Two-factor authentication: The decisive battleground for analogue rights?
It may be a huge digital coercion driver, but 2FA also gives us immense leverage to push back
We’ve all been there. You’re logging into some website on a computer, passwords at the ready, just minding your own business. And then it comes: the dreaded pop-up. You discover that logging in now requires two-factor authentication (2FA). Your password is no longer enough. The geeks have decreed that a second layer of security is required.
It’s increasingly fashionable for the nerds who dream up these things to also insist that said second security layer take the form a smartphone app. Because in their soulless little world, everybody has a smartphone, right? In their world, everybody wants a smartphone.
Now, a reasonable government, school, employer or other institution will obviously appreciate that you can’t go round forcing people to own smartphones. Not unless you’re planning on footing the bill for them. Even then, the idea would be pretty high on the Orwellian weirdness scale. So we’re good, right?
A random photo of the simple life, taken while cycling in Burgenland, Austria
You already know the answer. Our governments, schools, employers, etc. are not well acquainted with ‘reasonable’. They are falling in love with 2FA because - among other things - it makes them look digitally savvy and forward thinking. And so, we’re being force-fed 2FA, and by extension forced to upgrade and maintain smartphones at our own expense. It’s important to note that this is happening in non-optional areas of life. Here are a couple of examples: educating our kids, banking, voting, tax returns, doing our jobs.
A propos doing one’s job: this is no joke. A teacher in Vienna was actually dismissed last year because she refused to download a 2FA app on a personal, private smartphone. An app that was ‘required’ to log in to a system at work and do her job. Dare to have principles, and it’s goodbye salary. Nothing captures the digital coercion problem better than what happened to that teacher.
The concept of 2FA is actually good
If you’re looking for sweeping, fundamentalist negativity in this piece, you won’t find it. We are balanced folk here at Offline Rights. We stay away from wacko theories or extremism. Which is why I’m happy to say out loud that 2FA is essentially a good thing.
I’ve been hacked and had money stolen online. I know only too well how creepy it is to feel somebody else at work in your computer, in real time. Nobody needs to tell me that another layer of security to keep baddies logged out of your accounts is a good thing. I am all over that. And the notion that a baddie would now have to get hold of my specific device - or at least hack into it as well - is reassuring. I would go so far as to say ‘bring it on’... for those who choose to do things online.
‘Choose’ is the big word here. If the service you’re trying to log into1 shut down the offline options, there’s no choice in the matter. And when that happens, they’re picking a fight with us reasonable people.
There are alternatives to smartphone 2FA
If 2FA per se is nothing to battle against, the current execution of it is contentious at best. If you’re selling flowers, do what you like. But if you’re providing essential or compulsory social services, assuming everyone has (or wants2) a smartphone is not on. Especially when there are other options available.
Some 2FA systems still send you a confirmation email as a form of two-factor authentication. I’m guessing this is regarded as a primitive form of 2FA now, but it has a major benefit our tech bro overlords don’t consider: it doesn’t require smartphone ownership. It only requires an email address, which is free. It’s also reasonable to expect one from anybody presenting themselves for a login on the internet. After all, such people by definition have a connected device - or access to one.
Allowing your users the option to do their 2FA verification in the form of an email would be a neat thing to do if you cared about not forcing them to go out and get a second device. You could still offer the app alternative for those who want it, right?
A more geeky alternative that few people know about is a FIDO token. I’ve tried reading up on how they work, but it’s difficult not to nod off, quite honestly. There is a severe shortage of comprehensible literature about these niche things, and life is too short. All I know is that they are little devices that can connect to your computer via, say, USB or Bluetooth. And they are able to do the 2FA job that the smartphone does, if the service you’re logging into is on board. Feel free to expand on this in the comments if you’re in the know - I don’t claim to have researched this part properly!
Remember when your bank used to send you a special device to verify your online login? That wasn’t so long ago, in an era when smartphones were considered an optional toy. How quickly we have allowed times to change. Anyway, I gather that a FIDO (sounds like a dog’s name...) is a similar concept to such devices; perfect for a world in which your bank has axed such solutions and outsourced the 2FA device costs to you, the client.
At first glance, a FIDO is cheaper than a regular smartphone, and orders of magnitude cheaper than an iPhone. But it’s still a device you have to go out and buy - at least until your government provides a free FIDO to all citizens. If you are a stickler for principles, which I think we need to be, then this is also a no-go.
Also, reading up on how FIDOs work is deeply boring and not for everybody. Being forced to do so makes me nearly as grumpy as compulsory smartphone ownership.
A revolutionary thought
This brings me to the commonsense alternative that served us for millennia: not having to do important stuff online at all. Keeping analogue services alive, in other words. Our raison d’etre here at Offline Rights.
The more absurd hoops we have to jump through to prove our identity in a disembodied, online environment - will we have 3FA in a few years? 4FA? Where does it end? - the less ridiculous filling out a form or lining up at a counter seems to me.
Take banking as an example. 2FA has added to the hassle and expense we have to go to just to log in to our bank accounts. On top of that, we’re now also expected to spot scams, phishes and fakes that look a lot like bank communications. Despite this creep of new inconveniences that weren’t there with early online banking, it is still sold to us as ‘convenient’.
When you went to the branch and spoke to a person, you could be certain none of it was a fake cobbled together by a crafty programmer in Lagos. Nor did you have to provide multiple levels of identification or argue with a machine about which frame of a photo contains a bicycle wheel. It’s the solution we’ve had all along. On close examination, which method of banking is the more absurd?
As long as the offline, analogue methods such as bank branches, physical tax forms and phoning up your doctor for an appointment remain open, so that nobody is forced to go out and buy devices, 2FA doesn’t have to be something to fight about.
Sadly, it would be naive to think that the analogue will remain a thing unless we make a heck of a fuss - ASAP.
2FA: A perfect stage for resistance
What happened to that Austrian teacher is a disgrace. But equally disgraceful was the lack of widespread solidarity from her colleagues. Teaching is one example of a critical sector where mass resistance could be very effective - if anybody bothered to actually do it.
Tell me honestly. If every teacher in Austria came to school on Monday without their private smartphones, then sat on their hands and stared at their bosses all morning because work was suddenly impossible, while the country’s kids ran amok in the hallways, I think we would have a solution by Wednesday.
This is called leverage, I think. And I think ordinary people working in organisations, or even across entire industries, have a great deal of it when it comes to 2FA digital coercion.
Not forcing people to log in to some system with their own devices is an easier thing to solve than giving them a pay rise. It could be as simple as saying that it’s OK to write things down on paper again. School resumes, crisis over.
Teachers have unions, who should be organising this kind of action. But they don’t seem to do much. Industrial action has gone out of fashion, especially where kids are involved. On this issue, however, taking a stand now could have a massive, positive impact on the working conditions these very kids face one day. Missing a few classes so that they’re not forced to own smartphones in order to apply for, accept or carry out their first jobs? That seems a good deal to me. And a heroic thing for a teacher to do.
In a way, I almost welcome digital coercion via 2FA in entire industries and companies. Because it seems to me the best possible opportunity to take a united and effective stand against digital coercion. One that would achieve quick results. Provided people actually do it. Again, ASAP.
You can replicate the kind of ‘phone strike’ idea I sketched for teachers and cripple any business, society, system or organisation that demands that people’s private devices be used for operations. It’s obviously better than you or me doing a solo protest and landing up in trouble.
If multiple organisations were hit simultaneously, so much the better. This would be society as a whole sending a message that digital coercion is not on. Then even higher powers than your boss would have to start taking note.
A ‘phone strike’ doesn’t even need to involve breaking employment contract obligations. You’re not staying away from work, are you? You just aren’t bringing your personal, private phone to the office any more. No country with reasonable labour laws could allow you to be fired for that3. And anyway, they can’t fire the entire team.
I’m not expecting anybody to go this alone: heck, I wouldn’t be brave enough4! It needs to be group action. Safety in numbers. And all that takes is a leader and a little subversive communication. If you face 2FA-driven digital coercion in your workplace or some other key area of life, could you be that leader? Or do you know someone who might be?
Did you enjoy the read? Hope so - it took quite a bit of work! Now it’s your turn to get involved. Don’t be afraid - it could be as simple as taking a photo! Here’s all you need to know about how you can take action and help.
We’re not a big faceless organisation; we’re a bloke working in his spare time to make the world a better place! And hearing from you is the rocket fuel we need. Questions? Doubts? Feedback? Struggling for motivation? Ideas? We’re listening!
Offline Rights is free, because non-profit campaigns to make the world a better place should be accessible to all. However, Offline Rights will be a lot more effective if we can build a team and work on this full-time without having to waste energy on a day job. So, if you are able, please donate by buying us a virtual coffee!
Log in to? Into which you’re trying to log? Nothing sounds right here!
With so much discussion about smartphone addiction, particularly among young people, the idea of opting not to have one is going to have to be taken seriously at some point.
There’s supposedly a legal challenge around the Austrian teacher’s dismissal. Which probably explains why reporting on the matter has gone quiet. This is a country with highly developed, worker-friendly labour laws, so we’re awaiting news of a landmark judgement with bated breath.
In case you’re wondering... I’m freelance rather than employed. I would lose 95% of my income if I gave up my smartphone tomorrow. But I am a solo operator, not protected by any labour laws, and I have to live with the consequences of that. Freelancers are supposed to bring the necessary tools to work; it’s a take-it or leave-it life. Resistance in a work context is better suited to people within organisations - but I can still do plenty of resistance stuff as a citizen of the world, such as an old-school tax return, boycotting certain businesses and, or course, taking the time to motivate others with articles like this!