The Problem With Two-Factor Authentication

Two-factor authentication is, in principle, a good thing. It means that when accessing an online account, one has to have both an object and a password. “A thing you know, and a thing you own”.
This is great — for those who want it. Having it as a requirement, rather than an option, can cause serious problems.

I am on the autistic spectrum. I find talking on the phone distressing, even when it’s someone I know. I find dealing with strangers on the phone *extremely* distressing. I also dislike the presumption of contactability in modern society, in which we are expected at all times to be available to reply to instant messages, tweets, emails, texts, and phone calls at the convenience of the contacter. As an autistic person, I need to be able to withdraw and not deal with other people. Mobile phones remove that ability.

For this reason, I refuse to have or use a mobile phone. I occasionally, under *extreme* protest, take one with me when I’m going to be away from home, so my wife can contact me, but I have a deep and abiding phobia of the things.

Today I tried to register for Virgin Money’s online card management system — they changed their systems two months ago, and I’d not got round to registering for the new service until now. I got as far as the second screen, where the system *insists* on a mobile phone number, and will not allow you to proceed without it.

I phoned up Virgin Money (something I don’t like doing — as I said, I find talking on the phone distressing) and got told the following:
“No, you don’t need a mobile phone number to register, you can get the access code sent to your email address”
(After I explain that the access code is not the same thing, that this comes after entering that code)
“No, you don’t have to have a mobile phone for anything except text banking”
(After I explain that I am looking at the online credit card management registration page, that I have it in front of me at that moment)
“Can you enter your landline number instead?”
(After I explain that there is a separate box for my landline number, and that it wants the number for two-factor authentication)
“Can you use someone else’s mobile phone?”
(After I explain that I am not tying my credit card account to someone else’s mobile phone, because I’m not an idiot)
“Can you just click through?”
(After I explain that no, if I could just click through, I wouldn’t have bothered phoning up)
“My supervisor says you don’t need a mobile phone number”
(After I explain that his supervisor is, at best, mistaken, and that I don’t like being called a liar, because at this point I have had the evidence of my own eyes called into question multiple times)
“No, I can see you’re right. Can I put you on hold? [minutes later] Yes, it turns out there’s no way to do this without a mobile phone. Did you know you can buy a mobile phone for only…”

So, because of the imposition of two-factor authentication as a necessity, rather than as an option, I am forced to choose either never to use my credit card, to own a device which I have no wish ever to own and which would cause me stress, or to deal with Virgin Money entirely by phone, which would mean that every month I would have to phone a call centre and speak to the kind of people who, like the person I spoke to today, feel perfectly comfortable asserting that their own uninformed opinion overrides the actual experiences of the customer.

I’ve been using online banking for fifteen years, and have never in that time experienced any fraud based on not using two-factor authentication. I have no reason to believe I ever *will* experience such fraud, and am certainly willing to take that risk. Apparently, though, I am not *allowed* to take that risk on myself.

Technology can and should be a tool which enables people to take more control of their own lives, and which allows those who have different needs to meet those needs. Instead, it’s increasingly being used to create a set of inflexible systems which deny participation to those who don’t fit a set of accepted norms. This may seem a very minor thing in isolation — and it is — but it’s part of a wider pattern in which social assumptions (everyone has a mobile phone/everyone is either male or female/everyone finds touchscreens easier to use than buttons/everyone is visually, rather than verbally, oriented/everyone is happy with having only a single persona which can be seen by friends, family, and employers) get mapped to technology, which unlike society has no wiggle room for when its assumptions get challenged.


4 Responses to The Problem With Two-Factor Authentication

  1. Nonconformistradical says:

    I’m not on the autistic spectrum – at least I don’t think so – but I sympathise with your attitude towards mobile phones. I do have one but give the number to very few people. It’s for personal uses only.

    Have you thought about ditching Virgin Money and getting another credit card from an organisation which doesn’t treat you like dirt?

    • Mike Taylor says:

      I recommend First Direct. Their Web UI is perfectly functional, and uses two-factor authentication based on a small dedicated device which they supply and which can’t do anything else besides providing you with a time-dependent code. Also: you only need the second factor if you’re doing something like making a payment for the first time to an account you’ve not used before. Most actions work just fine based on username/password/security question.

      (Also: when I do phone First Direct, they are excellent: they pick up on the second or third ring, and are both friendly and competent. They very rarely put me on hold, and on the occasions that they do it’s always for some specific and comprehensible reason.)

  2. andrewducker says:

    You can always have a mobile phone that’s set to divert all calls to answerphone. And an answerphone message saying “I don’t ever check messages, email me”.

  3. Pingback: Collected wanderings: a not the puppy non-round up | Camestros Felapton
