TechSpot

Two-Factor Authentication: Common Practices and Where to Enable It

By dkpope
Sep 21, 2016
  1. When I mentioned to a few friends that I was writing a feature about two-step authentication, the typical response was an eye-roll and "Oh, that annoying thing?..." Yes, that annoying extra step. We've all had that thought when we needed to get a code before we could log in or verify our identity online. Can I please just log in without a barrage of requests?

    However, after much research about two-factor authentication (often referred to as 2FA), I don't think I'll roll my eyes at it anymore. Let's get to know two-factor authentication a little better, the different options out there, and dispel some myths surrounding that "annoying" extra step.

    Read the complete article.

     
  2. Arris

    Arris TS Evangelist Posts: 4,606   +287

    Having implemented 2FA for secure data systems I can say that it can be a pain for users but does add protection. Particularly with systems where the second factor is provided with a short period of validity. For instance, a third party system I integrated with my company's system issues an OTP (one-time password) over an app which has a minute or two of validity before it expires, before generating a new one. This means that even if something is intercepted over supposedly secure channels, the window for someone to use it with the other factors (username and standard password) is small.

    To state that 2FA is flawed is probably not the best way of phrasing it. Perhaps saying it isn't perfect, that it isn't foolproof or 100% secure. "Flawed" when discussing software or technology suggests that there is a fundamental imperfection with the whole concept, or a poor implementation that causes the technology to fail. If 2FA is to be labelled as "flawed" what does that make single factor authentication?

    2FA that uses RSA tokens or even the likes of Battle.net authenticator to log into World of Warcraft really needs you to have access to the physical token to gain access, making it, in my opinion, one of the most secure types. Also the systems that use biometric methods for the second factor are inherently more secure (other than the laughable face recognition systems that can be circumvented with a picture of the person's face).

    There is often nowadays a tug of war between convenience and security. If you increase the security to a level where it is close to impenetrable then it will also be edging towards unusability. Often compromises to the security are made if it's something that users have to interact with frequently, obviously factoring in the critical nature of the data they are going to be accessing.
     
    Last edited: Sep 27, 2016
    petert, jobeard and Julio Franco like this.
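
The short validity window described in the post above, as an added example that is not part of the original thread or of any system the poster mentions. It assumes the app generates RFC 6238 time-based codes with a 60-second step; `Verifier`, `SECRET` and `STEP` are hypothetical names, and the secret is the constructed RFC test key.

```python
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"  # constructed demo key (RFC 6238 test secret)
STEP = 60                         # assumed validity period, in seconds


def totp(secret, now, step=STEP, digits=6):
    """RFC 6238 code for the time step containing `now` (HMAC-SHA1)."""
    counter = int(now) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Hypothetical server-side check: short window, each step usable once."""

    def __init__(self, secret, step=STEP, drift=1):
        self.secret, self.step, self.drift = secret, step, drift
        self.last_used = -1  # highest time step already accepted

    def verify(self, code, now):
        current = int(now) // self.step
        # Accept the current step and `drift` earlier ones (clock skew).
        for counter in range(current - self.drift, current + 1):
            if counter <= self.last_used:
                continue  # replay of an already accepted step
            expected = totp(self.secret, counter * self.step, self.step)
            if hmac.compare_digest(expected, code):
                self.last_used = counter
                return True
        return False


if __name__ == "__main__":
    v = Verifier(SECRET)
    code = totp(SECRET, 1000)
    print(v.verify(code, 1010))                 # same step, first use
    print(v.verify(code, 1010))                 # same code replayed
    print(Verifier(SECRET).verify(code, 1200))  # presented after expiry
```

Tracking the last accepted time step is what makes an intercepted code useless once the legitimate user has logged in with it, even inside the validity window.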
  3. davislane1

    davislane1 TS Evangelist Posts: 3,540   +2,337

    To read this comment please enter the six digit security code sent to your mobile phone in a comment below.

    If you did not receive a security code, please refresh the page and try again.
     
  4. theruck

    theruck TS Booster Posts: 104   +20

    If 2FA is not annoying I am sure there will be 3FA coming soon
    2FA is a joke. It says that my super secret password is not safe to put in on computers so somebody else has to send me another password which does not conform to any password best practice policies and rules for it to be safe.
    Basically it's like secret questions without knowing answers and relying that the secret answer comes to me from a magic provider of secrets.
    Pathetic...
     
  5. davislane1

    davislane1 TS Evangelist Posts: 3,540   +2,337

    ^^^ This is that guy at the gym who thinks the combination lock on your locker should be replaced with a Brinks safe inside an armored security truck inside a bank vault inside a military compound (possibly on the moon) to protect your keys.
     
    liammac002, Burty117 and Arris like this.
  6. RustyTech

    RustyTech TS Guru Posts: 865   +434

    It sounds like you have NO idea what 2FA is. The "stupid" and "not best practice" code you get on a SEPARATE device is in ADDITION to your super secret best practice password that you already use; and not just in addition, but also from a different source/device.
    It's like triangulating your exact position using multiple towers, except this is using multiple devices - for your identity.
    Do you know how hard it is for a hacker to mimic this? Obviously you don't.
     
  7. bexwhitt

    bexwhitt TS Addict Posts: 291   +55

    The problem with Google Authenticator is when you change phones you have to unlink and then generate new keys or you can end up screwed.

    Authenticator Plus solves that by saving the keys encrypted to your Google Drive or wherever. It's $2.99 but you can set pin or fingerprint protection too, which adds extra security.
     
    mbrowne5061 likes this.
  8. mbrowne5061

    mbrowne5061 TS Evangelist Posts: 332   +131

    THAT is actually really good to know - I am planning on changing phones soon, and it never even occurred to me.
     
  9. robb213

    robb213 TS Addict Posts: 315   +93

    Use Authy by Twilio instead. It's free, updated, has backups, and a fine UI. It's literally the case that there's no point in paying for a 2FA app like above.

    Side note, NIST recommended deprecating SMS 2FA a bit ago. Wish Yahoo would drop it and allow people to use 2FA OTP generation like Google, Microsoft, Dashlane, etc.
     
  10. bexwhitt

    bexwhitt TS Addict Posts: 291   +55

    It depends on what you want, I for one am not comfortable in giving my keys to a third party that could get hacked or more likely stop supporting it.
    As my Google account has money from surveys that I have to spend on something, I have to spend it on apps or music or lose it. My point is Google's app will leave you high and dry if you lose or break your phone, so use something else that will back up your keys.
     
    Last edited: Sep 23, 2016
  11. mbrowne5061

    mbrowne5061 TS Evangelist Posts: 332   +131

    I was talking about just Google Authenticator. I rarely pay for apps, and only if it offers a significantly improved experience over any free version (and is an app I use often - and not many services need 2FA, and lack their own built-in solution).
     
  12. robb213

    robb213 TS Addict Posts: 315   +93

    It's your money, so I'm not one to say what you do with it. I get that you gotta spend it or lose it though ;)

    However, Google is a third party as well and since the data is stored online there's always the possibility of it being broken into. Twilio is also a large corporation that markets to enterprise needs, so Authy wouldn't be going away anytime soon. I feel safe giving this information to either Google or Twilio, as they are both reputable here.
     
  13. bobc4012

    bobc4012 TS Enthusiast Posts: 50   +27

    What do you do when one has no cell phone nor tablet? Can't provide a phone number nor a fingerprint.
     
  14. osa1011

    osa1011 TS Rookie

    As the article states, you can use a physical authentication key which you plug into the USB port of your keyboard.
     
