45 MFA and 2FA Jokes
The push prompt arrived while my phone was in the other room. By the time I got there, the timer had run out and the login had failed and a new prompt was already waiting.
I approved the wrong push. The right push showed up two seconds later. My account is now signed in on a device I do not own.
The SMS code arrived. It arrived an hour later. It arrived to the carrier I had in 2019.
NIST deprecated SMS as a second factor in 2017. My bank, my brokerage, my electric company, and my dentist all still use it.
SMS code arrived from a country code I have never visited, signed by a sender I cannot read. I typed it in anyway.
The voice call MFA option dictated my code at the speed of a horse race announcer. I asked for it again. The second attempt was slower and somehow less coherent.
The authenticator app is on the old phone. The old phone is in a drawer. The drawer is in the apartment I moved out of in 2021.
Reinstalled the authenticator. Thirty seeds vanished into a clean white welcome screen with a friendly tour and zero recovery options.
The authenticator app got an update. The update reset all the seeds. The update notes called this an improvement to the user experience.
I switched phones. The authenticator did not come along. The apps that depended on it have all locked me out, individually, with different recovery flows, on the same Saturday afternoon.
Apple migrated my authenticator to the new phone. Google did not. The accounts secured by Google Authenticator now live on a phone in a drawer.
Lost the YubiKey. Last saw it when I was being responsible about backups.
Found a YubiKey in a coat pocket. The coat is from a different season. The YubiKey unlocks an account I cannot remember registering it to.
The YubiKey is in the laptop bag. The laptop bag is at the office. The office is closed. The account I need is the one that unlocks the office door schedule.
The backup YubiKey is at home. The primary YubiKey is at the office. I am at the airport. The flight is in twenty minutes. The booking confirmation requires MFA.
Plugged the YubiKey in upside down. The site said the key was not recognized. Plugged it in the right way. The site said the key was not recognized. The site has not been recognizing the key since 2021.
The TOTP code expired between reading it and typing it. The next code expired between glancing up and glancing down. I have begun typing codes from the future.
The clock on the phone drifted by ninety seconds. Every TOTP for the day rejected. The clock now rules my entire authentication life.
The recovery codes are in a file. The file is on the laptop. The laptop is locked. The lock requires MFA. The MFA requires the recovery codes.
I printed the recovery codes. I put them in a safe place. The safe place is so safe that I have, on multiple subsequent occasions, mistaken it for an unsafe place and looked elsewhere.
Saved the recovery codes to a password-protected note. The password to the note is in the password manager. The password manager requires MFA.
The recovery code worked. The recovery code is also single-use. I now have one fewer recovery code and exactly the same problem.
Used a recovery code in 2021. Used another in 2022. Used another in 2023. The list is finite. The next reset is also coming.
The MFA fatigue attack sent me forty-three push prompts in twenty minutes. By prompt thirty-eight I was so tired of declining that I almost tapped the wrong one. By prompt forty-three I muted the app.
The push attack landed during a meeting. I declined every prompt and pretended my phone was acting up. The attacker eventually gave up. The meeting continued. I aged four years in nine minutes.
Number matching was added after the fatigue attacks. The number-matching prompt now asks me to type a code into the phone instead of approving on the phone. The phone is in the other room.
FIDO2 fixed phishing. FIDO2 also fixed lockout. The lockout is now permanent and unphishable, which is the security industry working as intended.
Passkeys are the future, said the article that opened on a site that did not support passkeys.
Set up passkeys on the new phone. The passkey synced to iCloud. The Android tablet cannot see the passkey. The passkey will not let me sign in on the tablet. The article that recommended passkeys did not mention the tablet.
WebAuthn is supposed to be cross-platform. The cross-platform part is the line in the spec.
MFA enrollment requires the security key, the phone, the laptop, and a notarized statement that I am the person whose email I am about to enter.
The enrollment flow said scan this QR code. The QR code expired in sixty seconds. The QR code was on a screen the camera could not focus on. The camera was a Mac webcam.
The QR code printed on the bank letter is grainy. The authenticator app cannot read it. The bank suggests calling the helpdesk. The helpdesk requires MFA to authenticate.
I lost the device. The recovery flow asked for two pieces of identifying information. The information was last updated in 2017. I have a different last name now.
Helpdesk verified my identity by asking the answers to security questions I set up in 2014. I do not remember the answers. The helpdesk remembered them with me. The verification still passed.
MFA reset required a video call with my photo ID on screen and a fresh handwritten note with the date. The note was returned with feedback. The feedback was that my handwriting did not match.
The shared inbox uses MFA. The MFA is on one person's personal phone. The one person is on vacation. The shared inbox is on vacation too.
The team Slack workspace MFA recovery requires the workspace owner. The workspace owner left the company in 2020. The recovery flow has no fallback. The workspace is now a digital ghost ship.
MFA bypass codes are documented in the runbook. The runbook is in Confluence. Confluence requires MFA.
Push notifications during dinner, during the movie, during the school recital. The login is somebody else's at this point. The push is the only one that still treats me like a primary user.
Approved a push at 3am while half asleep. Spent the next morning trying to remember which service I had logged into. The service has no audit log I can see. The login was either me or it was not.
The push prompt said sign-in attempt from Frankfurt. I am not in Frankfurt. I have never been in Frankfurt. I declined. The next prompt said sign-in attempt from Frankfurt. Frankfurt is now part of my login routine.
Geographic anomaly blocked my login from the city I live in. Approved my login from the airport in a country I have not visited. The model has opinions and the opinions are wrong in directions that cost time.
Step-up authentication asked for MFA on a session I had just MFA'd. The first MFA was for the login. The second was for the action. The third was for the confirmation. The fourth was for the report on the confirmation.
Adaptive MFA decided to trust this device. Adaptive MFA decided to trust this device on every subsequent login except the one where I needed it most.
Why the second factor still writes the first joke
MFA is the single most effective control most people will ever add to an account. CISA puts it at the top of the basic cybersecurity list. NIST 800-63B builds an entire grading system around the strength of the second factor and the path to recovery. The math is uncontested. The implementation is where the comedy lives. SMS is still deprecated and still the default at half of the banking sector. Authenticator apps still lose seeds on phone migration. YubiKeys still fit in coat pockets that get put away for a season. Push prompts still arrive while the phone is in the other room.
The fatigue attacks of 2022 changed the genre. Number matching was added to most major implementations after attackers learned to spam push prompts until somebody tapped the wrong one. Number matching is better. Number matching also moved the action back to the phone, which is still in the other room. The next generation is passkeys, which solve phishing and lockout in equal measure, with the lockout side trending in the wrong direction for anyone whose sync ecosystem does not match their device ecosystem.
The reason the joke keeps writing itself is the same reason the password joke writes itself. The control is correct. The deployment is partial. The recovery path is somebody else's problem. And the second factor is, almost by definition, the factor that is missing exactly when you need to log in.
See also
- 45 Password Manager Jokes for People Who Forgot the Master Password: the vault behind the second factor.
- 50 Password Policy Jokes for People on Their 17th Reset This Year: the first factor the second factor is bolted onto.
- 50 Sysadmin Jokes Only Sysadmins Truly Appreciate: the person doing the MFA reset on a Saturday.
- 45 Corporate Training Jokes for Mandatory Compliance Modules: the awareness module that mentioned MFA fatigue once.
- 50 Microsoft Teams Jokes for People Stuck in the App: the SSO that pops a push mid-meeting.
- 50 SOC Analyst Jokes for People Triaging the Same False Positive: the team watching the impossible-travel alert your phone just generated.
- 55 Return to Office Jokes for People Whose Badge Still Worked: the office where the auth app is on the phone you left at home.