Two-factor authentication: an often-overlooked fallacy

First off: I’m not saying that two-factor authentication (2-FA) is bad. It’s a rather good method. But people should be aware of what their authentication factors really are, and not presume properties that they do not have.

Let me explain.

We all know about the quality of the easy “something you know” factor: it’s a password/-phrase/-poem or similar, stuff that you can easily memorize and thus do not need to carry around outside of your head. Let me repeat: it’s a memorizable quantum of information. Thus, the only safe storage for this – logically – is your head, as this information can be extracted terribly easily by humans if it’s anywhere else. That means reading it off a post-it, finding the file containing the password – or even guessing it, because, let’s face it, many people use mnemonic passwords.

As the name of 2-FA implies, there’s also a second factor, often described by the phrases “something you have” or “something you are”. What these mnemonics insinuate is that there is nothing that you “know” about these factors, which – although mostly true in most cases – isn’t accurate.

When using common second factors like cryptographic tokens, keys, biometric data or similar, you shouldn’t forget that you’re still dealing with simple information. It’s just that this particular piece of information, usually, is not memorizable in the usual sense. A key’s bitting can easily be mapped into information describing where the cuts are, how deep they are, etc. A human’s DNA can be represented in a pretty long string. A key ring authentication fob is usually little more than a secret “seed” plus an algorithm applied to it.

So it’s not that it’s impossible to gain access to the second factor without possessing it, it’s just way less trivial than a simple effort of memorization. Key fobs don’t allow you to view the seed, for example, but if you can eavesdrop on a synchronization, you’re in – and don’t even need the key. Depending on the complexity of a physical key, a simple photograph is enough to fake it. And these are all methods where, if done right, you wouldn’t even know your secret information was leaked.
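An added illustration, not part of the original post: the sketch below assumes the open HOTP/TOTP algorithms (RFC 4226 and RFC 6238) in place of whatever a given fob actually runs, and uses the RFC's published test seed. `Fob`, `verify` and `copy_is_equivalent` are hypothetical names; the point is that the device, the server and any copy of the seed all compute the same code, so the seed needs the same protection as a password.

```python
import hashlib
import hmac
import struct

# Public test seed from RFC 4226 Appendix D (not a real secret).
RFC_TEST_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(seed, unix_time // step, digits)


class Fob:
    """Hypothetical token model: the seed is hidden, only codes are displayed."""

    def __init__(self, seed: bytes):
        self._seed = seed

    def display(self, unix_time: int) -> str:
        return totp(self._seed, unix_time)


def verify(server_seed: bytes, code: str, unix_time: int) -> bool:
    """Server side: recompute from the server's own seed copy and compare."""
    return hmac.compare_digest(totp(server_seed, unix_time), code)


def copy_is_equivalent(seed: bytes, unix_time: int) -> bool:
    """True if a plain copy of the seed yields a code the server accepts."""
    device_code = Fob(seed).display(unix_time)
    copied_code = totp(bytes(seed), unix_time)  # no device involved
    return copied_code == device_code and verify(seed, copied_code, unix_time)


if __name__ == "__main__":
    t = 59  # constructed timestamp, matches the RFC 6238 test table
    print("fob shows:", Fob(RFC_TEST_SEED).display(t))
    print("seed copy accepted:", copy_is_equivalent(RFC_TEST_SEED, t))
```

Nothing in `verify` can tell the physical fob from a copy of its seed, which is why the seed store on the server side and any provisioning or synchronization channel are part of the factor's attack surface.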

Thus, always remember: two-factor authentication isn’t inherently secure. You need to protect all the factors equally well, and should not trust any factor to be “safe”. After all, you are susceptible to rubber-hose cryptanalysis.

For a quick popular culture example of authentication factor secrecy, the movie “Inception” is an unexpected but welcome candidate. (Spoilers.) In it, each character that delves into dreams is urged to fashion a “totem” with specific properties that only they know, so that they can check they’re not in someone else’s dream. It’s vital for them not to let anyone else see their totem, as that would give the other person the power to fool them into accepting an invalid authentication.

Here, the information is physical, but due to its special nature, also memorizable. You might argue this reduces it to the “what you know” category, but it is a physical factor that allows you to verify that the current reality is the same as the one you created your totem in. The mere fact that the relevant system isn’t a computer but the real world shows how feeble the idea of a physical token actually is.