A problem with Two-Factor Authentication

Guess who’s back!

Mailer dæmon icon based on icons by Aha-Soft, (Creative Commons) and David Robertson
I hold a credit card account with a financial institution which shall remain nameless, aside from the observation that their name suggests that they’re America’s national bank. Personally, I prefer credit unions, so my wife and I use the card only as a backup, in case something goes wrong with the credit union’s card.

For reasons that don’t require elaboration, that happened last month. When the bill came due, I went to visit their website. It was the first time in months, if not years, so upon logging in I encountered a web page happily offering to let me pay my bill — so long as I verified my identity first.

Very well; I understand the problem. I selected the option for a text message with a security code to my phone and waited.

And waited.

And waited.

Did I mention I was waiting? Because America’s would-be national bank seemed to have forgotten me.

This must not be that uncommon, as they had an option to request another code. I clicked on that button, again selected my phone, and waited.

And waited.

And waited.

At this point I noticed a warning on the webpage that the code is valid for only 10 minutes. It’s been a good 5 minutes already. Hmmm…

Alright, let’s try a security code via email. I selected that, and… that worked! Within moments, my email held a security code. Off I go and log in.

On the one hand, I like that resolution, because email is civilized, while telephones are barbaric.I’ll revisit this eventually, but in short: with email you can notice that someone needs your attention, triage the request against others, as well as your own urgent obligations, or even your not-so-urgent obligations, then reply at your convenience. You can silence an email client without feeling too guilty.

Telephones, by contrast, demand urgent attention, now, now, now — which woudln’t be so bad if people would use telephones for urgent matters, which they almost never do.
The situation was resolved, and the bank gave options. Very good.

On the other hand, email accounts are hacked pretty often, and email is an insecure medium. That’s not so great.

What happened to those text messages, anyway? I learned about 36 hours later, when one of them popped up on my phone… then again 60 hours later, when the second popped up on my phone.

“Ten minutes”, eh?

So, infotech’s solution to security failures on their end is to foist on users increasingly unreliable, highly inconvenient nuisanceware that even major financial institutions of national reach can’t implement correctly.

Should I go ahead and fill out a check to the Mailer Dæmons gang now?