Australian government tells citizens to turn off two-factor authentication

[h2]Australian government tells citizens to turn off two-factor authentication[/h2]

Australian government tells citizens to turn off two-factor authentication

The Australian government has repeatedly called for citizens to turn off two-factor authentication (2FA) at its main digital government portal, myGov. The portal’s Twitter account has recently been updated several times with cute pictures encouraging holidaymakers to “turn off your myGov security codes” so that “you can spend more time doing the important things.”

The portal is the place where Australian citizens can use and manage a number of governmental services, including health insurance, tax payments, and child support. In the case of myGov, two-factor authentication is implemented by sending users text messages that contain one-time codes to complement their usual passwords.

A number of people on Twitter pointed out that, while downplaying security isn’t a good idea in general, it could be even more dangerous when citizens go abroad:

Going out of mobile range? Turn off myGov Security Codes so you can still sign in! Go to ‘settings’ in your account

The reasoning behind myGov’s suggestion is understandable: some tourists will swap their Australian SIM cards to local ones while on holiday. Once this is done, they won’t be able to receive myGov security codes without reinstalling their Australian SIMs, which is a hassle.

The government’s suggestion, however, goes against the whole raison d’être of two-factor authentication, which is to provide an additional layer of security when logging in on the Web. 2FA is even more important when you’re not on a trusted home or office network, which is why the Australian government’s recommendation to turn off 2FA is rather jarring.

In the wake of criticism from users for the unsafe advice, myGov posted on Twitter that people who turn off security codes will “still need to securely sign in with secret questions & answers.” The tweet offers a link to read more on the possibility, however the page it leads to doesn’t mention it.

Even if it did, though, a few additional passwords aren’t a true replacement for good ol’ two-factor authentication.