How to spot poor implementations of 2FA

I enable 2FA every time it’s possible, and I encourage you to do the same.

2FA means two-factor authentication. It’s an extra layer of security that requires a second factor, typically a one-time password (OTP), in addition to your classic credentials (login/password).

Most of the time, it’s a 6-8 digit code that is sent by SMS or generated by a dedicated mobile app. This way, another device, for example a smartphone, holds the second authentication factor.

In theory, even if your credentials are stolen or leaked, attackers won’t be able to use them on their own. The problem is that some implementations are flawed or prone to attacks.

Disclaimer

This is not an exhaustive list, just a collection of simple observations.

7 signs of bad 2FA implementation

*A 6-8 digit code is the equivalent of a very weak password against a brute-force attack: a 6-digit code has only one million possible values, so the code is only safe if the server limits the number of attempts and rejects a code once it has been used.

How to fix the situation

Again, enabling 2FA is a valid choice regardless of the implementation, but if you see something strange, like one of the 7 signs we’ve just seen, do not hesitate to report it to the app, website or service.

Fortunately, not all implementations are that bad. Even the most robust ones can be bypassed under specific conditions, but 2FA still hardens your security significantly.