I don’t think that the problem is 2FA itself so much as poor UX on existing systems.
Let’s say that I have a little USB keychain dongle in my pocket with an “approve” button and a tiny screen. When I sign in, at the time that I plug my password in, I plug the dongle in. It shows the information for whom I am approving authentication. I push the “approve” button.
It’s got a trusted display (unlike a smartcard, so that a point-of-sale system can’t claim that I’m approving something other than what I am).
It can store multiple keys, and I basically use it for any credentials that I don’t mind carrying with me.
I then keep another, “higher security” dongle at home with more-sensitive keys.
Does that add some overhead relative to just entering my password? Yeah. But is it a big deal? No. And it makes it a lot harder for someone to swipe credentials.
I agree that using phone-linked SMS 2FA authentication is problematic (for a number of reasons, not just because it locks you to a phone, but because there are also privacy implications there).
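To make the trusted-display point above concrete, here is an added example; it is not code from the commenter, and it is a deliberately simplified model rather than the FIDO2/WebAuthn protocol that real keys implement. The assumptions are: the dongle keeps one key per site and answers a site's challenge by MACing the challenge together with the site identity the local channel (browser or card reader) reports, the per-site key is a symmetric HMAC secret shared at enrolment instead of the asymmetric key pair a real token would hold, and the site names bank.example and evil.example are made up. What it shows is why the display matters: a phishing site can relay the real site's challenge, but it cannot change what the display shows, and even if the user approves without looking, the answer is bound to the wrong site and the real site rejects it.

```python
import hashlib
import hmac
import secrets


class Token:
    """Model of the pocket dongle: a per-site key store plus a trusted display.

    Simplification (assumption, not how real FIDO2 tokens work): the per-site key is a
    symmetric HMAC secret shared with the site at enrolment; a real authenticator keeps
    a private key and hands the site only the public half.
    """

    def __init__(self):
        self.keys = {}      # rp_id -> per-site secret (a separate key for every site)
        self.display = []   # what the trusted display has shown, newest last

    def enrol(self, rp_id):
        """Create a fresh key for this site and return what the site stores."""
        key = secrets.token_bytes(32)
        self.keys[rp_id] = key
        return key

    @staticmethod
    def _message(rp_id, challenge):
        # The answer is bound to the party the token actually talked to.
        return b"auth:" + rp_id.encode() + b"\x00" + challenge

    def authenticate(self, channel_rp_id, challenge, approve):
        """Show whom we are approving for, ask the user, then answer the challenge.

        channel_rp_id comes from the local channel (browser or reader), never from the
        remote party's own claim, so a relay cannot put a different name on the display.
        """
        self.display.append(channel_rp_id)
        if not approve(channel_rp_id):
            return None                     # user did not press "approve"
        key = self.keys.get(channel_rp_id)
        if key is None:
            return None                     # no key for this site: nothing to sign
        return hmac.new(key, self._message(channel_rp_id, challenge), hashlib.sha256).digest()


class RelyingParty:
    """A site verifying dongle responses."""

    def __init__(self, rp_id):
        self.rp_id = rp_id
        self.users = {}       # username -> per-site secret from enrolment
        self.pending = {}     # username -> outstanding challenge

    def enrol(self, user, token):
        self.users[user] = token.enrol(self.rp_id)

    def new_challenge(self, user):
        challenge = secrets.token_bytes(32)
        self.pending[user] = challenge
        return challenge

    def verify(self, user, response):
        """True only for a response to our outstanding challenge, bound to our own rp_id."""
        challenge = self.pending.pop(user, None)
        if challenge is None or response is None or user not in self.users:
            return False
        expected = hmac.new(self.users[user], Token._message(self.rp_id, challenge),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def legit_login():
    """Normal sign-in: the display names the real site and the user approves."""
    token, bank = Token(), RelyingParty("bank.example")
    bank.enrol("alice", token)
    challenge = bank.new_challenge("alice")
    response = token.authenticate("bank.example", challenge, lambda rp: True)
    return bank.verify("alice", response), token.display[-1]


def relay_through_phishing_site(user_reads_display):
    """A phishing site forwards the bank's challenge (constructed scenario).

    The channel reports the phishing site's identity, so that is what the display shows.
    Worst case modelled here: the user even has a key enrolled at the attacker's site.
    """
    token, bank = Token(), RelyingParty("bank.example")
    bank.enrol("alice", token)
    token.enrol("evil.example")
    challenge = bank.new_challenge("alice")        # attacker fetched this from the bank
    if user_reads_display:
        approve = lambda rp: rp == "bank.example"  # declines when the display says evil.example
    else:
        approve = lambda rp: True                  # clicks through without looking
    response = token.authenticate("evil.example", challenge, approve)
    return bank.verify("alice", response), token.display[-1]


if __name__ == "__main__":
    print("legit:", legit_login())
    print("relay, user ignores display:", relay_through_phishing_site(False))
    print("relay, user reads display:", relay_through_phishing_site(True))
```

In the relay case the bank's verify fails either way: with an attentive user there is no response at all, and with an inattentive one the response is a MAC over evil.example rather than bank.example. A smartcard without a display gives the user no way to tell the two cases apart, which is the gap the comment is pointing at; a real token additionally keeps a signature counter and uses a public-key signature, neither of which this sketch models.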
Noted :)