3

Most websites (that I have seen) that implement two factor authentication don't support multiple two factor authentication devices linked to one account.

The biggest reasons I can think of for that are additional complexity of the two factor authentication system, and performance considerations. But I'm not sure if there are any security related concerns.

Is there any security related concerns for allowing users to have multiple two factor authentication devices linked to their account? Or is it just performance and complexity related concerns?

Improve this question
3
  • 1
    It's not the websites that need to support it, but the 2FA process that needs to support it. And it can. Commented Apr 14, 2019 at 19:30
  • @schroeder Yes, I wasn't clear enough about that. It's not the front-end that needs to support it, it's the authentication/2FA/backend system/process that needs to. But the question I think is still valid about if it has security concerns considering no systems/processes I've seen for that implement that. Commented Apr 14, 2019 at 19:32
  • 1
    Most services that "do it right" allow multiple devices. Every service I've seen that allows U2F and most services I've seen that allow TOTP allow multiple devices. Commented Apr 14, 2019 at 19:35

1 Answer 1

Reset to default
2

There's no back-end complexity issue with multiple 2FA devices. The issue is the trade-off between security and convenience, which is the age-old problem of authentication systems.

The "two factors" in two factor authentication are a thing you know (your memorized secret, or password) and a thing you have (your 2FA device, security key, etc). If you allow the thing you have to be many things, it significantly increases the chances of the thing that you are supposed to have is in the hands of someone else, which eliminates the advantage of having a second factor at all. Especially since the only reason you would ever need more than one device is if your primary 2FA device isn't where you are.

If your second factor device is a device with biometric capability (in other words, the fingerprint scanner on your phone), then your 2FA software of choice might use that to introduce a third authentication factor, a thing you are (your fingerprint, iris, voice or any other biometric measurement can be considered a thing you are authentication factor), which allows more confidence that the thing you have is truly only authenticating you, even if it's in an attackers hands. But either way, you're extending trust and risk beyond the minimum that's required to be most secure.

Of course, your threat model might mean that you judge the risk from having many devices able to authenticate you, potentially all in different places with different people able to physically access the something you are supposed to have, as an unimportant risk. As other comments have pointed out, many 2FA solutions will allow multiple devices. Use your own judgement as to whether the trade-off is acceptable for you.

Improve this answer
1
  • On the other hand, if your second factor gets lost, the service provider likely won't want to lock you out completely with no chance of recovery. This is why Google's advanced protection requires at least 2 U2F keys, so they can make account recovery without a security key much more difficult (since you have a backup key, it should be less likely the account will need to be recovered). Commented Apr 14, 2019 at 20:55

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.