Two-factor authentication pitched to the masses
A few years ago, the hack that exposed private photos of many celebrities, supposedly taken from their Apple iCloud accounts, sparked a trend in the media promoting “two-factor” authentication as the solution. Two-factor simply means that in addition to your password, you need a device such as your cell phone to obtain a code to enter. Thus a hacker would need both to know your password and to have your device in order to break in.
Two-factor is really, really good, no doubt. But it is also a nasty barrier to entry: every time you log in to one of your multitude of services you have to use your cell phone. That quickly becomes annoying and, I believe, it will be difficult to make mainstream.
Server-based rules are better than two-factor authentication
But, here is the kicker: there is a much easier way to achieve a reasonable block on brute-force attacks. Simply require that passwords have a minimum length and include some symbols and numbers in addition to lower- and upper-case letters, and then lock the account for a time-out period after repeated invalid login attempts. (Hey, maybe use two-factor authentication to unlock it? That would work and would not be as much of a barrier.)
Service providers can also implement simple algorithms, such as rejecting password guesses for one account that arrive at nearly the same time from different locations. There is human behavior and then there is hacker behavior, and server-side logic can actually go a long way toward identifying attempted attacks.
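As an added example (not code from this post), here is a small Python sketch of the server-side rules just described: a password policy check, an account lockout after repeated failures, and a rule that rejects guesses for one account arriving at nearly the same time from different locations. The thresholds, the `LoginGuard` design and the sample attempts are all hypothetical and constructed for illustration.

```python
from collections import defaultdict, deque
import re

MAX_FAILURES, FAILURE_WINDOW, LOCKOUT_SECONDS, GEO_WINDOW = 5, 600, 900, 60  # hypothetical; seconds

def password_meets_policy(pw, min_length=12):
    """Minimum length plus lower, upper, digit and symbol, as the post suggests."""
    return all([len(pw) >= min_length, re.search(r"[a-z]", pw), re.search(r"[A-Z]", pw),
                re.search(r"[0-9]", pw), re.search(r"[^A-Za-z0-9]", pw)])

class LoginGuard:  # hypothetical server-side rules, not the post's code
    def __init__(self):
        self.failures = defaultdict(deque)  # account -> timestamps of recent failed attempts
        self.recent = defaultdict(deque)    # account -> (timestamp, location) of recent attempts
        self.locked_until = {}              # account -> time at which the lockout expires

    def check(self, account, location, ts, password_ok):
        """Decide one attempt: 'locked', 'suspicious', 'fail' or 'ok'."""
        if self.locked_until.get(account, 0) > ts:
            return "locked"
        recent = self.recent[account]
        while recent and ts - recent[0][0] > GEO_WINDOW:  # forget attempts outside the window
            recent.popleft()
        elsewhere = any(loc != location for _, loc in recent)
        recent.append((ts, location))
        if elsewhere:                      # guesses from two places at nearly the same time
            return "suspicious"
        fails = self.failures[account]
        if password_ok:
            fails.clear()
            return "ok"
        fails.append(ts)
        while fails and ts - fails[0] > FAILURE_WINDOW:
            fails.popleft()
        if len(fails) >= MAX_FAILURES:     # too many failures: lock the account for a while
            self.locked_until[account] = ts + LOCKOUT_SECONDS
            return "locked"
        return "fail"

def replay(attempts):  # run (account, location, timestamp, password_ok) tuples through a fresh guard
    guard = LoginGuard()
    return [guard.check(*attempt) for attempt in attempts]

# Constructed sample: guesses at 'alice' from 203.0.113.5, one from 198.51.100.7 two seconds
# later, then the real user from 192.0.2.9 during and after the lockout (documentation IPs).
SAMPLE_ATTEMPTS = [
    ("alice", "203.0.113.5", 0, False), ("alice", "203.0.113.5", 10, False),
    ("alice", "198.51.100.7", 12, False), ("alice", "203.0.113.5", 100, False),
    ("alice", "203.0.113.5", 110, False), ("alice", "203.0.113.5", 120, False),
    ("alice", "192.0.2.9", 500, True), ("alice", "192.0.2.9", 1100, True),
]
```

Running `replay(SAMPLE_ATTEMPTS)` shows the third guess rejected as suspicious, the account locking on the fifth failure, the real user blocked while the lockout lasts, and a normal login once it expires.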
I believe that instead of trying to promote two-factor, we should educate service providers to implement simple password rules. That puts a much larger dent in brute-force attacks while not relying on customer education. We can then also recommend customer education, including more basic ideas like using a password wallet (see blog entry here), using a different password on every service or site, and, possibly, two-factor authentication for those willing to go that far.
So, my thought is that the focus on two-factor is somewhat of a red herring; the focus should instead be on service provider-side work and more basic customer password education.