The usability impact of 2FA

Securing your online accounts isn’t a one-time process. It’s something you need to evaluate on a regular basis. That’s what I did for instance when I learned about the Onliner spambot data breach. At that moment in time I reviewed my accounts and, where possible, I changed the email address for a particular account to an alias reflecting the service it is used for. You can read more about that here.

Another thing I often do is check the security settings of my accounts. That’s how I noticed today that two-factor authentication (2FA) had become available for a service I use. As I hadn’t turned it on yet, I decided to do so. I sent my colleagues a mail advising them to do the same, and I was already anticipating the “yes, but it’s a usability barrier” kind of argument by explaining that activation is really smooth and simple: install an authenticator app if you don’t have one yet, scan the QR code, enter the activation code, then enter a code generated by the app once more and you’re good. After that’s done you don’t have to enter a code again for the same device (or browser). In this case the user experience was really smooth, but unfortunately that is not always true. Anyway, it got me thinking. What’s the worst user experience one can encounter after activating 2FA?

Well, think for instance about what happens if your smartphone dies and you’re using an app on that phone to generate the Time-based One-time Passwords (TOTP). Those codes are computed from a secret that was shared with the phone during enrollment (that’s what the QR code contains) and the current time, so if the phone is the only place that secret lives, it is gone with the phone. When you haven’t created backup codes or activated any other fallback mechanism you’re, in the best case temporarily, locked out of your account. You might be able to recover access by proving in some other way that you own the account (and hope you can convince the particular service to disable 2FA for you), but that can be very hard or even impossible.

Conclusion

  1. Activate 2FA to improve your account security, some good resources covering how to set up 2FA for a lot of websites can be found here and here, BUT
  2. Activate a fallback strategy. Ask yourself for each 2FA-enabled account: “Can I still access my account without the code?”. If the answer is no and the service you use doesn’t provide any fallback mechanism, it might be better to disable 2FA altogether. If the answer is no because you did not configure a fallback mechanism, do it straight away!
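To make the fallback question concrete, here is an added example (written for this page, not code from the original post or from any particular service) of how the server side of TOTP 2FA with backup codes typically fits together. It implements RFC 6238 TOTP from the standard library only and a verifier that also accepts single-use backup codes stored as hashes. Two things it shows that the text only states: a TOTP code is a pure function of the shared secret and the clock, so any second device (or a saved copy of the enrollment secret) produces exactly the same codes, and a backup code is worthless once used. The class and method names (`Account`, `issue_backup_codes`, `verify_second_factor`) are this example's own; SHA-256 is used for the backup-code hashes for brevity, a real deployment would use a slow password hash.

```python
"""Second-factor verifier with a fallback: RFC 6238 TOTP plus single-use backup codes.

Constructed example for illustration; not taken from the original post or any product.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time.

    The result depends only on the secret and the clock, so every device enrolled
    from the same QR code (or a stored copy of the secret) yields the same codes.
    """
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def secret_from_base32(encoded: str) -> bytes:
    """Decode the secret as it appears in an otpauth:// enrollment URI (unpadded base32)."""
    return base64.b32decode(encoded.upper() + "=" * (-len(encoded) % 8))


class Account:
    """Hypothetical account record holding the 2FA state for one user."""

    BACKUP_CODE_COUNT = 8

    def __init__(self) -> None:
        self.secret = secrets.token_bytes(20)   # 160-bit shared secret, as in typical QR enrollment
        self._last_counter = -1                 # highest TOTP step accepted so far (anti-replay)
        self._backup_hashes: List[str] = []     # backup codes are stored hashed, like passwords

    def base32_secret(self) -> str:
        """The secret as it would be encoded into the enrollment QR code."""
        return base64.b32encode(self.secret).decode().rstrip("=")

    def issue_backup_codes(self) -> List[str]:
        """Generate fresh single-use codes. Plaintext is shown once; only hashes are kept."""
        codes = [secrets.token_hex(5) for _ in range(self.BACKUP_CODE_COUNT)]   # 40 bits each
        self._backup_hashes = [hashlib.sha256(c.encode()).hexdigest() for c in codes]
        return [f"{c[:5]}-{c[5:]}" for c in codes]

    def remaining_backup_codes(self) -> int:
        return len(self._backup_hashes)

    def verify_second_factor(self, code: str, at: Optional[int] = None) -> bool:
        """Accept either a TOTP (6 digits) or an unused backup code (10 hex characters)."""
        code = "".join(ch for ch in code.lower() if ch.isalnum())
        if len(code) == 6 and code.isdigit():
            return self._verify_totp(code, at)
        if len(code) == 10:
            return self._consume_backup_code(code)
        return False

    def _verify_totp(self, code: str, at: Optional[int]) -> bool:
        now = int(time.time()) if at is None else at
        counter = now // 30
        # Tolerate one step of clock skew, but never accept a step at or below the last used one,
        # so a code that was observed in transit cannot be replayed within its validity window.
        for candidate in (counter, counter - 1):
            if candidate <= self._last_counter:
                continue
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self._last_counter = candidate
                return True
        return False

    def _consume_backup_code(self, code: str) -> bool:
        digest = hashlib.sha256(code.encode()).hexdigest()
        for i, stored in enumerate(self._backup_hashes):
            if hmac.compare_digest(stored, digest):
                del self._backup_hashes[i]   # single use: the same code is never accepted again
                return True
        return False


if __name__ == "__main__":
    acct = Account()
    print("store these offline:", acct.issue_backup_codes())
    print("phone 1 code:", totp(acct.secret))
    # A second authenticator enrolled from the same QR code produces the identical code.
    print("phone 2 code:", totp(secret_from_base32(acct.base32_secret())))
```

The practical reading of this for the fallback question above: the enrollment secret is the thing that actually matters, so enrolling a second device at the same time (or keeping the QR code somewhere safe, offline) is a fallback even for services that do not offer backup codes, and the backup codes themselves are only useful if they are stored somewhere other than the phone that just died.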
John Opdenakker

Blogger | #Infosec | #AppSec | Security awareness | Occasional Public Speaker | Cycling | Running | Enjoying life