MFA on a smartphone

Multi-factor authentication (MFA, also called two-factor authentication or 2FA) makes access to things more secure. However, doing it from the same smartphone seems to be an afterthought.

First, if someone has the smartphone that is used to generate the code, receive the text, answer the phone call, or confirm the access, is MFA really doing its job? The whole point is to know the password and to have the separate device. When the app or website is accessed from that same smartphone, the separate device is eliminated. It seems implementers don’t consider this scenario. But it also seems somewhat more complex to detect which device is the MFA one.

Second, more and more apps or websites appear to either clear the screen or go back to the login when you navigate away from them, so one can never complete the MFA process on the same device used to log in. That is good in the sense that it closes the security loophole of the first issue, but it is infuriating when I want to access something away from my desktop computer.

Also, somewhat unrelated, but texts and phone calls can be intercepted. There are plenty of stories about phone companies firing employees for having given unscrupulous people the SIM card information that allowed a hacker to clone it and receive each text and call. This issue has been around for two decades, so I don’t understand why this loophole still exists.
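One way a service could account for both concerns above, as an added example that is not from this post or any particular product: a policy check that counts a possession factor as independent only when it comes from a device other than the one the password was entered on, and flags codes delivered over the carrier network (SMS or voice) as weak. The channel names and the `device_id` values are assumptions; a real service would derive them from its own session and device records.

```python
from dataclasses import dataclass, field
from enum import Enum


class Channel(Enum):
    PASSWORD = "password"    # something you know, typed on the login device
    TOTP_APP = "totp_app"    # code generated by an authenticator app
    PUSH = "push"            # approval prompt in an app
    SMS = "sms"              # text message delivered by the carrier
    VOICE = "voice"          # phone call delivered by the carrier


CARRIER_DELIVERED = {Channel.SMS, Channel.VOICE}


@dataclass(frozen=True)
class FactorEvent:
    channel: Channel
    device_id: str  # hypothetical device identifier recorded by the service


@dataclass
class Verdict:
    independent_factors: int
    findings: list = field(default_factory=list)

    @property
    def mfa_satisfied(self) -> bool:
        # Two factors only count if they were demonstrated on separate devices.
        return self.independent_factors >= 2


def evaluate_login(events) -> Verdict:
    """Count the factors actually demonstrated on distinct devices and explain any shortfall."""
    passwords = [e for e in events if e.channel is Channel.PASSWORD]
    if not passwords:
        return Verdict(0, ["no knowledge factor presented"])
    login_device = passwords[0].device_id
    verdict = Verdict(1)            # the password is the first (knowledge) factor
    seen_devices = {login_device}
    for e in events:
        if e.channel is Channel.PASSWORD:
            continue
        if e.device_id in seen_devices:
            # "Something you have" on the device already in use adds no independence.
            verdict.findings.append(f"{e.channel.value} completed on login device {e.device_id}: not independent")
            continue
        if e.channel in CARRIER_DELIVERED:
            verdict.findings.append(f"{e.channel.value} to {e.device_id} is carrier-delivered: exposed to SIM swap or clone")
        seen_devices.add(e.device_id)
        verdict.independent_factors += 1
    return verdict
```

A login from a phone that then approves its own push or reads its own authenticator code yields one independent factor and a finding, while a desktop login approved on a phone yields two.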
