Skip to main content

On the effectiveness of two-factor authentication

1.  It has to be on.

As many people now know,  Apple's two-step verification wasn't enabled for the photo service.

2.  Account  creation and recovery needs to be as strong as necessary.

Authentication is really about a transfer of trust. I hand you a hardware token.  We exchange keys in some secure manner.  I assign you a password.  Registration and recovery have to be as secure as you need them to be for the risk.  I think Twitter is doing some interesting things in this regard. I hardly ever have to validate my logins for Twitter.  However, I recently rebuilt two computers.  I then had to validate a number of logins (though decreasingly so as it seemed that Twitter started trusting my home computer more).

The trade-off seems to be: have your mobile if your on an unfamiliar device.  The most annoying thing that can be done here is security questions.  A second token on the PC would be much better.

(It is a bummer that you can only protect one twitter account with two-factor authentication.)

3.  Session security needs to be as strong as necessary.

If your session can be intercepted by a man-in-the-middle, then attackers will go around it.  There's plenty of examples of this under headlines like "Hackers defeat two-factor authentication".  Well, they didn't.  They defeated SSL.  Maybe you should have used mutual authentication.  Hopefully, certificate pinning will reduce this issue.

4.  Usability.

Usability isn't really about effectiveness, but it needs to be addressed.

I believe that now people realized that two-factor authentication is as usable as passwords. I'm not thrilled that services continue to use a password and an OTP instead of getting rid of passwords, but it's much safer to reuse passwords or use simple passwords if you are using two-step verification.

For enterprises, you need to be looking at SSO when deploying two-factor authentication.  Sadly, standards like OpenID-connect are immature when compared to authentication protocols like RADIUS.  

I think it's also time we called BS on articles and blog posts that talk about phishing/malware that gets around two-factor authentication that do not include loss information.  Otherwise, how can we judge effectiveness of the protection?

Current rating: 1

Recent Posts







RSS / Atom