<- back

2FA sucks


2FA sucks. But security is a bit of a paradox. One the one hand, you want to make sure only you have access to your accounts. But on the other, people tend to forget things and accidents happen, so sometimes you may lose access to an account and you want to recover it. Ideally, an account could be tied to your actual person (via biometrics or something like that). But then, you also don't want every company to have your data.

One thing I have experienced a few too many times, is losing my phone or my phone breaking, and losing access to my authenticator apps. In most cases, I was able to recover access to my accounts using SMS verification or recovery codes. But I still have a Blizzard account that I have been unable to access for years.

While 2FA over SMS has saved me numerous times, it's not secure and every recommends to disable it and only use authenticator apps (or keys, which we'll get to in a moment). I believe this is because it's relatively easy to redirect a mobile phone number. I would love to completely move away from SMS verification, but there is no good alternative for recovery.

Something I had been looking for was an authenticator app that syncs over the cloud so I don't lose access to my codes. I use Dashlane Authenticator and it does this. But this also makes me wonder what the whole point of 2FA is, in this case. If someone hacks my account, do they have access to my passwords and my 2FA codes?

I've also been reading a bit about security keys lately. I like the idea because you don't have to mess with codes and you don't have to use biometrics. But carrying a USB everywhere sounds kinda stupid. And I would need one that supports USB-A, USB-C, and lightning. And I am not even sure how many apps/websites actually support keys? The first time I ever saw an option for it was on GitHub a few weeks ago.

I'm not quite sure what I will continue to use into the future, but 2FA is the bare minimum for security, so I am trying to activate it everywhere.