Regular readers will know that we like it when online services announce that they’re going to offer two-factor authentication, also known as 2FA.
Two-factor authentication is also known as two-step security, two-step verification, and other phrases with “two” in them.
2FA can take many forms; these illustrative examples come from the financial services sector:
- When you draw money from an ATM, you typically have to present a physical card, and then type in a PIN. Neither is enough on its own.
- When you pay a bill online, you may need to type a password into your web browser, and then reply to a special message sent to your mobile phone. Neither is enough on its own.
The idea is that a crook has to crack two different security problems to hack a single account.
Even more importantly, in the case of online 2FA (like our bill payment example), the data used in the second authentication factor changes regularly, so today’s login messages won’t work tomorrow.
If there’s a login code generated by a special app on your phone, for example, the code will probably change every 30 or 60 seconds.
If it’s an SMS with a secret string of digits in it, every SMS will be different, and so on.
Convenience versus security
Yes, 2FA is a bit less convenient than just having a single login factor, such as a password that rarely changes.
But 2FA with one-time login codes is much less convenient for the crooks – often very much less convenient.
A crook not only has to crack two security problems, but also has to keep cracking at least one of them over and over again, every time you login.
Some examples of online services that have already crossed the bridge of 2FA support are:
- 2011: Facebook.
- 2012: Dropbox.
- 2013: WordPress.com.
- 2014: Tumblr.
- 2015: iTunes.
- 2012: Dropbox.
The latest biggie to show signs of joining the 2FA club is Sony’s Playstation Network (PSN), although the go-live date is still a mystery.
Polygon quotes a Sony spokesperon as saying:
We are preparing to offer a 2-step verification feature… More details will be shared at a later date.
Evidence that preparation is well under way is a visual clue from the latest firmare upgrade to the PS3, tweeted by a Finnish fan called Tuomas Tonteri:
Tonteri inadvertently provided another good security reminder (handy for selfie-loving celebrities as well as the rest of us) about being careful of what you post:
I’m quite glad that the #PSN 2-step verification photo I took doesn’t show my reflection from TV. I was still in my underwear… True story.
As we’ve said before in respect of personally identifiable information: if in doubt, don’t give it out.
And as we’ve said about 2FA: if you can turn it on for the services you use, why not?
Image of PlayStation controller courtesy of Evan Amos via Wikimedia.
nick5990
2FA isn’t always good – eg if you have a technical issue involving 2FA that is preventing you from logging in to your account.
Laurence Marks
Imagine being unable to pay bills or check email because your phone broke and it took eight days for the replacement to arrive (as just happened to me). Fortunately I was able to move the SIM to an older phone where most things worked.
InfoSec Amateur
Paul – is it technically correct to say 2 factor and 2 step are the same thing? I’ve heard some people differentiate, saying 2 step is sorta fuzzy 2FA, where the second factor may be in band in some cases. Like OTP via SMS. Especially with that SS7 thing going on, right? Then it becomes two pieces of knowledge. Am I thinking about it the right way?
Paul Ducklin
I think that “two-step” is preferred by some online services because [a] it’s less jargonistic (what’s a “factor”…is that to do with cryptography, as in 3×5 = 15?) and [b] it avoids arguments about how “two-factorish” it really is when the web page is open and the one-time code is received or generated on the same device, e.g. when using a smartphone.