Analysis

Why you should use two-step authentication

Posted on 3 Oct 2012 at 15:11

True two-factor authentication is expensive to roll out, which is why many online services are dancing a two-step instead, says Davey Winder

Passwords are a real problem these days. We’re required to create so many of them that most of us re-use our memorable favourites, and lengthy and complex pass strings, however desirable, are very much in the minority.

Two-factor authentication (2FA) uses a combination of something you know (your password or PIN) and something you have (a hardware token) to add another security layer to the authentication process. Unfortunately, ‘true’ 2FA costs rather a lot of money, both to implement the system itself and to distribute those hardware devices to every user. This is especially true for free online services such as Gmail or Dropbox, which have millions of users.

That’s where two-step authentication (2SA) comes in. Dropbox is the latest in a line of big online properties to introduce an optional 2SA system, joining the likes of Google, PayPal and Yahoo. Microsoft is yet to bring 2SA to Hotmail, but does make it compulsory for users accessing billing at microsoft.com or buying anything at xbox.com.

Using two-step authentication

When logging in to your account you first enter your password as normal, but then you’re prompted to enter a code sent to your mobile phone by text message. This one-time password (OTP) is only valid for a limited time, usually no more than five minutes.

Although such 2SA-by-SMS systems are far from being without weakness, they undoubtedly add additional strength to the login process and as such should be considered a no-brainer for PC Pro readers who care about their account security. There really are just too many ways in which your account can be compromised, so anything that adds a second layer of identity verification is to be welcomed with open arms.

Generally speaking, the reason people give for not making use of an optional 2SA system is the same reason why others dilute its effectiveness once activated: the annoyance factor. We’re in a want-it-now society, and nowhere is that lack of patience more apparent than online, where web developers will happily recount tales of research into the short attention span of users.

This is reflected in those who would rather sacrifice security than wait mere seconds to receive a one-time password on their smartphone to type into an authentication box. Indeed, with most 2SA implementations allowing some degree of user configurability, it’s also reflected in people who would rather opt to ‘ask me for a code every 30 days’ than ‘ask me for a code every time I log in’.
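The server side of the SMS flow described above, as an added example that is not part of the original article: a code is issued, delivered through a `send_sms` callback (a hypothetical gateway hook), and accepted only once, only within the five-minute lifetime the article mentions, and only after a constant-time comparison. The "ask me for a code every 30 days" option is modelled as a trusted-device record. The limit of three wrong guesses per code is an assumed policy, not something the article states; the clock is injectable so the expiry paths can be exercised without waiting.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 5 * 60                 # article: codes are valid for no more than five minutes
MAX_ATTEMPTS = 3                          # assumed policy: a code dies after three wrong guesses
TRUST_DEVICE_SECONDS = 30 * 24 * 3600     # article: "ask me for a code every 30 days"


class OneTimeCodeService:
    """Second login step: issue, deliver and verify short-lived one-time codes."""

    def __init__(self, send_sms, now=time.time):
        self.send_sms = send_sms   # hypothetical delivery callback: send_sms(phone, message)
        self.now = now             # injectable clock (tests move time forward)
        self.pending = {}          # user -> {"code", "expires", "attempts"}
        self.trusted = {}          # (user, device_id) -> trust expiry timestamp

    def issue(self, user, phone):
        """Generate a fresh 6-digit code from a CSPRNG and hand it to the SMS channel."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[user] = {"code": code,
                              "expires": self.now() + CODE_TTL_SECONDS,
                              "attempts": 0}
        self.send_sms(phone, f"Your login code is {code}")

    def verify(self, user, submitted, device_id=None, remember_device=False):
        """Accept a code once, within its lifetime, and optionally trust this device."""
        entry = self.pending.get(user)
        if entry is None:
            return False
        if self.now() > entry["expires"]:
            del self.pending[user]          # expired: the user must request a new code
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self.pending[user]          # too many guesses: burn the code
            return False
        if not isinstance(submitted, str) or not submitted.isascii():
            return False
        if not hmac.compare_digest(entry["code"], submitted):
            return False                    # constant-time mismatch
        del self.pending[user]              # single use: a replayed code is rejected
        if remember_device and device_id:
            self.trusted[(user, device_id)] = self.now() + TRUST_DEVICE_SECONDS
        return True

    def needs_code(self, user, device_id):
        """True unless this device was trusted within the last 30 days."""
        expiry = self.trusted.get((user, device_id))
        if expiry is None:
            return True
        if self.now() > expiry:
            del self.trusted[(user, device_id)]
            return True
        return False


if __name__ == "__main__":
    # Constructed demo: the "gateway" just prints the message it would have sent.
    svc = OneTimeCodeService(lambda phone, msg: print(f"SMS to {phone}: {msg}"))
    svc.issue("alice", "+44 7700 900123")   # constructed sample user and number
    print("needs code on new laptop:", svc.needs_code("alice", "laptop-1"))
```

The two places where implementations usually go wrong are both covered here: a code that has been accepted is deleted immediately, so it cannot be replayed inside its five-minute window, and a code that has expired is deleted on first sight rather than left waiting for a later guess.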

User comments

Additional Security

I use Two-Factor Authentication across a lot of my accounts. I feel a lot more secure when I can telesign into my account. If you have that option available to you, use it; it is worth the time and effort to have the confidence that your account won't get hacked and your personal information isn't up for grabs. If you opt into 2FA, you will have to "Confirm your phone". You would receive a text message with a specific code to be entered into the system. If you don't want to do this every single time, you can designate your smartphone, PC, or tablet as a trusted device and they will allow you to telesign in without the text code. Should an attempt to log in from an unrecognized device happen, it would not be allowed.

By Tamptrick on 4 Oct 2012

Security often more trouble than trouble itself

I was burgled once in 23 years. The thief took a worthless desk and an antique chair worth about £200. The insurance company then insisted that I had every kind of alarm fitted - door locks, window locks, movement activators, etc. Setting and deactivating this setup several times every day (including in the middle of the night after a power cut) became a much bigger negative than the original theft ever was. Guarding against loss is only worth the additional hassle if the potential losses are greater than the cost and inconvenience of implementing the security in the first place.

By Nameless on 5 Oct 2012

If someone steals your phone?

The biggest weakness seems to be a stolen phone. The thief then has access to the SMS code and your email account.

You could always have a special phone at home for authentication, but it would get lost or disconnected.

Why not allow a user to share an authentication device between accounts? That way the cost is borne by the user and is a one-off cost.

By tirons1 on 5 Oct 2012

The something you have...

The problem is, it assumes that you have your phone with you.

At home, my office is in the cellar and we get a telephone signal in the bedroom, if we are lucky.

That means I have to run up and down 2 flights of stairs every time I want to log on.

Wouldn't SIM cloning or dual-SIMs also be a problem?

By big_D on 5 Oct 2012

Not the main concern

Somewhat of a side issue as by far the greatest online security issue is that of password databases being compromised by way of code-injection exploits.

The answer to this is to move away from SQL, to a database system which does not permit instructions to be embedded in user responses.

By Anteaus on 5 Oct 2012
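The password-database problem raised in the comment above, as an added example that is not from the article or the commenter: the same lookup written first with the username pasted into the SQL text, then with parameter binding, which keeps user input from ever being parsed as SQL while staying on SQL. Passwords are stored as salted PBKDF2 hashes rather than in clear, so a dumped table does not yield reusable passwords. The users, passwords and the probe string are constructed for the demo; sqlite3 stands in for whatever database a real service would use.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000   # assumed PBKDF2 work factor


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the stored value is useless without the work of guessing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_db():
    """In-memory table with two constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for name, password in [("alice", "correct horse"), ("bob", "hunter2")]:
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                     (name, salt, hash_password(password, salt)))
    conn.commit()
    return conn


def lookup_unsafe(conn, username):
    # VULNERABLE: the username is spliced into the SQL string, so a quote in the
    # input ends the literal and the rest of the input becomes SQL.
    sql = f"SELECT username, salt, pw_hash FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # Parameter binding: the SQL text is fixed; the value travels separately and is
    # never parsed as SQL, whatever characters it contains.
    return conn.execute("SELECT username, salt, pw_hash FROM users WHERE username = ?",
                        (username,)).fetchall()


def authenticate(conn, username, password):
    """Bound lookup plus constant-time comparison of the derived hash."""
    rows = lookup_safe(conn, username)
    if len(rows) != 1:
        return False
    _, salt, pw_hash = rows[0]
    return hmac.compare_digest(hash_password(password, salt), bytes(pw_hash))


if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"   # constructed input containing a quote
    print("unsafe lookup rows:", len(lookup_unsafe(conn, probe)))   # every user
    print("safe lookup rows:  ", len(lookup_safe(conn, probe)))     # none
    print("alice login:", authenticate(conn, "alice", "correct horse"))
```

Run it and the difference is the whole point: the spliced query returns every user for an input that is nothing but a quoted tautology, while the bound query returns nothing because no account is literally named that. The fix is a change of API call, not a change of database engine.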

2SA using mobile phone useless for some

We are in an area (North Oxfordshire) of no mobile phone signal. By the time I've jumped in the car to drive about to get the OTC the banking session (for instance) I'm trying to use has timed out.

By robgwc on 8 Oct 2012

agree with others

on the problem of needing your phone with you at all times. I had my gmail setup for 2-step authentication and I recently travelled for a few days. Unfortunately, I forgot my phone, and so not only was I unable to contact people by phone, but also I was unable to contact them by email, being unable to use the 2-step authentication! I promptly removed the option once I was back home....

By gowgowuk on 8 Oct 2012

gmail 2 factor

I think this works really well with the google authenticator app. Works around the SMS problem and the function to trust a device ensures that you are not prompted for 2 factor authentication every time.

By Paulf on 9 Oct 2012

PC Pro - Computing in the Real World. Printed from www.pcpro.co.uk