I’ve been finding it quite difficult to find encryption software that also uses some form of 2FA. I wasn’t sure why, but something tells me replies from the AxCrypt employees paint a good picture of the industry’s current mindset.
It seems AxCrypt is only looking at the surface of 2FA when it comes to encryption. To them, a single key/passphrase is the only thing that matters. If you have that, then clearly the contents can be decrypted (as that is how encryption/decryption works after all).
But why limit yourself to such a basic old-school technique as the only option? Why not double-encrypt the archive with a 2FA layer if the user so desires?
Assuming an encrypted archive is only intended to be accessed by a single person, why not take advantage of the vast array of 2FA options available? I mean let’s face it, unless somebody is going to be decrypting/encrypting the same archive over and over and over on a daily basis, chances are the complex password (that they should be using) will be easily forgotten. And more than likely, to make sure they don’t forget the one and only password that unlocks everything, they will make a copy of it somewhere on their computer or in printed form. What if the person thinks “I’ll put this super secure password on my grocery list for May of 2010 in the Galaxy folder inside a Dog folder hidden in a .jpg file. Nobody will figure that out!” Then two years later, they completely forget the password. And since they tried so hard to secure that password, they completely forgot where they put it on their computer.
Why not give the user another option/layer of security before being allowed to see the actual contents of the encrypted file? Heck, with things like YubiKey nowadays, there is a heap ton of different 2FA options available (including 1FA that just uses the physical key alone… i.e. U2F. The USB key can unlock everything without ever having to remember a complex password). Should everybody be limited to only one option of authentication before decrypting a file/archive via a memorized password only?
People constantly forget passwords when they use something different for every website/logon; it’s why many of us use password managers. We want the security of having a unique and complex password for every site, while at the same time still having an easy way to access them all with a single memorable master password (combined with 2FA, ideally).
Stop living in the past and think about giving people more options. 2FA could be implemented in encryption software as another layer of security. Just use your imagination. The software could be a gatekeeper with 2FA via 2-step encryption, all offline too.
Either way, more options are better. Encryption via a password to decrypt contents of a file only may be the easiest and simplest option, but it is not the only option. Layers are key. One extra layer can potentially keep the wrong person out where single layer security would let them through without hesitation if they met just one requirement. If somebody had a key to your house that you didn’t want in your home, would it not be ideal to at least have one extra requirement before they could open your door?