Two-Factor Authentication: An Idea Whose Time Has Come
Passwords: Everyone hates them. They were a stopgap measure created in a more innocent age, when the systems connected to the Internet numbered in the hundreds rather than hundreds of millions. For the vast majority of web services and mobile apps, as few as 16 bytes stand between miscreants and your vital data. This is totally inadequate in an era when cloud-based rainbow-table brute-forcing is available to crooks for pennies or even for free.
Any system on the Internet can attempt to connect to any other system, by design. The NSA can spy on your conversations legally under Section 215 of the Patriot Act. All of this connectivity means that people in China, Kazakhstan or Kalamazoo can try their luck at guessing the username and password to your online banking account. Combined with people’s propensity to reuse passwords, this means that attackers only have to penetrate one poorly defended server, steal your hashed password and then compare it to the rainbow table to determine if you used any common dictionary words. And if you did, and you used the same username, they’re in!
What can be done about this? One solution used increasingly in industry is two-factor authentication: i.e. something you have, and something you know. This method means that even if hackers steal your password from a server, there’s still another hurdle for them to get through before they take over your account on other servers. Early implementations used a dedicated hardware keychain token with an LCD screen displaying a pseudorandom number which changed every few seconds. However, they were easily damaged by being carried all the time, were expensive and were just one more thing to carry.
The more modern version of two-factor authentication is software on a smartphone. A leading example is Google Authenticator, which is available for Android and iPhone, and even has a web-based version that can be used with non-smart phones via text message or voice call. It provides a unique token for you to use on each login, along with your password. Google Authenticator is being adopted by an increasing number of web-based services including Gmail, Amazon Web Services, Facebook, Dropbox and Linode, to name a few.
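How a rotating login token of this kind can be computed and checked, as an added example that is not part of the original article and is not Google's code. It assumes the standard time-based one-time password scheme (RFC 6238: HMAC-SHA1, 30-second step, 6 digits) that Google Authenticator's codes follow; the `Verifier` class, its replay rule and the demo key (the RFC's published test secret) are illustrative.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code stays current (RFC 6238 default)
DIGITS = 6   # code length shown to the user


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key: bytes, now: float, digits: int = DIGITS) -> str:
    """RFC 6238: the HOTP counter is the number of STEP-second intervals."""
    return hotp(key, int(now) // STEP, digits)


class Verifier:
    """Server side (hypothetical): tolerate clock skew, accept each code once."""

    def __init__(self, key: bytes, window: int = 1):
        self.key = key
        self.window = window      # steps of skew accepted on either side
        self.last_counter = -1    # highest time step already consumed

    def verify(self, submitted: str, now: float) -> bool:
        current = int(now) // STEP
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue          # step already used: a replayed code fails
            expected = hotp(self.key, counter)
            # Constant-time comparison avoids leaking matching digits.
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    key = b"12345678901234567890"   # RFC 6238 test secret, not a real key
    server = Verifier(key)
    code = totp(key, 59)
    print("code at t=59:", code)
    print("first use   :", server.verify(code, 59))
    print("replay      :", server.verify(code, 59))
    print("after expiry:", server.verify(code, 59 + 120))
```

The shared key never travels with the login, so a password stolen from another server does not let an attacker produce the current code.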
No security method is perfect. Obviously if someone steals your phone from you, they will have the authenticator and access to your email from which they can reset your passwords. This is why it’s a good idea to use a PIN longer than 4 digits if available. You might also want to keep the option of remote wipe in mind if someone somehow compromises Google Authenticator itself, either on your phone, or the web-based service. It’s an extra layer of protection that prevents drive-by “doorknob-turning” by casual attackers and largely ameliorates people using weak passwords on multiple servers.
It is an idea whose time has come.