Two-factor authentication is a red herring


Two-factor authentication pitched to the masses

A few years ago, the hack that exposed private photos of many celebrities, supposedly taken from their Apple iCloud accounts, sparked a trend in the media promoting “two-factor” authentication as the solution. Two-factor simply means that in addition to your password, you need a device such as your cell phone to obtain a code to enter. Thus a hacker would need to know your password and also have your device to break in.

Two-factor is really, really good, no doubt. But it is also a nasty barrier to entry: every time you log in to one of your many services you have to use your cell phone. That quickly becomes annoying and, I believe, will be difficult to make mainstream.

Server-based rules are better than two-factor authentication

But here is the kicker: there is a much easier way to put a reasonable block on brute-force attacks. Simply require that passwords have a minimum length and include some symbols and numbers in addition to lower- and upper-case letters, and then put a time-out on invalid login attempts that locks the account. (Hey, maybe use two-factor authentication to unlock it? That would work and would not be as much of a barrier.)

Service providers can also implement simple algorithms such as disallowing attempts to guess a password that arrive at nearly the same time from different locations. There is human behavior and then there is hacker behavior, and the server side can go a long way toward identifying attempted attacks.
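The two server-side rules above (a password policy with a lockout after repeated invalid attempts, and denying guesses that arrive from different locations at nearly the same time) as an added example, not code from the original post; the thresholds, account names and IP addresses are constructed for illustration.

```python
import re
from collections import defaultdict, deque

MAX_FAILURES = 5        # constructed policy values for this illustration, not from the post
FAILURE_WINDOW = 300    # seconds in which those failures must occur to count
LOCKOUT_SECONDS = 900   # how long the lockout lasts
SPREAD_WINDOW = 60      # attempts from >1 location within this many seconds are suspicious

def password_meets_policy(pw, min_len=12):
    """Minimum length plus lower, upper, digit and symbol, as the post proposes."""
    classes = [r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"]
    return len(pw) >= min_len and all(re.search(c, pw) for c in classes)

class LoginGuard:
    """Server-side rules; attempt() returns 'locked', 'suspicious', 'ok' or 'denied'."""
    def __init__(self):
        self.failures = defaultdict(deque)   # account -> timestamps of recent failures
        self.locked_until = {}               # account -> time the lockout expires
        self.recent = defaultdict(deque)     # account -> (timestamp, source_ip) of attempts

    def attempt(self, account, source_ip, password_ok, now):
        if self.locked_until.get(account, 0) > now:
            return "locked"
        recent = self.recent[account]   # Rule 2: same account, different locations, seconds apart
        recent.append((now, source_ip))
        while now - recent[0][0] > SPREAD_WINDOW:
            recent.popleft()
        if len({ip for _, ip in recent}) > 1:
            return "suspicious"   # deny and flag for review, whatever the password was
        if password_ok:
            self.failures[account].clear()
            return "ok"
        fails = self.failures[account]   # Rule 1: time-out that locks after repeated failures
        fails.append(now)
        while now - fails[0] > FAILURE_WINDOW:
            fails.popleft()
        if len(fails) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"

def demo():
    # Constructed sequence of attempts showing each rule firing (times in seconds).
    g = LoginGuard()
    out = [g.attempt("alice", "198.51.100.7", False, 1000 + i) for i in range(5)]
    out.append(g.attempt("alice", "198.51.100.7", True, 1010))   # right password, still locked
    out.append(g.attempt("bob", "198.51.100.7", False, 2000))
    out.append(g.attempt("bob", "203.0.113.9", True, 2005))      # second location within 60s
    out.append(g.attempt("bob", "203.0.113.9", True, 2100))      # window passed, allowed
    return out
```

In a real deployment the "suspicious" decision would also feed an alert or a step-up check such as the two-factor unlock the post suggests, rather than only returning a label.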

I believe that instead of trying to promote two-factor, we should educate service providers to implement simple password rules. That puts a much larger dent in brute-force attacks while not relying on customer education. We can then also recommend customer education, including more basic ideas like using a password wallet (see blog entry here), using a different password on every service or site, and, possibly, two-factor authentication for those willing to go that far.

So, my thought is that the focus on two-factor is something of a red herring that distracts from service provider-side work and more basic customer password education.