Why you should use two-step authentication

3 Oct 2012

True two-factor authentication is expensive to roll out, which is why many online services are dancing a two-step instead, says Davey Winder

Passwords are a real problem these days. We’re required to create so many of them that most of us re-use our memorable favourites, and lengthy and complex pass strings, however desirable, are very much in the minority.

Two-factor authentication (2FA) uses a combination of something you know (your password or PIN) and something you have (a hardware token) to add another security layer to the authentication process. Unfortunately, ‘true’ 2FA costs rather a lot of money, both to implement the system itself and to distribute those hardware devices to every user. This is especially true when you are talking about free online services such as Gmail or Dropbox, which have millions of users.

That’s where two-step authentication (2SA) comes in. Dropbox is the latest in a line of big online properties to introduce an optional 2SA system, joining the likes of Google, PayPal and Yahoo. Microsoft is yet to bring 2SA to Hotmail, but does make it compulsory for users accessing billing at microsoft.com or buying anything at xbox.com.

Using two-step authentication

When logging in to your account, you first enter your password as normal, but then you’re prompted to enter a code sent to your mobile phone by text message. This one-time password (OTP) is only valid for a limited time, usually no more than five minutes.

Although such 2SA-by-SMS systems are far from being without weakness, they undoubtedly add additional strength to the login process and as such should be considered a no-brainer for PC Pro readers who care about their account security. There really are just too many ways in which your account can be compromised, so anything that adds a second layer of identity verification is to be welcomed with open arms.

Generally speaking, the reason people give for not making use of an optional 2SA system is the same reason why others dilute its effectiveness once activated: the annoyance factor. We’re in a want-it-now society, and nowhere is that lack of patience more apparent than online, where web developers will happily recount tales of research into the short attention span of users.

This is reflected in those who would rather sacrifice security than wait mere seconds to receive a one-time password on their smartphone to type into an authentication box. Indeed, with most 2SA implementations allowing some degree of user configurability, it’s also reflected in people who would rather opt to ‘ask me for a code every 30 days’ than ‘ask me for a code every time I log in’.
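
The server-side half of the scheme described above (a short-lived, single-use code that is checked after the password, plus the optional ‘remember this device for 30 days’ relaxation) can be sketched in a few dozen lines. The following is an added example written for this page; it is not code from Dropbox, Google, PayPal or any of the other services mentioned. It assumes an in-memory store and an injectable clock so the expiry behaviour can be exercised without waiting; delivering the code by SMS is left to a gateway outside the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Values taken from the article: codes usually live no more than five minutes,
# and the weakest user-selectable setting re-prompts only every 30 days.
OTP_TTL_SECONDS = 5 * 60
TRUSTED_DEVICE_TTL_SECONDS = 30 * 24 * 3600
MAX_ATTEMPTS = 5  # assumed guess limit per issued code; not from the article


@dataclass
class PendingCode:
    code: str
    expires_at: float
    attempts: int = 0


class TwoStepVerifier:
    """Issues and checks SMS-style one-time codes for the second login step."""

    def __init__(self, now=time.time, ttl=OTP_TTL_SECONDS):
        self._now = now            # injectable clock (assumption for testing)
        self._ttl = ttl
        self._pending = {}         # user -> PendingCode
        self._trusted = {}         # (user, device_id) -> expiry timestamp

    def issue_code(self, user):
        """Generate a fresh 6-digit code and start its expiry timer.

        A real deployment hands the code to the SMS gateway; it must never
        be returned to the browser that is trying to log in.
        """
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, zero-padded
        self._pending[user] = PendingCode(code, self._now() + self._ttl)
        return code

    def verify_code(self, user, submitted, remember_device=None):
        """Return True only for the current, unexpired, unused code."""
        pending = self._pending.get(user)
        if pending is None:
            return False
        if self._now() > pending.expires_at:
            del self._pending[user]            # expired: force a re-issue
            return False
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[user]            # too many guesses: burn the code
            return False
        # Constant-time comparison on bytes, so non-ASCII input cannot raise.
        if not hmac.compare_digest(pending.code.encode(), submitted.encode()):
            return False
        del self._pending[user]                # single use: accept exactly once
        if remember_device is not None:
            self._trusted[(user, remember_device)] = (
                self._now() + TRUSTED_DEVICE_TTL_SECONDS
            )
        return True

    def needs_code(self, user, device_id):
        """Should this device be asked for a code on its next login?"""
        expiry = self._trusted.get((user, device_id))
        if expiry is None or self._now() > expiry:
            self._trusted.pop((user, device_id), None)
            return True
        return False


def demo():
    """Walk through the lifecycle with a fake clock; returns the observations."""
    clock = [1_000_000.0]
    v = TwoStepVerifier(now=lambda: clock[0])
    code = v.issue_code("alice")
    wrong = "000000" if code != "000000" else "111111"
    results = {
        "prompted_first_time": v.needs_code("alice", "laptop"),
        "wrong_code_rejected": not v.verify_code("alice", wrong),
        "right_code_accepted": v.verify_code("alice", code, remember_device="laptop"),
        "replay_rejected": not v.verify_code("alice", code),
        "device_remembered": not v.needs_code("alice", "laptop"),
    }
    clock[0] += 31 * 24 * 3600                 # 31 days later
    results["prompted_after_30_days"] = v.needs_code("alice", "laptop")
    code2 = v.issue_code("alice")
    clock[0] += 6 * 60                         # six minutes later
    results["expired_code_rejected"] = not v.verify_code("alice", code2)
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The two expiries are the whole point: the code itself is worthless a few minutes after issue and after a single use, while the ‘remember this device’ decision is what the article calls diluting the scheme, because it is the only path that lets a login through without a fresh code.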
