June 16th, 2012


Why multi-factor authentication is great

Two things that are making me think of multi-factor authentication lately:

1. The LinkedIn password fiasco. Yes people, passwords need to be stored in a database, and they can be stolen. And then you have to change your password everywhere that you MIGHT be using the same one. Ugh.
2. Dreamhost (my webhost of choice) just added two-factor authentication using Google Authenticate (an app for mobile devices).

I don't know how long ago I first learned about multi-factor authentication. It might have actually been while I was at WPI.

For anyone who doesn't know, there are three different possible "factors" to identify you as the person who should be able to access a secure location (whether that is a virtual or physical location):
1. Something you know (a password, passphrase, etc.)
2. Something you have (a key or other physical device)
3. Something you are (biometric info)

Systems that use only a single factor mean that a malicious person only needs to exploit one vector to do a lot of damage. This shows up in lots of ways: Passwords can be hacked or, more likely, guessed. (here's some news: "secure" passwords are still not that great. If it's memorable, it's still going to be short and easier to guess, and if it's more complex, you're more likely to write it down somewhere. There's even been some research that shows that a longer pass phrase is harder for both people and computers to guess.) Devices and keys can be stolen. Biometric info can be faked.

BUT, once you combine multiple factors, it takes a lot more effort to circumvent. For example: At the ATM, I insert my card (something I have) and then punch in my PIN (something I know). If you steal my card, you still have to guess my PIN. If you know my PIN but don't have my card, you still can't get my money.

Now at Dreamhost, if you wanted to get into my settings, you would need my password AND my iPod touch (running the GAuth app). Just one or the other won't do you any good.

I find it interesting that this can even apply without any computers in other situations where security is desired. For example, the nursery room at my church uses 2-factor authentication, although they don't know it. Every parent is given a numbered localized pager when they drop off their child. At the end of church time, the appropriate numbered beeper MUST be turned in to claim the child, whether it is the same parent who dropped them off or not. (We joke that we are trading "babies for beepers".) This is two-factor authentication: the parent or guardian must have the beeper (obviously), but must also be KNOWN by the child (something you ARE).

Done right, two-factor authentication is hardly more work than one-factor authentication while being tremendously more secure. I would love it if everywhere on the Internet that stores my sensitive information used it.