The start of 2014 provided a good prompt to get round to doing something I’d long known was wise but hadn’t quite sorted: switching to using two-factor authentication on as many of my online services as possible. (It also goes under a variety of other names, such as two-step security.)
Two-factor authentication’s name has the opposite problem to that of cookies. For two-factor authentication, the problem is that a boring name hides a simple, important benefit. Call it ‘turning on decent security’ and it suddenly sounds rather more useful and the sort of thing you really should do. Two-factor authentication’s boring technical name hides the benefits. By contrast, cookies have a cute name that hides their dangers. Call cookies ‘online activities monitoring and recording files’ and suddenly people would be less willing to click ‘yes’ to all those cookie messages.
The idea behind two-factor authentication is simple: in order to access an online service you need not only your password but something else as well (a second ‘factor’, hence the name). Online banking often does this in a way that annoys. No surprise that free services heavily reliant on making things easy for users do rather better, especially as they don’t want to spend money on sending you plastic calculator devices. Most commonly, you provide your mobile phone number, with the second factor being a special password code texted to your phone when you log in. That means you need to both know your password and have your phone to log in, protecting you against – for example – a hack of a password database.
Discovery number one on implementing my New Year’s resolution has been how pleasantly straightforward it has been to turn on two-factor authentication on Google, Facebook, LinkedIn, MailChimp and more.
I’ve only run into one problem, with LinkedIn’s two-factor authentication not supporting the Outlook social connector plugin.
Discovery number two has been how much variation there is in exactly what you are offered. Most obviously, many implementations let you say ‘remember this device’ and then don’t require the second factor on subsequent logins from the device. That’s handy. It may lower the overall level of security but it also makes it convenient enough to use widely – and better widely used decent security than unused tighter security.
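The password-then-texted-code flow described above, together with the ‘remember this device’ option from this paragraph, sketched in Python as an added example (not code from the original post or from any of the services named); the user record, the code and device lifetimes and the in-memory stores are constructed assumptions.

```python
import hmac
import secrets
from hashlib import sha256

CODE_TTL = 300                # seconds a texted code stays valid (assumed)
DEVICE_TTL = 30 * 24 * 3600   # seconds a remembered device stays trusted (assumed)

# Constructed user record: only a salted hash is stored (a real service would use a slow KDF).
_SALT = b"constructed-salt"
USERS = {"alice": sha256(_SALT + b"correct horse").hexdigest()}
PENDING = {}   # user -> (code, expiry): codes waiting for the second step
TRUSTED = {}   # device token -> (user, expiry): remembered devices

def check_password(user, password):
    stored = USERS.get(user)
    if stored is None:
        return False
    candidate = sha256(_SALT + password.encode()).hexdigest()
    return hmac.compare_digest(stored, candidate)

def issue_code(user, now):
    """Password accepted: mint a six-digit single-use code to be texted."""
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING[user] = (code, now + CODE_TTL)
    return code  # a real service hands this to the SMS gateway, not the browser

def verify_code(user, code, now, remember_device=False):
    """Second step. The code is consumed on use, so each texted code
    allows exactly one attempt, right or wrong, and must be unexpired."""
    entry = PENDING.pop(user, None)
    if entry is None:
        return None
    expected, expiry = entry
    if now > expiry or not hmac.compare_digest(expected, code):
        return None
    token = None
    if remember_device:  # convenience option: this device skips step two for DEVICE_TTL
        token = secrets.token_urlsafe(32)
        TRUSTED[token] = (user, now + DEVICE_TTL)
    return {"user": user, "device_token": token}

def login(user, password, now, device_token=None):
    """'denied', 'need_code', or 'ok' when a valid remembered-device token is presented."""
    if not check_password(user, password):
        return "denied"
    trusted = TRUSTED.get(device_token) if device_token else None
    if trusted and trusted[0] == user and now <= trusted[1]:
        return "ok"
    return "need_code"
```

A remembered device turns the stolen-password-database case back into a one-factor login for as long as that token is valid, which is the trade-off the paragraph above describes.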
What would be really helpful is if a common system for describing such variations evolved, so that you can quickly understand if two-factor authentication systems support options such as remembering devices and providing backup keys in the event of the loss of your phone.
Discovery number three has been just how reliable and fast the text messages used by two-factor authentication systems are (even when, ahem, I did some testing close to midnight on New Year’s Eve).
So far then, so good. And if you haven’t given it a try yourself, do. There’s a handy set of instructions on how to get started on many of the most common services over on LifeHacker.