Posted 27/Aug 2012 at 13:51
by in Science & Tech read by 155 people

Two factor authentication: Pros and cons

Google has had it for some time now. Dropbox announced it today. Amazon Web Services uses it. Many corporate VPN solutions use it. Internet banking applications have been using it for a very long time. And in general: everything that's seriously worth protecting should absolutely use it.

Two factor authentication.

The idea is pretty simple. You use your password to log in to an application, and after that first step the application asks you to enter some code. You would typically have this code on a piece of paper (low tech solutions), a little device that shows numbers, an SMS or a mobile application. With Google Authenticator, AlterEgo and similar solutions from Amazon and others, it's especially the last one that's getting more and more widespread.

And it should.

Pro: Security

Let's start with the biggest reason to use it: it makes applications a lot more secure. Password guessing is relatively easy, but guessing both a password and a single use passcode is not.

As long as the implementor doesn't allow more than just a few attempts.

Pro: Easier passwords

Now, don't get sloppy, but some would say that you can allow yourself a slightly easier password because of the extra layer of security. Especially if my recommendations (see below) are followed.

Con: A hassle

It takes a few moments to set up, but you still need to do it. And it requires that you, whenever you want to log in, have access to the physical thingie that shows the passcode. This is probably why it's getting more popular for consumer products with the rise of the smartphone.

Con: It's on your phone

But that also introduces a layer of insecurity. Malicious apps might attempt to steal your stored secrets. Or thieves might steal your phone when you're on vacation. Until a few years ago, the biggest problem you had when your phone got stolen was that you couldn't call home so easily. Nowadays, your typical smartphone contains all but the physical keys to your door.

And since you use your phone to get online, you probably won't be able to get online in time to invalidate your precious login secrets.

Recommendation to users

Take a second to think about this, and perhaps consider getting an inexpensive device that runs Android or iOS and using that as your dedicated two factor authentication device, rather than your actual phone. Since you won't be flashing it on the street every time you receive a phone call, it's less prone to theft.

Recommendation to implementors

But the webapps that currently implement it also have some steps to take. For example, most implementations tell the user whether their password was correct before the passcode challenge is presented. I dare say brute force attacks would be a lot less effective if this feedback were postponed until after the passcode challenge.

After all, the attacker would then have to guess both secrets correctly to find out whether either one is correct.

Recommendation to app builders

Come up with some kind of secure way to back up the secrets. People change phones constantly, and storage memory corruption is a real problem. The web is buzzing with people asking for backup methods, and with some very unsafe recommendations such as rooting your phone. Recommendations that always include: keep this information secret.

Well, if users could be trusted with keeping their own digital secrets a secret, we wouldn't really need two step authentication in the first place.

I suggest an export method: an encrypted file that can be decrypted with a specific decrypt app. Login to that app could be based on a password and voice recognition.
