Two-Factor Authentication (or 2FA) has been a hot topic of discussion for a while. At USyd in particular, our own authenticator app, Okta Verify, grows increasingly painful with every required code. The idea of 2FA is credible enough. After all, it is used to secure personal online information. It works alongside passwords as a second layer of protection, often through apps or text messages. There’s a catch, though — a contradiction embedded within the entire framework of 2FA. Why am I having to authenticate my authenticity to inauthentic, technological authenticators? It is deeply ironic.
Technology’s initial purpose was to improve human life. It was designed to easily access and exchange ideas, information, culture, and art. Humans didn’t create technology and develop it to cause chaos, but rather to do the opposite. By digitising the world, the thought was always to simplify humanity and make life easier. I would argue, however, that 2FA is doing the opposite, making life harder instead.
2FA’s purpose is quite simple: in a world where passwords are less secure, and online impersonation is on the rise, there is a need for a second form of identity confirmation. Rather than relying solely on a password that could be hacked, or identity questions that could be forged or forgotten, 2FA was the solution sought to surpass these problems.
However, we all know that 2FA has caused more chaos than calm. Not only is it confusing for older generations, but it is restricting and counterintuitive for the younger ones as well. 2FA is required for everything nowadays — from accessing bank accounts, to university libraries, to even the Baker’s Delight App log-in. Like many grandchildren, I often get tasked with helping to access iCloud accounts and syncing photos onto the Drive. I see, firsthand, the frustration at log-in, where some online forum demands a code, an app, a tap, or a phone call. This idea of ‘security’ is just an obstacle demanding patience. 2FA doesn’t provide security but rather friction. It is used simply because it is cheap and easy. Companies don’t want to invest time or energy to help their consumers. It all boils down, like everything, to capitalism. If companies can avoid security breaches and ensure money is invested for profit and gain, rather than convenience, they are happy. Companies, especially larger corporations, do not care about consumer satisfaction, and universities are the same. If USyd can protect its student privacy and save money doing it, that is all that truly matters. It is their calm within students’ own chaos. There is no idea here on how best to serve students or consumers. There is no possibility of looking towards different ways to protect. It’s all under the same guise. 2FA is the ‘only’ way.
The inherent contradiction within 2FA lies in its whole premise. There is a reliance on technology to authenticate authenticity. With the uprising of Artificial Intelligence (AI) and the fears around humanity’s future, requiring technology to prove identity seems to be taking another leap forward towards complete digitalisation, moving away from individualism and towards a digitalisation that is putting authenticity at real risk.
2FA is also increasingly exploited by what the media calls ‘fatigue attacks’, where citizens get continually bombarded with verification requests while hackers try to access their private accounts and information. After multiple push notifications, the hope is that the user ultimately succumbs to one of them, verifying the request and giving the hacker access. This isn’t the user’s fault, though it represents the adaptation to a system meant to protect the user. Technology isn’t improving anyone’s life here; it is creating chaos.
Is there, and will there ever be, a way to make 2FA both useful and usable? I am not sure. 2FA needs to completely rebrand and reimagine itself away from the need for technological requirements. Codes, taps, and apps are not the way to provide security.
As technology further develops and moves into an era of online living, there needs to be a different way to authenticate yourself.
There have been ideas thrown around as suitable alternatives, many of which are used in today’s era: ideas like facial recognition, fingerprint identity confirmation, and passkeys. None of these are as widely used as 2FA. Reasons for this include, as said before, money and care. These ideas require more effort and more economic backing. To ensure everyone has access to devices that recognise faces and fingerprints is idealistic, and lacks recognition of upper-class privilege. The most credible solution would be passkeys, which the iCloud system employs in some sense and in some areas, but not consistently. Often, in order to access the passkey system, you have to authenticate yourself via 2FA, once again contradicting the very aim of the passkey system itself.
So, as I struggle to find a solution that moves away from 2FA, there is the main point embedded within it — 2FA is ironic, contradictory, and unusable for large proportions of the population. New solutions need to be created in order to protect and enable digital users.