This is going to be a controversial opinion. I’ve written a lot about website security on NameHero, and best practices for both shared and VPS hosting. So you might think that one of the first things I do is to enable two-factor authentication or 2FA wherever I can. NameHero itself offers the ability to enable 2FA – here’s a tutorial on getting 2FA to work. However, even though I’ve been tempted by the idea of 2FA and have explored many different ways to get it to work, I’ve never fully bought into the idea. Something has always held me back. I do use 2FA in a sort of modified form with my password manager, but it doesn’t go all the way.
2FA Always Assumes Best Circumstances
My nightmare scenario with 2FA is the following. I’m traveling abroad and I get robbed. I lose my phone, and my wallet. I desperately need to log in to important accounts like my bank, my e-mail, etc. But because I’ve lost everything, I no longer have my second 2FA device with me! I’ve lost the backup codes they give you in case of emergencies. I’m stuck. Badly.
Of course, there are many other secondary scenarios, which while not quite as bad, can be pretty inconvenient. I lose my other form of 2FA, and it takes weeks to re-enable access to my account. Apple is notorious for this. And in some situations, you simply lose your entire account, including all the stuff you purchased with them.
The problem with 2FA is that it doesn’t prepare you for the worst. It assumes you’re comfortably ensconced in your daily environment, with your systems set up alongside you with ready access to your backup codes and a secure Internet connection. And while this is true most of the time, if the worst scenario ever does come to pass, the consequences can be potentially ruinous.
Consequences for a Website
For a website, the outcome can be dire. Luckily, if you already have SSH access set up, you can log in that way and disable 2FA. But if you haven’t gotten around to setting that up yet, the situation can get very messy. You have to hope that your hosting provider will be able to intercede in some manner. It’s a scary situation!
SMS is Unreliable and Insecure
To make matters worse, the most common form of 2FA is still SMS. Let’s leave aside the fact that you might lose access to your phone, and hence won’t be able to receive the code. The problem is that SMS itself is unencrypted! That means it’s available for anyone who can access the line to intercept the authentication code. No less a website than Reddit was once hacked because they relied on 2FA via SMS. If it can happen to them, it can happen to you.
A Strong Password is Your Best Defense
I’m a big fan of creating high-entropy passwords in conjunction with a password manager. These are practically impossible to crack, and if the password manager fills your password into web forms automatically, there’s no danger from accidentally landing on a phishing page, because the password manager will notice that the domain name doesn’t match the one the password was saved for and won’t fill it in.
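To make that phishing point concrete, here is an added example (not NameHero’s code, nor that of any real password manager) of the origin check a manager applies before autofilling a saved credential; the vault entry, domains and URLs are constructed for illustration.

```python
# Added example: the origin check a password manager performs before autofill.
# A credential is stored against the exact scheme + host it was saved on; a
# login form on any other origin, including look-alike domains, gets nothing.
from typing import Optional
from urllib.parse import urlsplit

# Constructed vault entry: credential saved while logging in at the real site.
VAULT = {"https://www.example.com": {"user": "alice", "password": "hunter2-but-longer"}}


def normalize_origin(url: str) -> Optional[str]:
    """Return 'https://host' (lower-cased, IDNA-encoded) or None if unusable."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None  # never fill a password into a non-HTTPS page
    # IDNA-encode so a Unicode homograph cannot masquerade as the ASCII host.
    host = parts.hostname.encode("idna").decode("ascii").rstrip(".")
    return f"https://{host}"


def autofill_for(url: str) -> Optional[dict]:
    """Return the saved credential only when the page origin matches exactly."""
    origin = normalize_origin(url)
    if origin is None:
        return None
    return VAULT.get(origin)


if __name__ == "__main__":
    for page in [
        "https://www.example.com/login",            # the real site
        "https://www.examp1e.com/login",            # digit-for-letter look-alike
        "https://www.example.com.evil.test/login",  # real name used as a subdomain
        "https://www.exаmple.com/login",            # Cyrillic 'а' homograph
        "http://www.example.com/login",             # downgraded to plain HTTP
    ]:
        print(page, "->", "fill" if autofill_for(page) else "no autofill")
```

The protection applies only to autofill: a password copied by hand out of the manager into a look-alike page goes through no such check.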
Ultimately, the only thing you have with you at all times is your mind. And your password is stored inside it. Someone can rob you and strip you of all your belongings, but as long as your mind is functional, you will always be able to access important stuff. 2FA brings another layer of security that relies on something you have instead of something you know. The problem is that something you have can always be taken away from you.
And that scares me.
I’m a NameHero team member, and an expert on WordPress and web hosting. I’ve been in this industry since 2008. I’ve also developed apps on Android and have written extensive tutorials on managing Linux servers. You can contact me on my website WP-Tweaks.com!