Australian government had good intentions, gave bad advice

Dec 25, 2015 16:11 GMT

The Australian government is telling users who travel abroad, for Christmas or during any other period, to turn off their 2FA (two-factor authentication), in a move that has made many security experts cringe and pull their hair out.

The advice comes from myGov, the Australian government's online portal where users can manage various government services online.

The portal's administrators thought it would be a good idea to tell users, via their Twitter account, to turn off 2FA while traveling abroad.

2FA works as an extra authentication layer on top of the classic username and password combo. Services that have 2FA turned on work by sending an additional code to the user, generally in the form of an SMS message.

Because Australians who travel abroad usually swap their SIM for one they use only during their vacation, people who want to access the myGov website from another country won't be able to authenticate: they'll never receive the SMS code unless they swap their SIM cards back.

To avoid any inconvenience, myGov administrators are asking users to turn off 2FA while on holiday, and then turn it back on when they return.

Who in their right mind wants to do taxes while on vacation?

Taking into account that the myGov portal only provides access to government services like tax payments, health insurance data, child support, and other government-related services, it is hard to believe anyone would interrupt their vacation to do their taxes or handle formal affairs during this time.

And if they did, the sensitive information associated with those accounts means many users would actually want to go through the hassle of changing a SIM card just to authenticate securely on myGov.

The entire idea is preposterous and shows once again that security is still an afterthought for many online services, whether in the government or the private sector.