When 2FA harms privacy

Big platforms seem to love 2FA in 2022. Google even forces 2FA during account setup and configuration for popular services. Facebook and many other social networks now require a phone number.

So far, so good. 2FA significantly hardens account security by adding an extra step during authentication. However, it might also be used against users to tie an account to a real identity.

The creepy social networks

Many content creators and celebrities complain about social platforms. While these platforms bring them popularity and sometimes substantial revenue, they can also trigger all kinds of persecution.

People often blame “anonymity” as the culprit. Because you don’t have to give your real name during the account setup, many harassers and stalkers have used fake accounts to satisfy their creepy desires and their need for attention.

There are many ways to deanonymize these lost souls, though. Authorities and platforms can ultimately identify them with technical data such as the IP address or a collection of signals extracted from the browser and device’s fingerprints.

Besides, the rules have changed. You can no longer create accounts on most platforms without providing a phone number or confirming your identity with a trusted device.

You can still create multiple “isolated” accounts with cute nicknames and no relations, but they will be tied to a device and a phone number, and thus, a real identity most of the time.

Mobile hardware doesn’t lie

Your mobile follows you everywhere. In 2022, it has so many possible uses, such as talking with relatives and friends, connecting to bank accounts, or buying stuff.

Besides, mobile phones are significantly more identifiable than PCs. Whether you use an iOS or an Android device, it has an identification number and other unique information that is impossible to hide.

That’s essentially what I mean by “device fingerprints.” You can find your serial number or IMEI (International Mobile Equipment Identity) in your phone settings or by dialing *#06#.

As far as I know, you can’t modify this number without breaking several laws in most countries. Google, for example, collects this number.

Tracking across multiple devices

It’s not uncommon to use multiple devices these days, but with 2FA, platforms can completely identify and track users across all their devices.

There’s only one mobile device allowed as a trusted device, a.k.a. your smartphone, to confirm your identity during authentication. As a result, there’s no way to use the service without providing your real identity, regardless of the device.

I’ve tested it, and it’s not another dystopian scenario. It’s the current situation. Big platforms highlight new privacy-compatible ways to track people, such as cohorts, but I don’t see any revolution in their approach to 2FA.

Google forces its users to use its applications to secure accounts. It just collects real identity and location. This way, even tech-savvy users who want to try alternative methods to authenticate will have to link their smartphone to their account and accept Google tracking.

Should we enable 2FA or not?

100% yes. The problem is not 2FA itself but the twisted and restricted version of this security feature provided by big platforms.

For now, there’s no easy way to circumvent this “Big 5 Strike Back”. You could switch software and services or, in a less radical approach, use a dedicated device for 2FA. However, it seems pretty constraining, and I seriously doubt it could become a major trend.

I made this ironic Star Wars joke (The Empire Strikes Back) deliberately, though, because I think one should see the problem beyond any ethical, moral, or political concerns. Don’t get me wrong, they are essential aspects of life, but big platforms want to make money.

Privacy and cybersecurity awareness can play a big part in that perspective, making those companies’ questionable practices and extravagant data collection a little riskier.

The more people write and talk about it, the more chance we have to influence critical decisions that affect our lives so dramatically.