More like this

Security

Australian government urges holidaymakers to kill two-factor auth

Um, not sure you thought this one through

The Australian government is urging its citizens to turn off two-factor authentication while abroad.

The official Twitter account for myGov – a portal for accessing government services online – told Aussies this week: "Going overseas this summer? If you're registered for myGov security codes make sure you turn them off before you go."

The startling tweets come complete with professional cartoon graphics, clearly suggesting that rather than a civil servant going rogue on an idle afternoon, the advice was produced as a matter of policy.

The myGov website allows Australians to tap into a broad range of government services including tax payments, health insurance, child support, and so on. Since this tends to involve sensitive personal information, it's wise to protect one's account with two-factor authentication – such as a one-time code texted to a phone that needs to be given to the website while logging in.

There's a fear that while citizens are overseas, they may not be able to reliably get these text messages (or be charged an extra fee to receive them) if they try to use myGov. So the advice is: turn off this protection when out the country, and turn it back on again when you return.

Except, of course, that rather misses the entire reason for two-factor authentication, and puts convenience above the actual security of your information.

What's more, people are significantly more likely to be using online services in less secure settings when they are abroad, making the decision to remove a vital mechanism all the more likely that their accounts will be compromised.

In other words, this is really terrible advice.

The entire point of two-factor auth is to make it so that if someone manages to snatch a look at your username and password, they can't automatically log into your account.

As such, the Australian government is doing is the exact opposite of what it should be doing, which is educating people about alternative ways to secure their accounts, rather than pushing the crazy message that security is about convenience and that you should simply drop it when it requires a little extra effort. ®

Sponsored: Global DDoS threat landscape report