This would work perfectly if it weren’t for all the humans: Two factor authentication in late modern societies

Abstract

Late modern societies are now dependent on innumerable digitally networked technologies, yet there are intractable incongruencies between the technologies that we develop, and the corresponding technological literacies of users. This disjuncture has greatly increased the scope and scale of the risks to which globalized publics are exposed. With public cybersecurity literacies necessarily in decline as a result of the techno-social dynamism of “liquid modernity”, we now face an immense and exponentially growing matrix of cyberthreats and vulnerabilities, of which many carry potentially catastrophic consequences. Our interrogation of two-factor authentication systems, popularly implemented through short messaging services (SMSs), is demonstrative of vulnerabilities that continue to emerge as a result of widespread and entrenched disjunctures between the design of contemporary ICT systems, and the various flawed assumptions that undergird their implementation. We examined 400 authentication messages that were automatically posted to a public forum by Web sites commonly used to receive SMS authentication tokens on behalf of users. We found that 76.5 percent of those messages included the name of the application for which the message was intended: in so doing, over three quarters of our sample risked compromising their accounts. Occasionally, we even observed usernames and passwords posted together. The socio-technical implications of our findings for ICT system design in today’s globalized late modern societies are discussed.