benjf.com

Real content from a human brain

TOTP 2FA (Two Factor Authentication) is silly

Writer #1, 2022-08-31

TOTP = Time Based One Time Password
2FA = Two Factor Authentication

Firstly, I use TOTP 2FA in a lot of places, mainly because it does add some security improvement. My contention is that it does little more than a longer password.

There is some chance that the segmented dual login process is more secure than simply a longer password because it creates a second wall to get over; a wall that you could not even arrive at without penetrating the first wall, so if you were trying to brute force your way through the second wall, you would have to keep passing through the first wall, which would slow you down considerably. There’s probably an argument to be made there, but I could just as easily create a two-password login system that uses two stationary passwords and achieve the same thing. In fact, a two-password login system might even be better.

So, here’s why I am calling it “silly”: The strength of 2FA is supposed to be the idea that you have a moving target. A short-lived password that lasts 30-60 seconds and then changes to something else, so it cannot really be brute forced. The problem is when you set up 2FA, they give you backup codes. Backup codes are a list of 5-10 2FA passwords that are frozen, non-moving targets. Essentially, it’s like protecting myself with a bulletproof vest and then painting a bullseye on my forehead. Or like adding extra deadbolts to my front door while propping open my back door, just in case I lock myself out.

What you end up with is a list of multiple acceptable passwords. So, while there is a “time based one time” moving target that cannot be brute forced, you also have a list of 10 alternative stationary targets that can be brute forced. Again, 10! If I set up a two-password login system, there would only be one stationary target, and I could make it as long and as complex as I want. TOTP backup passwords are usually short and lack special characters, so they are not considered good passwords anyway.

Like I said in the beginning, having two medium thickness walls to penetrate could be better than one single thick wall… maybe. My probable conclusion is that 2FA is no more than extra characters on your password or a second login process. So, I use it, but I don’t think it’s any more secure than a good password.

Disclaimer: I’m no security expert. I’m just throwing logic at it. If you know I’m wrong, please tell me how.
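
The moving-target versus backup-code comparison above can be put into numbers. The following is an added example, not code from the original post: it computes RFC 6238 TOTP codes for adjacent time steps and estimates the odds of a guess landing within an attempt limit. The lockout threshold of 5, the numeric backup-code lengths and the count of 10 codes are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct
from math import comb


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: an HOTP value over the time-step counter."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def moving_target_odds(accepted_steps: int, digits: int, guesses: int) -> float:
    """Chance that at least one of `guesses` tries matches a TOTP code when the
    server accepts `accepted_steps` time steps; tries are treated as independent."""
    return 1 - (1 - accepted_steps / 10 ** digits) ** guesses


def stationary_target_odds(codes: int, keyspace: int, guesses: int) -> float:
    """Chance that `guesses` distinct tries include any of `codes` unused backup
    codes drawn from `keyspace` equally likely values."""
    return 1 - comb(keyspace - codes, guesses) / comb(keyspace, guesses)


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret, not a real key
    print(totp(secret, 59), totp(secret, 60))  # adjacent 30-second steps
    limit = 5  # assumed lockout threshold (hypothetical policy)
    print(f"TOTP, 6 digits, 1 step accepted: {moving_target_odds(1, 6, limit):.2e}")
    for length in (6, 8, 10):  # assumed numeric backup-code lengths
        odds = stationary_target_odds(10, 10 ** length, limit)
        print(f"10 backup codes, {length} digits: {odds:.2e}")
```

The figures depend entirely on the inputs: code length, how many unused backup codes remain, and how many failed attempts the service allows before locking out.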
