Mobile Authentication

One of the offshoots of people constantly having mobile devices with them is the trend toward using them for authentication. Many sites (including UBC) are now moving to two-factor authentication, with phone calls, texts or other push notifications to mobile devices being used to verify a user.

When I worked in finance, I eventually was able to work at home when not required to teach a class. I had a keychain fob that generated a new password every minute, used to log into the company’s remote access system. It not only felt very James Bond-esque, but seemed justified as I would then have access to internal documents, client information, etc. Security makes sense. Now, this kind of security is being used everywhere.

While I understand the issues around this, and with increasingly sophisticated fraud and identity theft risks I agree in principle, the weak point in this is how much it’s being tied to mobile phones. It’s already difficult enough to break the habitual use of mobile devices, but when they become nearly essential to access so many applications, even when logging in through a desktop computer, the problem compounds. It also sets people up for issues with infrastructure. I spend a lot of time in Asia, and the location tends to prompt many North American apps and sites to flag my activity as suspicious, and thus require additional verification. This sometimes works, but not every company will accommodate international text messages, and even if they do, texts are not always reliably received. Even locally this is an issue: I needed to replace my damaged bank card recently, and despite having my old card, PIN number and government-issued photo ID, they sent an SMS code to my phone number. For whatever reason I wasn’t receiving it, requiring a manager to help out. Seems excessive.

I like the idea of mobile technology being a companion tool that can offer a lot of enhancements and convenience. I’m less fond of needing my phone to verify who I am.


( Average Rating: 5 )

3 responses to “Mobile Authentication”

  1. clareyeh

    Hello Devon,

    Awesome post! You know what’s funny? I was watching Mr. Robot the other day, and there was a character targeted because their keychain fob was necessary for the hack job. As for two-factor authentication or mobile authentication, I too feel that it should not count towards the top options for personal verification or when dealing with customer service-related encounters. Not all clients have devices. The thing is, we cannot expect the client to have a personal device or cell phone as an extension to their body. We have the right to rely on government-issued documents, don’t we? We should have the option rather than to be denied a service. Providing ID, personal information, and answering security questions should be sufficient enough.

    Another problem is that we opt out of personal privacy when we attach our cell phone numbers to our personal accounts. It has become out of hand. Back in the day, phone numbers were only used for contact reasons. Now, it’s for verification, text message confirmation, links, codes, PINs. Now, everything seems to be one-time use and the amount of communication feels almost controlling. It is almost a form of social media and a beast of notifications.

    Thirdly, it should feel bothersome that these personal apps and companies have digital access to our phones at whatever capacity. The cookies…Our information is stored on our phones. How do we break away from these companies? How do we establish digital boundaries? It’s hypocritical because I just praised and supported travelling apps but that feels like a separate category.


    ( 0 upvotes and 0 downvotes )
  2. Richard Derksen

    Hi Devon,
    Really good post. I think your point about compounding the issue of attachment and infrastructure to mobile devices in pursuit of greater security is right on point. I work in a hybrid environment and my work laptop requires multi-factor authentication (MFA) when I’m not on site, which can be time consuming and a barrier to accessing important working files. We’re first required to log into the server which gives us access to our local shared drive, but to access specific web-based applications like Office 365, the prompt for MFA appears and I’m required to use my phone. While the occasions are infrequent, I would at least like the option sometimes to put my phone away or even turn it off if I am wanting to focus on specific tasks, but due to the number of times I’m required to log in (timed out of the server, connection issues, issues with the app itself in authenticating etc.) it’s not really possible. I agree security is important, but more often than not I find the process of MFA across multiple areas of life to be overbearing.


    ( 3 upvotes and 0 downvotes )
  3. Jazz Chapman

    Hi Devon,
    Thank you for your post. While I understand the importance of mobile authentication, I think the reliance on phones and the need to do it each time is annoying. Often, I will want to log onto a website or do homework and it’s usually when I purposely turn my phone off or leave it in another room so I can get some work done, then I will be required to do the two-factor authentication. I totally share your statement that needing to have a device to verify who you are or even use certain applications is something that doesn’t seem right in my gut.
    Jasmine


    ( 1 upvotes and 0 downvotes )
