Mimsy Were the Borogoves

Security is hard, and 2FA is not the answer

Jerry Stratton, March 20, 2019

[Image: “Artist's conception of a proposed touchless fingerprint detector,” from DHS Science and Technology, “The Hard and Harder Sciences of Biometrics and Identity Management.”]

Another part of the problem is trying to take the human factor out of security. This image from Homeland Security, for example, turns an in-person security check into a remote one.

I’ve become a one-note-Cassandra about identity authentication, especially insecurity questions and their subset, out-of-wallet questions. I even tried to create an insecurity-questions tag on StackOverflow, adding the tag to several related questions in the hope of getting some outside-the-box thinking done. It failed, probably justifiably so—I’ve been on StackExchange for several years now, but really don’t understand how the system works.

Often, when this topic comes up, someone in the comments—or even the blog author—suggests two-factor authentication as the answer—even in this article at KrebsOnSecurity detailing the dangers of phone authentication. I have never done so. For one, it doesn’t even make sense. Taken literally, it’s a non-sequitur. Two-factor authentication means that the person needs to know both their password and have some other identifying factor, and insecurity questions are technically meant for when someone does not know their password.

The suggestion makes more sense, however, when you realize that the real problem is trust, and that 2FA inevitably devolves to ½FA at the drop of an appropriate sob story.

In many ways, despite the claims of incredible divides today, we trust far too much. Banks still hand out checks, meant to be given to third parties, that contain all of the information needed to drain checking accounts. Every time we write a check, we are implicitly trusting that the person we give the check to, as well as everyone in the chain of handling the check, on down to the people who trash it or shred it, can be trusted with full access to our money. And don’t think you’re above the problem because you don’t write checks; the information that matters is the information you give to every system that offers to put money into your checking account. The same information that puts money into your account can take money out of your account.

When you enter that information into PayPal, or Amazon, or whatever other service gives you money, you’re adding not just everyone in the chain of handling the information, as with a check, but also everyone who programmed their database systems.¹

We trust that only the account owner will attempt to bypass not knowing the password to their account, despite mountains of evidence otherwise.

We trust that fingerprints aren’t 3-D printed, that eyeballs aren’t photographs from the Internet.

We trust the return addresses on the letters we receive. We trust that if we get an email from an email address, it was sent by the owner of that address. And we trust that if we get a phone call from a phone number, it is coming from that phone number. We trust that if we get a request for proof of identity after sending a verification code, that it’s a valid request.

This is why social engineering attacks are so often successful. And the problem with 2FA is that it pretty much always devolves to the two things being (a) the password and (b) your cell phone; so when someone calls a service using “your” cell phone and says they’ve forgotten their password, this only reinforces that “you” should be trusted.

Cell phones themselves are hardly secure, and phone numbers are even less so. Phone numbers are so insecure that some companies make legitimate businesses out of hacking them. Google Voice, for example. If you have a Google Voice number, and someone calls you using that number, they’re not calling you. They’re calling Google. Google passes it on to you, from a Google call center. But you still see the original caller’s number on your phone, because Google is pretending to be that number. This is not some special trick that Google invented. It’s how the phone system works.

This goes way further than just someone pretending to be your phone while talking to your service provider. The hacker can also pretend to be your service provider’s phone while talking to you. Two-factor authentication trains us to trust incoming messages, something that in the email domain we are warned against all the time, for the simple reason that email addresses are easily faked. But so are phone numbers.

This is not easily solvable, because pretty much any multi-factor authentication we can think of will handle the multiple factors on the portable computers that we carry with us at all times—that is, our cell phones.

The promise of two-factor authentication was that it would improve security by requiring two factors for accessing services: a thing that we know (a password) and a thing that we have (a phone²). But if it’s going to devolve, as it seems it will, into a thing that we know or a thing that we have, and that thing we have is easily stolen or easily faked, 2FA isn’t an improvement. It becomes part of the problem.

More and more, I think that in our current environment a good password is still the best of several bad answers. At least with a password, I am in control of what the authentication is.

I think one of the biggest problems, if not the biggest problem, with how we look at security today is that we blame it on the end user. So often, our understanding of social engineering is that it’s the user’s fault. But social engineering works best when applied against the service. The service, after all, does not know who you are, and so is open to being fooled.

The top-rated answer on this StackExchange question gets so many things wrong it’s hard to know where to start.³ The more complicated a system is, the easier it becomes for attackers. Why? Because the people using the system and the people managing the system are more likely to make a mistake. The more mistakes, the more potential attack vectors for attackers to bypass or break security. Further, complicated systems train the service’s support employees—who are already probably trained to make the caller happy—to accept that the system will need to be bypassed regularly. This helps those attackers who use social engineering rather than, or in addition to, programming to break in.

Multi-factor authentication seems to me to be part of a trend toward more complicated systems. If it were truly “you need your password and you need your phone”, it could improve security (at the expense of a whole lot of people locked out of their accounts). But there seems no way to ensure that 2FA/MFA doesn’t end up becoming “you need one or the other”. Despite the good intentions of those who created it, its effect is to make good security harder for the end-user to maintain and easier for the attacker to bypass.
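The “and” becoming “or” can be made concrete by modelling an account as the set of paths that open it: login is one path, password reset is another, phone support a third. Since any path suffices, the account is only as strong as its weakest path. The model below is an added example, not code from the original post; the path names and factor names are constructed for illustration and do not describe any real service.

```python
# Access paths for a hypothetical account. Each path is a conjunction: every
# factor listed must be presented. The account opens if ANY path is satisfied,
# so the paths together form an OR of ANDs. Names are constructed for this
# example; they are not any real service's flows.
ACCOUNT_PATHS = {
    "login":           {"password", "sms_code"},   # the advertised "2FA"
    "forgot_password": {"sms_code"},               # reset link sent to the phone
    "phone_support":   {"security_answers"},       # rep checks insecurity questions
}

# Same account with every recovery path required to be as strong as login.
HARDENED_PATHS = {
    "login":           {"password", "sms_code"},
    "forgot_password": {"sms_code", "email_link"},
    "phone_support":   {"security_answers", "sms_code"},
}

def effective_factor_count(paths):
    """Fewest factors that unlock the account by some path.

    This is the number that matters to an attacker, and adding a path can only
    lower it. For ACCOUNT_PATHS it is 1 even though login demands 2."""
    return min(len(factors) for factors in paths.values())

def open_paths(paths, held):
    """Paths that open for someone holding exactly the factors in `held`."""
    held = set(held)
    return sorted(name for name, factors in paths.items() if factors <= held)

def minimal_unlock_sets(paths):
    """Factor sets that unlock the account and cannot be shrunk further.

    A path whose factors are a superset of another path's is dropped: its extra
    factors buy nothing, because the smaller path is always available."""
    sets = {frozenset(f) for f in paths.values()}
    return {s for s in sets if not any(other < s for other in sets)}

def audit(paths):
    """Human-readable summary of where the account's real strength sits."""
    weakest = effective_factor_count(paths)
    lines = [f"effective factors required: {weakest}"]
    for name, factors in paths.items():
        tag = "WEAKEST" if len(factors) == weakest else ""
        lines.append(f"  {name:16} needs {sorted(factors)} {tag}".rstrip())
    return "\n".join(lines)

if __name__ == "__main__":
    print(audit(ACCOUNT_PATHS))
    print(audit(HARDENED_PATHS))
```

Run it and the first audit reports that the “2FA” login path is dominated: holding only the SMS code opens the account through the reset path, so the effective factor count is one. The hardened variant keeps the count at two only because every recovery path, including the support desk, demands as many independent factors as login does.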

In response to Security questions will always be insecure: Insecurity questions are insecure because their purpose is to allow access to someone who does not know the access credentials. This trait is shared by zero or one person who has forgotten their password, and an infinitude of people who never knew it in the first place—because they shouldn’t have access.

  1. Anecdotally, I just tried to do a search on whether payment services hash checking account numbers; do a search on whether services hash passwords and you’ll find all sorts of discussion about it. Checking account numbers? Bank account numbers? I can’t see anything.

  2. Technically, “something you have” is often replaced with “something you are”, such as fingerprints, retinal scans, and so forth. But because “something you are” has to be translated remotely, it is also going to be “something you have”. And that something you have that takes your fingerprint or your retinal scan is likely to be your phone.

    I’m going to repeat this because it’s so important: in the modern world of mobile computing, “something you are” is exactly the same as “something you have”. Treating the two differently will enable successful attacks.

  3. In their defense, this was written nearly eight years ago, when 2FA was still a shiny new object.