Childhood Dream: 2FA for Fast Food Reward Points
Why is this Security meme funny?
Level 1: A Secret Handshake for French Fries
When you were little, you maybe dreamed of becoming an astronaut, a firefighter, or a dinosaur. Nobody dreamed of this: standing in line, phone out, waiting for a text message with a secret number, typing it in carefully — all to prove to a hamburger restaurant that you are really you, so it will give you the sticker points it owes you. It's funny because it's said in the proud voice of someone announcing their life's dream, and the dream turns out to be the most boring chore imaginable. The grown-up world took "collect ten stamps, get a free burger" and added a secret-agent ritual to it.
Level 2: What 2FA Actually Does, and Why It's on Your Fries
Two-factor authentication (2FA) means proving identity with two different kinds of evidence: something you know (a password) plus something you have (your phone, receiving a six-digit one-time code, or running an authenticator app). It exists because passwords leak constantly — people reuse them, and breached lists circulate — so the second factor stops an attacker who only has your password. A loyalty program is a points ledger: spend money, accrue points, redeem for food; since points equal value, accounts become theft targets, which justifies the auth. The app-for-everything pattern is the surrounding economics: chains price items cheaper in-app to drive installs, because an installed app means notifications, tracking, and repeat business. Your first encounter with this stack as a junior dev is usually instructive — you realize the burger app has OAuth flows, token refresh logic, and fraud heuristics, and some team of engineers stands up on-call rotations for it. The meme is what those engineers feel during sprint planning.
Level 3: Threat-Modeling the McNugget Ledger
The tweet from "youth code orange" (@thamosdeaf), framed against a photo of golden arches on a teal facade, is deadpan in a way that rewards close reading:
"As a boy I always knew I wanted to grow up and use two factor authentication to access fast food reward points on an app"
The sentence structure is the joke — the soaring childhood-dream cadence ("As a boy I always knew...") resolving into the most bathetic noun phrase modern life can produce. But for practitioners, the satire cuts at something specific: security ceremony decoupled from asset value. Two-factor authentication exists because passwords alone fail against credential stuffing and phishing; it's genuinely critical for email, banking, and source control. The comedy is that the same ritual — install app, create account, receive SMS one-time code, type it in before it expires — now guards a ledger of burger points. Somewhere a real threat-model meeting concluded this was proportionate, and here's the thing: they weren't entirely wrong, because loyalty points are fungible value and points-theft fraud genuinely exists. The absurdity isn't the security; it's the upstream decision that buying fries should involve an authenticated, server-side account at all.
That upstream decision is the deeper target — the pattern the community calls enshittification and "there's an app for that" gravity. Fast food chains push app-exclusive pricing because the app converts an anonymous cash transaction into a tracked, marketable identity: purchase history, location pings, push-notification reach. The reward points are the bait; the data relationship is the product. Once that account holds stored payment methods and redeemable value, the security team is obligated to bolt on 2FA, session management, and fraud detection — and so, link by reasonable link, a cheeseburger acquires an auth stack that would have been overkill for a 1999 corporate VPN. Every individual decision is defensible. The end state is a man standing in a parking lot typing an SMS code to claim fries, living a future no child's crayon drawing ever depicted. The friction isn't a failure of UX design; it's the successful output of an incentive chain where your patience is the resource being spent.
Description
A tweet by "youth code orange" (@thamosdeaf) overlaid on a photo of McDonald's golden arches mounted on a teal building facade. The tweet reads: "As a boy I always knew I wanted to grow up and use two factor authentication to access fast food reward points on an app". The deadpan sarcasm targets the over-engineered enshittification of everyday life: buying fries now requires an account, an app install, an SMS code, and a loyalty-points ledger - enterprise-grade auth ceremony wrapped around a cheeseburger, a future no child dreamed of
Comments
3Comment deleted
Somewhere a threat model meeting concluded that McNugget points are a higher-value target than my bank account's SMS fallback
I'm confused. Is there a fast food app that requires 2FA to login, or do they actually mean required oauth2 because they don't want to deal with actual login credentials directly? Wouldn't you want 2FA specifically to prevent 3rd party data leaks from giving someone access to things like your home address (assuming the app does delivery services) Comment deleted
I'm assuming the meme is referring to https://mcdonalds.com.mt/two-factor-authentication/ but tbh skill issue. Users obviously can't be trusted with their own security, as history shows. Comment deleted