
2FA freaks me out. It means I'll be locked out of all my key accounts and services if ever my phone breaks or gets lost. Probably right when I need these services most.



I appreciate the security of 2FA, but I don't like the liability and I don't like being required to have my phone at all times. Just one of my gripes with the world.

My biggest problem with 2FA that relies on a phone is that I can lose my phone. If I do, the system can then do one of two things:

a) it locks me out forever. I'm screwed.

b) it has a way to reset my auth. Meaning an attacker doesn't actually need my phone.

So getting the phone involved is either a huge risk or a pointless feel-good factor that can be bypassed. Either way, I'm not on board.


Yeah, I hate 2FA. I disable it on everything since I do not want to carry a phone just to log in to any single service.

I think 2FA is generally bad practice and quite sad it is ubiquitous in e.g. banking and people try to shove it everywhere. It is analogous to password rules, 8-14 characters, numbers, capital letters and other signs. Yet it is very rare you can use a 40+ character passphrase. It gives a false sense of added security, while being annoying at the same time imo. It is very common, for me at least, not to have access to my phone all the time, because I left it at home, in the car etc. Not to mention if you lose it (or someone steals it) you have a huge pita to deal with.

If you have 2FA and lose all your 2FA methods, and didn’t preplan by making a recovery key and storing it in a safe place you can find again… you can be screwed. It’s not a blacklist, but the net result is the same.

I’m terrified of losing access to all my stuff because of forced 2FA I never signed up for. I get that it’s more secure, but it can be secure to the point of having unrecoverable data. All it would take is someone carelessly deciding to get a new phone number. I have a friend who recently talked about wanting to get a new number with his new phone. I asked about 2FA and he seemed to have no knowledge of it and said he didn’t have anything like that. He kept his number, but if he didn’t, I could see him easily getting locked out of his Apple account (which he has), and his bank.


2FA is becoming a huge problem.

One day, I unintentionally left my phone home. At work I was unable to log into my Google account without my phone.

What a clusterf**k.

(And I never opted for 2FA. It was forced on me by Google).


However 2FA. They're making it hard to not have a phone

The worst for me is how the 2FA requires me to use my personal phone. That phone is filled to the brim with notifications from apps and games that were designed to be addictive. I avoid logging into anything because I know it will ruin my day.

Before the era of mandatory 2FA the first thing I did when I arrived at the office was turn off my phone and lock it away.


Thank you. As a user only, 2FA at work sucks. I get locked out multiple times a day, I have to constantly have my phone on me, and I have had a few days where I can't get in for funky reasons, and now the service provider is forbidden from helping me. I get it might be more secure (I still hear about security breaches every couple of months), but it is a horrible experience. I use 2FA personally, but in the B2B space there is seemingly no consideration for the user.

I totally agree. At the same time, my phone has ~15 2FA accounts right now.

If I lose my phone, I can't access any of them. If I change my phone, it will take me hours and hours to change every single one of those accounts.

There must be a middle ground between those two.


2fa isn’t as useful as people had thought it would be and actually causes more problems for people like me with secure passwords.

Probability of having my 24 alphanumeric university alum account pw hacked:

|

Probability of me losing/destroying my phone/not remembering the right 2FA app/having DUO mobile fail: ||||||||||||||||||||||||||


2FA is a step backwards, at least in the way most services implement it where you totally depend on a phone (I know there are other ways to do 2FA).

I know that passwords are insecure (or at least, most people's passwords are) but I'd rather have that than tying all my identity to a phone.

Since I started using the internet in the 90s I haven't ever had any password-related incident that I know of. Now I have a constant fear of my phone being lost or stolen. I do have an export of the authenticator files, but what if it fails, or if the phone thief starts doing bad stuff since some services are going so crazy with 2FA that they relax the rest of their security? (I have seen Yahoo mail sometimes not asking for password at all, just some SMS code).

I only use 2FA where it's mandatory (unfortunately, more and more services) and I wish it were forbidden to make it mandatory, at least in this form where you totally depend on a phone.


It always struck me that 2FA is a corporate suicide pact. Some percentage of users are going to lose their keys per year so your user base is going to decay like a radioactive element.

I think the real issue is phone based account recovery rather than 2FA. It effectively turns 2FA into 1FA.

Don't use your phone as a 2FA then?

I used to be quite annoyed with 2FA (although I understood the value)... and was particularly annoyed when one of my banks made 2FA mandatory.

Begrudgingly schlepping myself to the other room to locate my phone and get a texted code...

But, after receiving 3 different password reset emails in a short period for different services, I decided to enable 2FA for everything that supports it, where possible choosing time-based 2FA instead of texted codes (just in case I lose my phone or something).

With the right mindset (and paranoia), I'm coming around to viewing this inconvenience as necessary, and wish more services supported it.


2FA has screwed me over in multiple instances over the years across different services.

Realizing one weekend away that I forgot to do a quiz for a uni course, trying to login to the course website on my phone and then remembering my hardware key is at home in my laptop.

Being forced to add a phone number to secure accounts I could not give less of a shit about but have to use for one reason or another, coming back months later to login, and realizing it's an old number and I'm locked out.

Emailing support in those cases and them just removing the phone number or changing it without any additional proof making the 2FA utterly useless.

Or emailing support and them asking me to send some drivers license or ID, then politely telling them to just delete my account because they never had that much info about me anyway.

2FA is a scourge. Just let me worry about my own security, if I care about your service, I won't make my password "asdfghjkl". In 99% of cases, that is fine and I have never had an issue.


2FA makes it easier, not harder, to lose access to your account though.

It drives me nuts that 2FA is being expected by companies, and yet they're not providing employees with a phone. If you do want me to use 2FA, provide me with a device I can do it from. I do not use my personal devices for work.