Hi Lifehacker, I use two-factor authentication everywhere I can. Most of the time I'm accessing one of my online accounts I do so on my PC, and my smartphone is the second factor. But as more and more gets done on smartphones, I'm wondering how it will still be relevant to have two-factor protection. What's the point of having two-factor authentication if the second factor is the same device? Thanks, Security Curious

Dear SC,

You're right. If you're securing an app on your phone with a code that is delivered to, or generated on, that same phone, the second factor adds almost nothing against someone who can unlock the phone: they read the SMS or open the authenticator app from the same screen they use to log in, so the two "factors" collapse into one (possession of the unlocked handset). We pointed this out with respect to online banking earlier this year, but it's an issue that can arise with any web or app-based service.

That doesn't mean we should abandon two-factor. The attacker it was designed for is usually remote: someone who has your password from a phishing page or a breached database but does not have your phone. Against that attacker a phone-based code still works even when you log in from the phone, because they don't have the phone at all. Many people also want to access services on more than one device, and two-factor certainly provides a higher degree of protection than doing nothing. No security solution is perfect.

Two-factor operates alongside the phone's own lock screen (PIN, passcode or fingerprint), the service's analysis of unusual login behaviour, and your own awareness of physical security to provide a reasonably secure environment. If an app is going to be used solely on a phone, something physically separate from the phone, such as a one-time code generated by a dedicated hardware security token, is the kind of second factor that actually survives the phone being unlocked by someone else.

This issue is also why services such as Gmail and Hotmail provide recovery codes that can be used if you lose access to your phone. Each code works once, and they are meant to be printed or stored somewhere other than the phone itself, which is what makes them a recovery option independent of the device. Keeping them in a note on the same phone puts them in exactly the place the scenario above assumes is already compromised.
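To make the two mechanisms above concrete, here is an added example (not code from Lifehacker or from any of the services mentioned) of how a service-side check works for a one-time code generated by a token (the standard HOTP/TOTP construction from RFC 4226 and RFC 6238, which is what both hardware tokens and authenticator apps implement) and for single-use recovery codes. The secret, timestamps and stored-hash format are constructed for the example; the TOTP verifier also refuses to accept a counter it has already accepted, which is the replay check a real service needs. Note that nothing in this code can tell whether the token secret lives on the same device as the login session; that is a property of where the user keeps the secret, which is the whole point of the question.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, then
    dynamic truncation to a `digits`-digit decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from a 30-second time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, last_used_counter: int,
                step: int = 30, window: int = 1) -> tuple:
    """Service-side check. Accepts the code for the current step and `window`
    steps either side (clock drift), but never for a step at or before
    `last_used_counter`, so a captured code cannot be replayed. Returns
    (accepted, new_last_used_counter); the caller persists the counter."""
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_used_counter:
            continue  # already consumed or older than something consumed
        if hmac.compare_digest(hotp(secret, counter), code):
            return True, counter
    return False, last_used_counter


# Recovery codes: the user is shown the plaintext once; the service keeps only
# salted PBKDF2 hashes so a database leak does not hand out working codes.
# Format "xxxxx-xxxxx" and the 40-bit length are choices made for this example.

def _hash_recovery_code(code: str, salt: bytes) -> str:
    normalised = code.strip().lower().replace("-", "")
    return hashlib.pbkdf2_hmac("sha256", normalised.encode(), salt, 100_000).hex()


def generate_recovery_codes(count: int = 8, salt: bytes = None) -> tuple:
    """Returns (plaintext codes to show the user once, store to persist)."""
    salt = salt or secrets.token_bytes(16)
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(5)          # 40 bits of randomness per code
        codes.append(raw[:5] + "-" + raw[5:])
    store = {"salt": salt, "hashes": {_hash_recovery_code(c, salt) for c in codes}}
    return codes, store


def redeem_recovery_code(store: dict, code: str) -> bool:
    """Consumes a recovery code: a code is accepted at most once."""
    digest = _hash_recovery_code(code, store["salt"])
    if digest in store["hashes"]:
        store["hashes"].discard(digest)
        return True
    return False


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test-vector secret, constructed inputs for the walk-through.
    secret = b"12345678901234567890"
    now = 59
    code = totp(secret, now)
    print("token shows", code)                                  # 287082
    print("first use", verify_totp(secret, code, now, -1))      # (True, 1)
    print("replay", verify_totp(secret, code, now, 1))          # (False, 1)

    codes, store = generate_recovery_codes()
    print("redeem once", redeem_recovery_code(store, codes[0]))  # True
    print("redeem again", redeem_recovery_code(store, codes[0]))  # False
```

The `window` argument is the trade-off a service makes between tolerating a slightly wrong clock on the token and widening the set of codes an attacker could guess; the `last_used_counter` bookkeeping is what stops a code shoulder-surfed from the phone screen from being reused within that window.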


