The Tyranny of Two-Factor Authentication: A Semi-Satirical Screed

Editor’s note: All opinion pieces published in the Clerk represent only the views and ideas of the author. 

In an effort to distract myself from the pandemic ravaging the world’s population, I want to take a moment to rant about the shoddy design of the two-factor authentication program the powers that be at Haverford foisted upon students, faculty, and staff the fall before last. In theory, two-factor authentication (which I will hereafter refer to as 2FA to save both typing time and page space) ensures the security of your accounts by requiring you to confirm your identity in addition to entering your usual username and password. Like communism, it sounds great on paper, but like communism (at least according to the historical record), it fails spectacularly in practice*. Not only is it a massive waste of time (I shudder to think how many minutes of my life I’ve wasted logging into my phone, pulling up the Duo app, and tapping on the little checkmark icon that pops up), but it fails to plan for the loss, theft, or destruction of your phone, the latter of which was what inspired this diatribe in the first place. 

Three Saturdays ago, I was taking advantage of the spring weather by kayaking with my dad and brothers off the local beach when my puppy, a nine-and-a-half-week-old border collie named George after a character in the Thomas Hardy novel “Far From the Madding Crowd,” took it upon himself to spring out of the cockpit into the water below. Being young, he couldn’t swim very well, and his head went under twice before I hurled myself after him in a heroic effort to prevent him from drowning. My phone, which had been tucked into the pocket of my life jacket, sadly did not survive the plunge. Though drastic measures were taken—immersing it overnight in rice, zipping it into a Ziplock bag with only an ounce of tap water and a teaspoon of baking soda for company, soaking it in 99% isopropyl alcohol (owing to the closure of all Apple stores in the continental U.S., I could not take it to the experts)—it never turned back on. 

Still mourning the loss of my phone, which had served me faithfully for three and a half years, I tried to log into Moodle the next day to write a post for my English class, only to be confronted by the notorious triad of authentication options: “Send Me a Push,” “Call Me,” and “Enter a Passcode.” 

Oh, no, I thought, recalling, dimly, that I had forgotten to hit “Remember Me for Seven Days” the last time I logged in. 

I emailed the IITS ProDesk, and a very accommodating woman named Lauren told me that Haverford policy prohibited her from waiving the 2FA requirement because it would create a “hole in security” that could affect the entire community. What she could do, she said, was create a temporary bypass code for me to use until I bought a new phone; all I would need to do was call in to retrieve it. After enduring five or so minutes of elevator music, I was relayed a lengthy string of numbers and sent on my proverbial way. A more-or-less quick fix, but not a great one. 

At the heart of 2FA systems such as Duo is the double whammy (no pun intended) of classism and poor planning. As many before me have pointed out, you are more likely to misplace your phone in your house, leave it at the doctor’s office or grocery store, or drop it into the toilet bowl than be hacked by some malicious third party led by a Nigerian prince. Duo’s design, however, does not take any of these eventualities into account. And assuming you are a college student, how on earth are you supposed to check your email, post on Moodle, print out papers, and do any of the other things classes require of you if you can’t afford a smartphone (or any phone at all) to misplace, leave behind, or drop? (You are, I suppose, to be sacrificed on the altar of account security—or, from another perspective, administrative paranoia). But the point I’m getting at is this: for the non-tech-savvy, socioeconomically disadvantaged, or simply unlucky among us, 2FA is a headache of Minerva-being-born-from-Zeus’s-skull-epic proportions. 

More than that, it has a catch-22 baked into its basic design. When I tried to register another device following my failed login attempt, I was informed that this action, too, required authentication from a secondary source—a stipulation that is maddeningly oblivious to the fact that if you are attempting to register another device in the first place, it’s most likely because the one you normally use is out of commission. Such situations could be easily avoided if the software engineers behind Duo and other 2FA apps instated a set of security questions, of the banal “What street did you grow up on?” or “What was the name of your first pet?” variety, as a fallback means of confirming your identity. In failing to plan for extenuating circumstances (such as, I don’t know, your dog falling overboard) as well as making the obnoxious assumption that everyone not only has a phone but also a relatively sophisticated one, Duo reveals itself to be a privilege-blind and poorly designed piece of technology not worthy of entry into the ivory towers of American academia (or anywhere else). 
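The two mechanisms the column describes, the temporary bypass code the ProDesk issued over the phone and the device re-enrollment step that itself demands a second factor, can be sketched in code to show how a help-desk fallback works without leaving a permanent "hole in security." The following is an added Python example written for this page; it is not Duo's code, and the class names, the one-hour code lifetime, the 12-digit code length and the five-attempt limit are assumptions chosen for illustration. The code is stored only as a hash, expires, is single-use, and counts as the second factor when registering a replacement phone, which is what resolves the catch-22 in the paragraph above.

```python
import hashlib
import hmac
import secrets
import time

# Assumptions for this example (not stated in the article).
CODE_TTL_SECONDS = 3600   # a bypass code lives for one hour
CODE_DIGITS = 12          # length of the numeric code read out by the help desk
MAX_ATTEMPTS = 5          # wrong guesses allowed before the code is voided


class BypassCodeStore:
    """Issues and redeems temporary bypass codes.

    Only a hash of each code is kept, bound to the user it was issued for,
    so a leaked table does not yield usable codes and a code cannot be
    replayed against a different account.
    """

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so tests can simulate expiry
        self._records = {}       # user -> {"hash", "expires_at", "used", "attempts"}
        self.audit_log = []      # (event, user, ...) entries for the help desk

    @staticmethod
    def _digest(user, code):
        return hashlib.sha256(f"{user}:{code}".encode()).hexdigest()

    def issue(self, user, issued_by, ttl=CODE_TTL_SECONDS):
        """Create a fresh code for `user`; any earlier code is replaced."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._records[user] = {
            "hash": self._digest(user, code),
            "expires_at": self._clock() + ttl,
            "used": False,
            "attempts": 0,
        }
        self.audit_log.append(("issued", user, issued_by, self._clock()))
        return code   # returned once to the issuer; never stored in clear

    def redeem(self, user, code):
        """Return True exactly once for a correct, unexpired, unused code."""
        rec = self._records.get(user)
        if rec is None or rec["used"] or self._clock() > rec["expires_at"]:
            return False
        if not hmac.compare_digest(rec["hash"], self._digest(user, code)):
            rec["attempts"] += 1
            if rec["attempts"] >= MAX_ATTEMPTS:
                rec["used"] = True   # void the code after repeated wrong guesses
            self.audit_log.append(("rejected", user, self._clock()))
            return False
        rec["used"] = True           # single use: the same code fails next time
        self.audit_log.append(("redeemed", user, self._clock()))
        return True


class DeviceRegistry:
    """Enrolling a new phone still requires a completed second factor, but a
    redeemed bypass code satisfies it, so a user with a dead phone can
    register its replacement."""

    def __init__(self):
        self._devices = {}   # user -> set of device identifiers

    def register(self, user, device_id, second_factor_ok):
        if not second_factor_ok:
            return False
        self._devices.setdefault(user, set()).add(device_id)
        return True

    def devices(self, user):
        return set(self._devices.get(user, ()))


def second_factor(store, user, push_approved=False, bypass_code=None):
    """True if a push was approved on an enrolled device or a valid bypass
    code was supplied; a missing or wrong code is not enough."""
    if push_approved:
        return True
    if bypass_code is not None:
        return store.redeem(user, bypass_code)
    return False


if __name__ == "__main__":
    # Constructed walk-through of the scenario in the column.
    store, registry = BypassCodeStore(), DeviceRegistry()
    code = store.issue("student", issued_by="prodesk")
    print("enroll without 2FA:", registry.register("student", "new-phone", False))
    ok = second_factor(store, "student", bypass_code=code)
    print("enroll with bypass code:", registry.register("student", "new-phone", ok))
    print("reuse same code:", store.redeem("student", code))
```

Because `issue` replaces any earlier record and `redeem` flips `used` on success, a code read out over the phone can be used for exactly one login or one enrollment, after which the replacement phone carries the second factor as before.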

*Die-hard Marxists of campus, come at me!