Two-factor authentication is, in principle, a good thing. It means that when accessing an online account, one has to have both an object and a password. “A thing you know, and a thing you own”.
This is great — for those who want it. Having it as a requirement, rather than an option, can cause serious problems.
I am on the autistic spectrum. I find talking on the phone distressing, even when it’s someone I know. I find dealing with strangers on the phone *extremely* distressing. I also dislike the presumption of contactability in modern society, in which we are expected at all times to be available to reply to instant messages, tweets, emails, texts, and phone calls at the convenience of the contacter. As an autistic person, I need to be able to withdraw and not deal with other people. Mobile phones remove that ability.
For this reason, I refuse to have or use a mobile phone. I occasionally, under *extreme* protest, take one with me when I’m going to be away from home, so my wife can contact me, but I have a deep and abiding phobia of the things.
Today I tried to register for Virgin Money’s online card management system — they changed their systems two months ago, and I’d not got round to registering for the new service until now. I got as far as the second screen, where the system *insists* on a mobile phone number, and will not allow you to proceed without it.
I phoned up Virgin Money (something I don’t like doing — as I said, I find talking on the phone distressing) and got told the following:
“No, you don’t need a mobile phone number to register, you can get the access code sent to your email address”
(After I explain that the access code is not the same thing, that this comes after entering that code)
“No, you don’t have to have a mobile phone for anything except text banking”
(After I explain that I am looking at the online credit card management registration page, that I have it in front of me at that moment)
“Can you enter your landline number instead?”
(After I explain that there is a separate box for my landline number, and that it wants the number for two-factor authentication)
“Can you use someone else’s mobile phone?”
(After I explain that I am not tying my credit card account to someone else’s mobile phone, because I’m not an idiot)
“Can you just click through?”
(After I explain that no, if I could just click through, I wouldn’t have bothered phoning up)
“My supervisor says you don’t need a mobile phone number”
(After I explain that his supervisor is, at best, mistaken, and that I don’t like being called a liar, because at this point I have had the evidence of my own eyes called into question multiple times)
“No, I can see you’re right. Can I put you on hold? [minutes later] Yes, it turns out there’s no way to do this without a mobile phone. Did you know you can buy a mobile phone for only…”
So, because of the imposition of two-factor authentication as a necessity, rather than as an option, I am forced to choose either never to use my credit card, to own a device which I have no wish ever to own and which would cause me stress, or to deal with Virgin Money entirely by phone, which would mean that every month I would have to phone a call centre and speak to the kind of people who, like the person I spoke to today, feel perfectly comfortable asserting that their own uninformed opinion overrides the actual experiences of the customer.
I’ve been using online banking for fifteen years, and have never in that time experienced any fraud based on not using two-factor authentication. I have no reason to believe I ever *will* experience such fraud, and am certainly willing to take that risk. Apparently, though, I am not *allowed* to take that risk on myself.
Technology can and should be a tool which enables people to take more control of their own lives, and which allows those who have different needs to meet those needs. Instead, it’s increasingly being used to create a set of inflexible systems which deny participation to those who don’t fit a set of accepted norms. This may seem a very minor thing in isolation — and it is — but it’s part of a wider pattern in which social assumptions (everyone has a mobile phone/everyone is either male or female/everyone finds touchscreens easier to use than buttons/everyone is visually, rather than verbally, oriented/everyone is happy with having only a single persona which can be seen by friends, family, and employers) get mapped to technology, which unlike society has no wiggle room for when its assumptions get challenged.