Is this form of two-step authentication really the right, or only, direction for…

By | April 24, 2013
Is this form of two-step authentication really the right, or only, direction for future security?

Let me ask something: do you use two-step authentication? Or is it too much hassle for the extra security? And to find a universal solution: in many cases (of the not-so-outspoken digital non-natives, and poorer families), mobile devices are shared between family members. Is there any good secure solution if you don't have a personal device, but only shared ones? Already, online banking is a pain since everyone has to go to the 'Auth Device Corner' to retrieve the shared device to make a transaction. It is not a satisfactory general solution.

One alternative may be the 'tan card' solution, a printable matrix of random characters (1 to 5 letters in each grid Element) which can be copied and stuck in your wallet as well as at home, from which a random set of three grid elements is requested as the second step in authorization. Perhaps less geeky, but it does get around the 'but xy has the auth generator now' problem. And it's just as insecure as when someone stole your auth device – you can encrypt it with a simple cypher algorithm that you can mentally decode on the fly, if you want to 'password-protect' that piece of paper in case your wallet gets stolen.

Reshared post from +Jon Mallin

Twitter doing internal testing on a 2-Step authentication feature. 2-Step is the issue I raised earlier today when I learned that the AP was hacked.  Of all sites I can think of, it would have made sense for Twitter to have implemented 2-Step by now.

(Wired's headline is an oversell of this story. Ironically, the post is written by Matt Honan, the writer who shared his tale of the "epic hack" he suffered.)

Twitter Now Has a Two-Step Solution | Threat Level | Wired.com
Twitter has a working two-step security solution undergoing internal testing before incrementally rolling it out to users, something it hopes to begin doing shortly, Wired has learned.

7 thoughts on “Is this form of two-step authentication really the right, or only, direction for…

  1. Lionel Dricot

    +Tony Lawrence > My solution is too keep a clear step-by step guide on what to do in case I lost everything. This step-by-step guide also contains the one-time password.

    Then, this guide is encrypted and stored somewhere on an account that doesn't require 2 step authentification.

    The risk is minimal because even if someone could access this guide (which requires to know where it is, to crack my account then to crack the encryption), he would still be nowhere without my passwords.

    Alternatively, instead of storing it online, you could print it and put it in multiple place (bank vault, your parents house, etc)

    Reply
  2. Tony Lawrence

    I use 2-step where offered, but am concerned about the edge cases where I could lose everything at once (fire in the house, run out without phone, now have no authenticated device, and others)

    Reply
  3. Lionel Dricot

    I use Google Authenticator on Google, Dropbox and multiple Bitcoin related website. I also use 2 factor auth with my bank (which had its own device).

    And yes, I believe it really worth the hassle : I always have my phone with me, meaning that I don't have to care about the device and, anyway, those website only require you to log in once a day.

    The only harder point is that you have to prepare well for the case your phone is lost/stolen/broken.

    Reply
  4. Bryana I

    I use Lastpass with a Yubikey nano. I would love it if Google and my Bank would add Yubikey support. The nano is tiny and I don't even notice it's there. The only problem is that there's no easy solution for my cell phone…

    Reply
  5. Paul Hosking

    +Danial Hallock too many people living in the past.  I do use 2-factor where possible (for the most part).  And I have a fist-of-fobs to prove it. 😛

    (snide side comment: at least the author didn't start repeating his "epic hack" experience yet again as 2-factor would not have helped him)

    Reply
  6. Danial Hallock

    Two step authentication isn't the future; its the present.

    The fact that it is so widely underutilized that people think its the future is borderline absurd.

    The future would be behavioral biometrics.

    Reply

Leave a Reply

Your email address will not be published.