Something you have and something you know: that’s the heart of two-factor (often called multi-factor) authentication. For years the RSA SecurID token was the most common second factor. You use either the key fob hardware device or the software app to get a code that you enter in addition to your ID and your (hopefully) strong password. The code changes every minute, and because it is derived from a secret that lives only on the token and on the server, a stolen password alone isn’t enough to compromise your account, assuming the host site/app implements it correctly.

More recently the cell phone has become the second factor, since it’s the device you typically always have with you. I’ve been using Google Authenticator on my Android phone and it seems to work reasonably well. Visit a site that supports two-factor, enable it, use the phone app to scan the QR code the site shows you, and finally enter the code that appears on the phone to confirm the pairing. The QR code carries the shared secret the app uses to compute each code (which then changes every 30 seconds), so scanning it once is all the setup the app needs. Most sites also let you mark certain devices as trusted, meaning that once you authenticate from, say, your work computer, you only need your ID/password on that device going forward.

The initial setup isn’t bad. I think the biggest downside (aside from having to look up the code to log in!) is when you get a new phone: the secrets live on the old handset, so every site has to be enrolled again. I’ve read, but not tried, that you can save the images of the QR codes to make it easier to set up again. I’m not recommending that, because the image is the secret: anyone who gets the picture can generate your codes. If you do it, secure the images at least as well as your passwords.
Before you get started, remember that security is always about risk management: you can use two-factor everywhere it’s available, or decide to only use it in places you consider high-value/high-risk.
There’s a small list on Lifehacker, and a more extensive list here of sites that support two-factor. Give one a try and see what you think.
Google Authenticator is the one thing that is making me keep two phones. I have a Windows Phone from work that I could use for everything except my 2FA – there seems to be no similar app for Windows Phone. As you say, I use it wherever possible and find it a simple enough process that it does not affect my normal processes.
>> there seems to be no similar app for Windows Phone.
http://www.windowsphone.com/en-us/store/app/authenticator/021dd79f-0598-e011-986b-78e7d1fa76f8
Thanks Frank!
As always, thanks for the action-provoking blog post. Since your post, I have been going through my online identity and adding 2-factor authentication where available. One thing that would be nice in this realm is consistency. I can use Google Authenticator against both my hosted Gmail accounts, LastPass and my blog, whereas Twitter and LinkedIn both want to text me a code, and Facebook wants to use its app to generate the code. It’s definitely something to get used to, remembering where the auth code will come from, but in the grand scheme of things, it’s a minor annoyance compared to getting my accounts compromised.
Another thing to think about with Google Authenticator: unlike the RSA app I have for work authentication, there is no authorization needed to use the app. With the RSA app, I have a private 4-digit key, which is used in generating my token, whereas someone could steal my phone, open up Authenticator and take control of nearly all of my accounts, so I guess physical security of my phone is now just as big of a deal, another thought to add to the security conversation.
Jason, I’m glad you’re giving it a try. Agree consistency would be nice!
I haven’t dug far into the disaster scenarios and I need to. I have my phone protected with a gesture – convenient if not high security, but something, and I have the ability to do a remote wipe. Two factor aside, losing a phone can be a very big deal if you think about the total amount of information on there that could potentially be mined. More of a concern to me is the pain that losing the phone will cause. How long will it take me to get back into those accounts? Being locked out of email alone could be pretty painful.
Losing a phone would be bad, and I likely need to look into my remote wipe options. Funny that you talk about the phone screen lock, as up until the time of your article I didn’t even have a gesture on my phone; a simple swipe and you could own my phone and data. The whole concept of thinking of personal information security led me down the road of thinking of keys, a key to my phone; in this case I found information on how to use an NFC tag as a password/key. I now have a password, but also an NFC tag on my keyring that when activated will unlock my phone. Today actually, I brought some extra tags to work to attach to my desk so I can have a semi-permanent key attached to my primary workspace, so we’ll see how that experiment goes.
Curious to hear. One thing I like on the Moto X (not sure if all of the KitKat phones) is that you can tell it to stay unlocked as long as in range of a bluetooth device you’ve marked as trusted. Kinda opposite of deliberately unlocking at work.
>> whereas someone could steal my phone, open up Authenticator and take control of nearly all of my accounts
Yeah, but we all password protect our phones, right? 😉