Legal Risks of Forced 2FA Under South African Constitution

South African banks and agencies mandate 2FA without opt-out, risking legal challenges over constitutional and POPIA rights

Across South Africa’s digital landscape, a growing number of companies and government agencies are enforcing mandatory Two-Factor Authentication (2FA) as a baseline security measure. While ostensibly designed to protect users, this compulsory imposition raises significant concerns around personal freedom, constitutional rights, and compliance with data protection laws such as the Protection of Personal Information Act (POPIA).

This article exposes how entities like Capitec Bank, SARS eFiling, Ozow, PayFast, and others mandate 2FA without meaningful user choice—a practice that not only undermines customer agency but may also contravene legal standards protecting individual rights.

South African Companies Mandating Two-Factor Authentication

Several major players in South Africa have institutionalised mandatory 2FA across their platforms:

  • Capitec Bank: All online banking customers must register for 2FA, choosing between the Capitec Mobile App or a physical hardware token. Transactions require entering a PIN or biometric confirmation alongside one-time passwords, making 2FA compulsory for every internet banking account.

  • SARS eFiling: Since November 2024, SARS enforces 2FA for all individual tax profiles, requiring users to enter a one-time PIN sent via SMS or email after standard login credentials.

  • Ozow: Every EFT payment through Ozow requires bank-level 2FA authorisation, either via an app prompt or SMS OTP, without exception.

  • PayFast: Multi-factor authentication is mandatory for all merchant accounts, requiring time-based codes generated by authenticator apps such as Google or Microsoft Authenticator.

These institutions’ security policies explicitly preclude opting out, embedding 2FA as a non-negotiable barrier to accessing critical financial and governmental services.

Legal Concerns: Constitutional Freedom of Choice

The enforced nature of 2FA practices directly clashes with constitutional protections enshrined in Section 10 and Section 14 of the South African Constitution, which guarantee the right to dignity, privacy, and freedom of choice.

  • Freedom of Choice and Personal Autonomy: Forcing citizens to submit additional personal data or security credentials without meaningful consent places individuals under duress. The constitutional principle of dignitas implies respect for personal agency, which forced security measures violate by removing user discretion.

  • Right to Privacy: Section 14 explicitly protects individuals against arbitrary interference with privacy. Mandating 2FA—often involving biometric data or device-generated codes—without a risk-based approach or opt-out options infringes on this right by expanding data processing beyond necessity and proportionality.

This unilateral enforcement undermines the principle that security measures should be balanced, context-sensitive, and subject to individual risk assessments.

POPIA Analysis: Non-Compliance with Consent and Proportionality

The Protection of Personal Information Act (POPIA) further complicates the legality of forced 2FA:

  • Section 11(1)(a) and (3): Consent and Objection Rights
    POPIA requires that personal data processing be based on informed consent or lawful justification. Section 11(3) explicitly empowers data subjects to object to processing based on legitimate grounds. Forcing 2FA credentials as mandatory, without providing opt-out mechanisms or risk-based alternatives, violates these provisions by negating genuine consent and overriding valid objections.

  • Section 11(1)(b) and (c): Contractual Necessity and Legal Obligation
    While companies cite contractual necessity or legal obligations as bases for processing, these claims are contestable when the imposed measures exceed what is reasonably necessary. No clear legislative mandate compels 2FA for all customers irrespective of their security posture, making blanket enforcement legally tenuous.

  • Section 19: Accountability and Reasonableness
    POPIA mandates proportional and reasonable safeguards tailored to actual risk. Enforcing one-size-fits-all 2FA disregards the principle of risk-based assessment and excludes individuals with superior or alternative security measures. This blanket approach introduces new risks—such as potential loss of access, increased attack surfaces via TOTP vulnerabilities, and systemic lockouts—contradicting the Act’s intention.

The Broader Implications: Institutional Overreach and User Disempowerment

The growing trend of forced 2FA by financial institutions and government agencies reflects a worrying shift towards institutional overreach and erosion of individual rights in the digital sphere. By eliminating meaningful choice, these policies treat users as mere data points subject to a uniform security mandate rather than autonomous agents capable of managing their own risks.

This undermines not only privacy and consent principles but also sets a dangerous precedent for future digital governance, where customer agency and constitutional freedoms may be subordinated to corporate or bureaucratic convenience.

Questioning the Cost of “Security”

While the protection of personal and financial data is undeniably crucial, it is equally important to scrutinise the methods by which security is enforced. South Africans deserve transparent, justifiable, and choice-respecting security practices, not blanket mandates that sidestep constitutional rights and POPIA safeguards.

Are companies like Capitec, SARS, Ozow, and PayFast truly acting in the best interests of their users, or are they simply prioritising operational ease at the expense of fundamental freedoms? What mechanisms exist to hold them accountable for overstepping legal bounds?

These questions must be urgently explored by regulators, policymakers, and the public to prevent digital coercion from becoming the norm.