In the last exciting installment of my two-factor authentication (2FA) odyssey, I got to the point of having to reset my Authy account because I messed up keeping records of the token backup password and the PINs used to protect the apps on my three devices.
By the way, if you’re thinking this sounds complex, it is. I like to think I’m not stupid, but this has been tortuous for me and I was already beginning to think (a) I may never get it working, and (b) even if I can, the majority of non-IT specialists never would.
Anyway, after my account was reset I duly reinstalled the apps on my phone, iPad and PC, set (and recorded) all the passwords and PINs, and took a deep breath. Back I went to setting up 2FA on my Gmail account. This again proved incredibly frustrating, with the Android app being confused by the old entry not being deleted; then I ended up with two tokens for Gmail! And it takes 48 hours to delete them!! In a fit of indignation I decided I’d had enough and disabled 2FA on Gmail again.
After cooling off and steeling myself to try again, I went to the Android app and found that (a) the Gmail tokens I thought I’d deleted were still there, and (b) the protection PIN on the app seemed to have been turned off. What. Is. Going. On??
Enough is enough. Regardless of its technical merits, and all the advantages compared to “simple” SMS-based 2FA, this was just never going to work for me. Reluctantly, I initiated deletion of my Authy account.
I admit defeat.
I’ll still look into 2FA, and the risks of using SMS, and needing a backup method in case your phone is lost or stolen, and all the rest of it. But the “superior” way with an authenticator app is just way too complicated. If I want to spread the word to non-IT specialists about how to improve their online security, people have to be able to understand it and manage it themselves. If they can’t, they won’t bother.
The odyssey continues.