Two-factor authentication: my technological New Year’s resolution

The start of 2014 provided a good prompt to get round to doing something I’d long known was wise but hadn’t quite sorted: switching to using two-factor authentication on as many of my online services as possible. (It also goes under a variety of other names, such as two-step security.)

Two-factor authentication’s name has the opposite problem to that of cookies. For two-factor authentication, the problem is that a boring technical name hides a simple, important benefit. Call it ‘turning on decent security’ and it suddenly sounds rather more useful and the sort of thing you really should do. By contrast, cookies have a cute name that hides their dangers. Call cookies ‘online activities monitoring and recording files’ and suddenly people would be less willing to click ‘yes’ to all those cookie messages.

The idea behind two-factor authentication is simple: in order to access an online service you need not only your password but something else as well (a second ‘factor’, hence the name). Online banking often does this in a way that annoys. No surprise that free services heavily reliant on making things easy for users do rather better, especially as they don’t want to spend money on sending you plastic calculator devices. Most commonly, you provide your mobile phone number, with the second factor being a special password code texted to your phone when you log in. That means you need to both know your password and have your phone to log in, protecting you against – for example – a hack of a password database.

Discovery number one on implementing my New Year’s resolution has been how pleasantly straightforward it has been to turn on two-factor authentication on Google, Facebook, LinkedIn, MailChimp and more.

I’ve only run into one problem, with LinkedIn’s two-factor authentication not supporting the Outlook social connector plugin.

Discovery number two has been how much variation there is in exactly what you are offered. Most obviously, many implementations let you say ‘remember this device’ and then don’t require the second factor on subsequent logins from the device. That’s handy. It may lower the overall level of security but it also makes it convenient enough to use widely – and better widely used decent security than unused tighter security.
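
The flow described above, as an added Python example that is not code from any of the services mentioned: a login check that needs both the password and a texted code, with a ‘remember this device’ token that skips the code on later logins. The function names, the in-memory stores and the five-minute code lifetime are assumptions made for the illustration.

```python
import hashlib, hmac, secrets, time

SERVER_KEY = secrets.token_bytes(32)  # assumed server secret; signs remembered-device tokens
CODE_TTL = 300                        # assumed lifetime of a texted code, in seconds
_pending = {}                         # user -> (code, expiry); one outstanding code per user

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def issue_code(user, now=None):
    """Create the 6-digit code that the service would text to the user's phone."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    _pending[user] = (code, now + CODE_TTL)
    return code

def device_token(user, device_id):
    """Token handed to a device after the user ticks 'remember this device'."""
    msg = f"{user}|{device_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def login(users, user, password, code=None, device_id=None, token=None, now=None):
    """Return 'ok', 'code required' or 'denied'. users maps name -> (salt, hash)."""
    now = time.time() if now is None else now
    record = users.get(user)
    if record is None:
        return "denied"
    salt, stored = record
    # Factor one: something you know.
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return "denied"
    # Remembered device: the password alone is accepted from this device.
    if token and device_id and hmac.compare_digest(token, device_token(user, device_id)):
        return "ok"
    # Factor two: something you have (the phone that received the code).
    if code is None:
        return "code required"
    sent, expiry = _pending.pop(user, ("", 0))  # a code is dropped after one attempt
    if now <= expiry and hmac.compare_digest(code, sent):
        return "ok"
    return "denied"
```

Someone holding only a stolen password gets no further than ‘code required’, while a remembered device is let in on the password alone, which is the convenience-for-security trade described above.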

What would be really helpful is if a common system for describing such variations evolved, so that you can quickly understand if two-factor authentication systems support options such as remembering devices and providing backup keys in the event of the loss of your phone.

Discovery number three has been just how reliable and fast the text messages used by two-factor authentication systems are (even when, ahem, I did some testing close to midnight on New Year’s Eve).

So far then, so good. And if you haven’t given it a try yourself, do. There’s a handy set of instructions on how to get started on many of the most common services over on LifeHacker.

Securing your accounts is not an alternative to running proper backups. Remember to do those too, including for your computer and for social media such as Twitter.

3 responses to “Two-factor authentication: my technological New Year’s resolution”

  1. Sounds good, but sadly, outside of London – even in a city in the southeast, I just can’t guarantee my phone will have reception. It’s not usually impossible to send or receive texts, but it’s common to be waiting several minutes for reception to become available long enough to send or receive even something as simple as a text message.

  2. Awesome resolution! Just wanted to point out that more usability doesn’t always mean less security. Toopher can automate authentication in locations the user deems safe (work, home) without lessening the amount of security. When something out of the ordinary occurs (you, your phone, are not in the same place as the attempted login) then Toopher will ask you to allow or deny the action. Definitely give Toopher a try on LastPass, MailChimp and in WordPress.

  3. Interesting list – certainly Facebook users should be looking to use the Login Approvals mechanism for two-factor authentication. I wasn’t aware of the PayPal one but will be setting it up shortly.
