It logs me out of desktop Facebook but interestingly I was still logged into the mobile app.

In fact, it wanted me to go into the mobile app to get a 2FA code for desktop. Well sure, my phone is still logged in to the app, here’s your code. And if that phone were in the wrong hands… there’s the code!

In reality, if you are going to log me out of desktop Facebook because you think I’m being hacked or compromised, then you log me out of mobile web Facebook and you log me out of mobile app Facebook. Period. Otherwise, you have not saved or helped me AND you may have made it really easy for the wrong person to breeze through the two-step authentication.

What is the only thing that would have worked in this case?

I think the only thing that would have worked would have been to remote wipe her old phone, the one the ex somehow got. In reality, he didn’t know her passwords. But since he had a phone that was logged into these apps, the apps gave him the power to change settings, undo 2FA, change the password, etc… If we had remote wiped the phone, he would have been locked out from harassing her by logging into stuff as her.
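To make the mechanism concrete, here is an added toy model of what went wrong (this is not code from the post, nor Facebook’s or Google’s; the `Account` class, the `strict` switch and the `clear_other_logins` name are my assumptions). Each session or app token remembers the password version it was issued under; in lenient mode “log out everywhere” skips app tokens and a password change leaves old tokens alive, which is enough for the old phone to change the password without ever touching 2FA at login. In strict mode the password change bumps the version, so every token issued before it is dead.

```python
class Account:
    """Sessions keyed by (client_kind, id) -> credential version at issue."""

    def __init__(self, password, strict):
        self.password = password
        self.credential_version = 1  # bumped on every password change (strict)
        self.sessions = {}           # ("web"|"app", id) -> version issued under
        self.strict = strict         # False reproduces the behaviour in the post

    def login(self, key, password):
        if password != self.password:
            return False
        self.sessions[key] = self.credential_version
        return True

    def is_valid(self, key):
        issued = self.sessions.get(key)
        if issued is None:
            return False
        # Strict: a token issued under an older password is dead.
        return not self.strict or issued == self.credential_version

    def clear_other_logins(self, key):
        """'Log out of all other devices'. Lenient: only web sessions go and the
        app token on the old phone survives; strict: everything else goes."""
        self.sessions = {k: v for k, v in self.sessions.items()
                         if k == key or (not self.strict and k[0] == "app")}

    def change_password(self, key, new_password):
        if not self.is_valid(key):
            return False
        self.password = new_password
        if self.strict:
            self.credential_version += 1  # every other token is now dead
            self.sessions[key] = self.credential_version
        return True


def replay_story(strict, clear_logins=True):
    """True if the ex's still-logged-in old phone can take the account over."""
    acct = Account("hunter2", strict)          # constructed sample credentials
    old_phone, laptop = ("app", "old-phone"), ("web", "laptop")
    acct.login(old_phone, "hunter2")   # years ago; the ex later kept this phone
    acct.login(laptop, "hunter2")      # victim cleans house from a laptop
    if clear_logins:
        acct.clear_other_logins(laptop)
    acct.change_password(laptop, "new-secret")
    # Old phone: no password, no OTP, only the app token it already had.
    return acct.change_password(old_phone, "ex-owned")
```

With `strict=False` the old phone wins even after “clear other logins” and a password change; with `strict=True` it loses, and `clear_logins=False` shows the version bump alone is enough to kill the stale token.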

Moral of this story: 2FA isn’t what you think it is. And the best safeguard for when your phone is compromised is to enable remote wipe. Even an old phone that you think won’t get someone very far because you’ve changed passwords and set up security safeguards.

Google how to do that for your particular phone. Set that up. You might need it someday if the phone falls into the wrong hands.