Journalists, Government Hacks, and two factor authentication

I noticed yesterday multiple journalists I am following asking every other journalist to enable two factor authentication on their accounts for fear of a government hack.

I think it is less secure to have two factor authentication on your account than not having it. Let me tell you why.

When you have a strong password, for the government to hack you they have to have malware installed on your computer or mobile. While you can’t avoid that unless you are very careful, they can’t try every combination of passwords on Gmail or any other service until they know your password.

When you enable two factor auth, your mobile number also acts as a recovery mechanism to change your password. The problem with this is that the government can enter your email address, say they forgot the password so that you get an SMS, intercept the non-encrypted, plain-text SMS from the mobile operator network, and bingo! They have access to your account.

There have been reports that the Egyptian government is doing this. A personal friend of mine also got an email from Facebook saying that someone had tried to reset his password; upon tracing the IP address Facebook sent him, it turned out to be the Egyptian national security HQ in Alexandria.