Essays on Technology and Culture

The Two-Factor X-Factor

Another day, another data breach. This time it’s eBay, but it’s happened with pretty much every major Internet service. If only password hygiene was easier for normal people to grasp. It wouldn’t solve the problem of hackers getting user data, but would help contain the potential damage to user accounts. Even an encrypted list of passwords can be cracked by a dedicated hacker, and lists of common passwords, and their encrypted versions can be had easily online. Once again, using the same password in multiple place is just begging for a world of hurt.

It’s why I’m glad to see two-factor authentication rolling out in more places online. I use two-factor authentication for a lot of the sites I use every day, from Google, to Facebook, to the backend of this very site. The premise is simple: you have your username, and your password, but you also have a second code you have to enter when you log in that is tied to a physical piece of hardware on your person. If those codes match, you’re in. This means that someone trying to break into your accounts needs to have both your credentials, and that piece of hardware to get in. It’s not a new idea; security and financial services have long had dedicated “dongles” that provided codes, but now we all have smartphones, or at least flip phones with texting plans. Two-factor! It should be a slam dunk, right?

The biggest problem is crappy implementation. If, for example, I’ve read that if you keep logging into your two-factor authenticated Google account from the same computer, Google assumes you can trust it and stops asking for your code. [1] It’s a terrible assumption if, say, you’re homeless and use the same library computer to access your email. Or, if your two-factor code is being sent by an insecure method, say SMS or voice message, it’s not hard for a dedicated hacker to snag it before you do. If a server is still affected by the Heartbleed bug, then two-factor authentication can be bypassed, too. For services that use a short PIN (Apple, for example), a dedicated hacker can even just brute-force it.

Two-factor authentication is also a pain in the ass to set up with many services. Setting it up for a new service is the only time I ever use my phone to scan QR codes, which is a pain on its own. There’s also creating backup login codes to store, linking phone numbers where you’d prefer not to have them [2] , or installing crappy apps on your smartphone you’ll never use for other purposes. These are all things that can be overcome through a little diligence, and a little vigilance on the part of the implementers, though. The mainstreaming of biometrics can also help make two-factor even more secure. Even if the bad guy has my phone, they’d have a hard time getting into my authenticator app without my thumbprint.

It’s been said before: “Easy security is no good, good security is not easy.” We’ll never be rid of the threat of bad actors trying to get into our personal data, but there’s enough people working on the problem that the roadblocks are going to get stronger in the future. By making good security, if not easier to set up, at least harder to avoid, we move to a safer online future. Two factor will be part of it, but it’s going to take some time. Certain people will always want to use “12345” as the password on their email account, but the sooner we can mitigate the effects of that, the better off we’ll all be.

  1. I was unable to find where I read this, so take it with a grain of salt. I’m sorry.  ↩
  2. In fact, while I was writing this, Twitter’s SMS based two-factor authentication was reported as compromised for AT&T phone numbers!  ↩