Two-Factor Authentication Is a Mess
I wanted to enable 2FA everywhere. Looks like this is not that easy, because things are missing here and there.
Introduction
Recently I went through my existing accounts on the internet, because I wanted to change a few things on them. The few easy things I wanted to do were: changing passwords and emails, plus turning on 2FA everywhere it is possible. Password changing is seamless everywhere: a single input field and Enter to change your password. Emails aren’t that perfect, but okay. 2FA is a mess.
I thought these things were going to be painless. “The web has been here for a while, surely these are basic features,” I thought. Guess I wasn’t correct.
2FA
Two-Factor Authentication (2FA) is weirdly implemented on the web. I wanted to configure time-based one-time password (TOTP) based 2FA. The server gives you a unique secret, you enter it into an app, and the app starts generating new short codes at a fixed interval. From then on you can authenticate with those short codes.
No Option Like That
I can’t believe that there are platforms where 2FA is not a thing. For example, a company with a $28.62B net worth (I am talking about you, Spotify) can’t develop this simple thing? People pay for products/services, and they can’t even secure their accounts.
No TOTP Option
I like my TOTP based 2FA, I don’t want any SMS or email related thing. I believe implementing it is not a challenge.
I’m starting to think that TOTP should be the default 2FA method:
- You don’t need to receive anything (so you don’t have to wait for any third party)
- The secret is on your device only
- No internet connection is required to generate the code you have to enter; it works fully offline
Google’s Way
I can toggle on lots of types of 2FA, but I can’t change the default. I try to shift away from Google stuff as much as I can, because I value my privacy (more on that later, in future posts). The default is “Google notifications”, which is basically Google taking over my phone screen and asking me to tap “Yes” or “No”. As you could read above, I have been emphasizing the importance of TOTP - why can’t I use it here as the default?