Today, Vice published a story detailing the abysmal security practices of Amazon's Ring brand of smart home security and surveillance products after a spate of compromised passwords (which have been inaccurately described as "hacked," even by The New York Times, who should know much better) led to terrifying privacy breaches for consumers across the US.
Compromised passwords are an extremely common source of account breaches, whether as part of account dumps on the dark web or through simple social engineering. Passwords are, for all of their virtues, very bad as security measures. In a world full of bad actors looking to compromise your personal privacy for the sake of spying on you or taking advantage of you financially, your password should be one of several lines of defense protecting you. But for the vast majority of consumers, it's the only one. And that's a huge problem.
There is a simple, established solution that could mitigate the overwhelming share of compromised login credentials, and if you read a website like Android Police, you're probably well aware of it. Two-factor authentication has been around for years, but it is only now becoming a mainstream part of secure online login systems, despite being supported as an option on a huge number of services.
It's time for two-factor authentication to stop being optional. Two-factor authentication should be mandatory for any online credentials processed through a secure (HTTPS/SSL) protocol, full stop.
Do we need a law stating as much? Based on the pathetic response of Amazon to these Ring breaches, it kind of looks like we might. These corporations are so desperate for market share, and so afraid of upsetting consumers during the product setup process (which could lead to, gasp, a return!), that none of them have the courage to say "this is for your own good." It's time for that attitude to end, whether by force of an industry standard or by codification in legislation.
Two-factor authentication is not perfect, and 2FA of the SMS variety has been particularly maligned. But you should still use it if it's your only option, because it's still orders of magnitude more secure than a password alone. The argument around SMS 2FA has been one of the key stumbling points, in my view, in preventing a unified front around pushing 2FA as a need-to-have feature for any login flow. The fact is, for all the flaws SMS 2FA has (and there are some serious ones), the overwhelming majority of people don't even know two-factor authentication exists, let alone use it.
If I were to draw an analogy, SMS two-factor authentication is like putting your wallet in your front pocket when you're visiting a city known for pickpocketing. Is it a fool-proof strategy? No (and trust me, I've heard of people still getting pickpocketed from a front pocket). Should you use a jacket pocket or, better yet, an under-shirt money belt? Probably, but they're a bit more of a hassle to get in the first place, and the front pocket method is good enough for most people because it still greatly reduces your vulnerability compared to the back pocket.
If almost everyone on earth used two-factor authentication, SMS 2FA would probably be something you genuinely shouldn't use. I understand the argument is being had in good faith, in the interest of safety and security, but right now, so many of us are so desperately vulnerable to being compromised online that the argument is basically moot. Any two-factor authentication system would be a massive improvement for a huge swath of people, and greatly reduce the chance they'd be an attractive target to these bad actors.
For the security-minded among us, we already know that app-based 2FA is more secure than SMS, and physical security keys more secure still. And that's fine: we can use those things. But the bar for the average person needs to be set a bit lower, at least for now, because right now there isn't a bar at all. You know exactly who I'm talking about: your parents, your grandparents, your coworkers, and maybe even your spouse; the people in your life who use blatantly insecure login credentials because they can't be bothered to use a password manager, let alone come up with a password that isn't easily guessed. These are the people we need to be looking out for, not the privacy-aware like us. And these people need more protection from those who would seek to do them and their families harm.
Two-factor authentication shouldn't be an option. It should be the bare minimum. It's time for companies like Amazon, Google, and Facebook to step up: having single-step login as an option should be just as embarrassing as that big, red strikethrough you get in Chrome when a site doesn't use HTTPS.