OT: New Two-Factor Authentication schemes


smontanaro
11-02-2017, 06:46 AM
I use two-factor authentication (2FA) everywhere I can. In response to entering a username and password (something you know), you are queried for something you have as well. There are many ways to do this:


- Most systems send an SMS to you with a four-to-six digit code. This has recently been deemed problematic, as a black hat can social engineer his way into getting your cell provider to reassign your number to his phone. Even if you aren't compromised, it seems risky to get a 2FA SMS on your phone from PayPal when you're attempting to access your PP account on your phone!
- RSA key FOBs (as above, but it generates a code unique to your account information).
- Special apps, like Google's Authenticator or Okta Verify. Yahoo's common mobile apps seem to now have a built-in module which serves the same purpose.


Where I can, I'm moving away from SMS verification to the others, which certainly appear to be safer. Today though, I read in the NY Times (https://www.nytimes.com/2017/10/25/technology/personaltech/google-keys-advanced-protection-program.html) about a new physical key system from Google which uses FIDO, a standard protocol for such things. This is apparently meant for people who are at heightened risk of digital intrusion. How is this any better than other physical keys or special authentication apps?

MattTuck
11-02-2017, 06:52 AM
Not sure, but I just read an article the other day about another approach that asks users to take a photograph of a personal item, as a form of authentication. Kind of an interesting idea, I think it had pretty good results.

Article here. (https://arxiv.org/pdf/1710.07727.pdf)

Pretty much, I think we're moving to a world where nothing is truly secure. So, expect to have your data breached. The best 2FA system is worthless if the vendor itself gets compromised.

benb
11-02-2017, 09:35 AM
IF the Vendor gets compromised and the attacker can capture enough to break the 2FA then there is no way that system was "the best".

If it's properly implemented the attackers can steal the databases and not be able to decode them in their lifetimes.

A lot of these high profile attacks/breaches have to do with applications that are built vastly below that standard of security.

Everyone should be using these, even if they are imperfect they are far better than a single factor system.

The real problem is our data is getting spread out so much and is getting collected by so many without even asking permission, it's inevitable someone is being irresponsible with the data. (e.g. Equifax)

MattTuck
11-02-2017, 10:12 AM
> IF the Vendor gets compromised and the attacker can capture enough to break the 2FA then there is no way that system was "the best".
>
> If it's properly implemented the attackers can steal the databases and not be able to decode them in their lifetimes.
>
> A lot of these high profile attacks/breaches have to do with applications that are built vastly below that standard of security.
>
> Everyone should be using these, even if they are imperfect they are far better than a single factor system.
>
> The real problem is our data is getting spread out so much and is getting collected by so many without even asking permission, it's inevitable someone is being irresponsible with the data. (e.g. Equifax)

Agreed. I re-read my post and it sounded like I was being dismissive of 2FA. Not the case. It is better than single factor, but is not a panacea. As the OP noted, social engineering to get phone numbers changed is a risk. And, the rate and scope of recent data breaches make it obvious that most organizations are not using the latest and greatest security measures to protect the data they do have.

Although I'm not the biggest fan of trial lawyers, I think it might make sense to have some sort of legal standard for duty of care with a person's data, the same way that doctors do with a patient's care. I'm not sure what else is going to solve this culture of lax security.

cribbit
11-02-2017, 05:12 PM
My work gives us a little NFC/USB/BLE keyfob that is our 2FA. I'm working on a system to use its NFC code to have electronic locks at home. Small, lightweight, impossible to hack (though possible to pickpocket).

MikeD
11-02-2017, 05:50 PM
I tried 2FA some time ago with Gmail using Google Authenticator. It worked for a while then it frustratingly wouldn't take the generated code. Big failing in my opinion and I removed 2FA from Gmail.