The 2FA Scam

Leave it to grubby, disgusting, greedy companies to use something to fuck people over more. Anyone who uses mobile or desktop information appliances to visit various web sites to conduct business will notice that there has been a pretty major sea change over the past few years. Companies are stepping up two-factor authentication (2FA). When you log in to your bank they will send you a “one time pass code” (OTP) to a mobile phone number.

This is “two factor” because, in addition to the username and password that you’re using to log on to your bank, you now have a second “factor” – the one-time password.

Certainly two-factor authentication increases security, and increased security – meaning less crime, etc. – is good. However, there is also a dark side to it.

Here is an example. I used to be able to log on to my mobile provider’s site to not just view and pay bills, but to actually manage my devices and plans. I could actually switch the mobile device associated with a mobile number, and change features of plans. How convenient!

But then the company required 2FA to be able to log on. OK you think, that’s a good thing. It helps protect your account from unauthorized login. Yes, except their 2FA sends the OTP to your mobile phone. Nothing wrong with that, you think. How convenient! The code comes straight to your phone.

But what if your phone was lost or damaged? What if you can’t access your phone to be able to complete the 2FA process? You’re fucked.

And the mobile company knows you’re fucked. And the only way you can get anything done to your service now – such as switch to a new phone – is to go into a store and pay a minimum $25 service fee.

This whole process breaks down because the company is requiring 2FA ostensibly for security, but only allows the OTP to be sent through their own on-device app.

Essentially banks and many other sites are doing the same thing by forcing the OTP to be sent out only to the user’s mobile device. They don’t allow the OTP to be sent out to any other authenticator of the user’s choosing. And there should be a law that every company that forces 2FA, or even provides it as an option, must allow it to work with any 3rd-party authenticator of the user’s choosing.

As one example, there’s an excellent, open-source 2FA app called Aegis that is capable of providing OTPs for as many sites as you register with it. Yet of all the sites that I’ve used over the last several years that either recommend and provide 2FA or require 2FA, only a tiny handful actually work with 3rd party 2FA auth apps like Aegis.

As a consumer you have a basic right to access your account. When you conduct business with a company online, among the various other rights that you have that pertain to online activities, one of the rights must be the right to authenticate in the manner of your own choosing. Otherwise companies are free to exploit this, resulting in inconvenience at the least or being ripped off at the worst.

Just as there are laws that pertain to accessing a physical facility of a business, there should be a law regarding accessing virtual facilities, requiring that they actually be accessible and open.

I know most politicians are too retarded to even understand why this should be a basic right, and most are bribed by the same companies they’re supposed to regulate, but I wanted to write about it anyhow because it should be.