by dheera 3911 days ago
I never understood the point of 2-factor authentication, and moreover, certain agencies (e.g. banks) that force using it. Can't we just pick good enough passwords?

Personally I hate being {attached to|associated with|being required to carry} a particular piece of hardware; I much prefer that information freely flows with me as I move between the various devices I interact with over the course of a day.

There are many times I don't carry my phone around with me or do not wish to, simply because I have a terminal that loads my personalized environment everywhere I go. Information flows with me, not hardware.

3 comments

You're expressing a preference for convenience over security. The truth is that most people pick bad passwords, and even good passwords can be cracked.

2FA with a physical component is generally the best way to achieve the goal of "information flows with me". With a password only, you can more aptly describe the situation as "information flows with anyone who knows my password".

In that case, can we do 2FA with something biometric? Or even 2 passwords?

A physical component has a lot of issues:

* It can be stolen or robbed at gunpoint. Torture, drugging, and hypnosis aside, your mind is much more secure.

* It can run out of batteries.

* It's one more thing you can lose. It's already annoying enough to have to remember to carry 7 or 8 things every day, including a phone, bike light, smart watch, tablet, battery pack, reusable utensils, and so on. I don't want to have to add more things to this list.

* It can be damaged by the elements.

* It can be difficult to give access to others who you want to give access to.

* It may have security holes of its own, both in hardware and in software.

* When damaged or robbed, the user is highly inconvenienced, to the point that they are unable to access their own money/accounts/etc. How do you get food, water, and get home from the middle of nowhere after your wallet and phone have been taken from your person? With password-only methods, you could theoretically find a nearby public terminal, log in with a simple username and password, and get a ride/call a friend/file a report/do whatever you need to do.

* If it relies on cellular service, it may not work internationally if the user changes SIM cards or devices. For many that live near border towns and cross borders every day for work, this becomes a massive inconvenience.

Biometrics make great usernames but poor passwords since they can't be changed. Imagine a fingerprint system of some kind - someone images your fingerprint from, say, a leftover coffee cup (not hard or expensive to do), and you're pwned.
The Yubikey does not run on batteries. It requires no cellular service. It can be damaged by the elements but not easily. Most electronics would break before it does. Of course you can lose it, but you can lose anything. Attach it to something you care about, such as your regular keychain. If you want to give access to someone, register a second key and lend that key to them. Then revoke when they don't need it.
What if I don't want to carry keys around? My house door can be opened with a password. I only need to carry myself.

> I never understood the point of 2-factor authentication
Ouch. People choosing bad passwords has been mentioned already but the real reason is because it protects against a broad range of MITM attacks as well as some sorts of phishing attacks.
The point is that without it, information just as freely flows to someone with your password across the world. Getting USB sticks like this is a win for me, I hate using my phone for 2FA as well, but something I can just toss on my key ring? Hardly a burden.
What if the thing you're trying to access from doesn't have a USB port? Like, an intelligent table surface, a digital wall, a smart goggle device, or even a tablet that only has a micro-USB port?

Information flow protocols and hardware should be abstracted and separated in the same way that we generally separate church and state in most modern nations. Otherwise, the innovation of either is going to be pulled behind by the other.

Likely the next step for those will be NFC communication. Yubikey NEO has this for example, and can be used with Android phones. Note that U2F uses a challenge-response protocol so sniffing the radio waves will not reveal the secret.
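The challenge-response point above, as an added illustration that is not part of the thread and not Yubico's or the U2F spec's code: a simplified model in which the token holds an ECDSA private key that never leaves it, the relying party keeps only the public key, and each login signs a fresh random challenge together with the origin (mirroring U2F's application parameter). The type and function names are assumptions; the example shows that what crosses the "radio" is a challenge plus a signature, that verification succeeds, and that replaying a sniffed signature against a new challenge fails.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Token models the hardware key; the private key is never exposed.
type Token struct{ priv *ecdsa.PrivateKey }

// RelyingParty models the site; it stores only the public key from registration.
type RelyingParty struct{ pub *ecdsa.PublicKey }

func NewToken() (*Token, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Token{priv: priv}, nil
}

// Register sends only the public key to the site.
func (t *Token) Register() *RelyingParty { return &RelyingParty{pub: &t.priv.PublicKey} }

// Respond signs SHA-256(origin || challenge); this signature is all a sniffer sees.
func (t *Token) Respond(origin string, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(append([]byte(origin), challenge...))
	return ecdsa.SignASN1(rand.Reader, t.priv, digest[:])
}

// NewChallenge draws 32 fresh random bytes per login attempt.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify checks the signature against the stored public key for this origin and challenge.
func (rp *RelyingParty) Verify(origin string, challenge, sig []byte) bool {
	digest := sha256.Sum256(append([]byte(origin), challenge...))
	return ecdsa.VerifyASN1(rp.pub, digest[:], sig)
}

// RunExchange performs one genuine login, then replays its sniffed signature
// against a second challenge. Returns (genuineOK, replayOK, err).
func RunExchange() (bool, bool, error) {
	tok, err := NewToken()
	if err != nil {
		return false, false, err
	}
	rp := tok.Register()
	c1, _ := rp.NewChallenge()
	sig1, _ := tok.Respond("https://example.test", c1) // constructed origin
	c2, _ := rp.NewChallenge()
	return rp.Verify("https://example.test", c1, sig1), rp.Verify("https://example.test", c2, sig1), nil
}

func main() {
	genuine, replay, err := RunExchange()
	fmt.Println("genuine:", genuine, "replay:", replay, "err:", err)
}
```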
Depends on what you're trying to auth with. For example, I was just reading about activating 2FA on my Google account and the backup options were:

* SMS Verification code

* Manually generated list of backup verification codes

A lot of services seem to love using SMS-based 2FA. Thing is, I've already made a personal decision to ditch SMS as antiquated technology (along with the telegram), in favor of e-mail, WeChat, WhatsApp, Facebook and other communication alternatives.

Since some apps apparently still want to cling to old technology, I have one SMS-enabled phone number -- a Google Voice number which forwards to my e-mail address. I don't need to carry my phone around to get my SMS messages. But then again, it's not really 2FA anyway, it's just an annoyance; effectively 2 passwords (one to login to the app, one to login to my e-mail to check my SMS messages).

Then you fall back to using TOTP (Google Authenticator), or SMS codes, or printed backup verification codes.