Oct 27 2014

Two-factor authentication is generally seen as a good idea; there’s a certain amount of hand-wringing over the fact that more people don’t turn it on. The problem is, it’s one of those things where you sign up for disruption over the next few days, for uncertain reward. The reward is uncertain because you can never tell whether turning on two-factor authentication stopped someone hacking your account or not, just like you can’t tell whether having an alarm company sign outside your house dissuades someone from breaking into it. My main email account has been on 2FA for ages, but I decided to add it to one of my secondary accounts as well, given that lots of people seem to mistakenly use that email instead of their own.

Tim suggested I use the authenticator app for my Google account 2FA instead of the SMS system. Just a hint: set it up while you still have access to your text messages, since SMS is used for the bootstrapping authentication. You need to sign up for Google 2FA in the first place ‘on a computer’ (it isn’t specified whether a tablet is sufficient; I used the desktop). You are sent an SMS to authenticate yourself, and then you get another one when you want to authenticate the Authenticator app. After that, you don’t need your SMS system, as long as you have the device with the Authenticator app on it.

But then there are the other apps, which now need application-specific generated passwords. Adium for Google Talk, for example, or email with Thunderbird. Setting each one up doesn’t take long, but I’m sure some time in the future I will have forgotten and be wondering why I can’t log in with a valid password.

And I understand what’s going on, more or less, and think the short-term hassles are worth it. There are lots of people who don’t have a mental model of passwords or authentication, who see only the pain and not the gain (since the gain is only in the absence of a potential future pain). Businesses are supposedly implementing 2FA fairly rapidly, but I’d be surprised if people in general were outfitting their personal accounts with 2FA at anything like the same rate. Mind you, I also suspect those surveys apply mostly to bigger companies in particular industries; anecdotal evidence I’ve heard points to a lower real adoption rate.

  8 Responses to “2FA, the aftermath”

  1. I have also been using an app called Authy. You can find it over on https://www.authy.com

    It is much the same idea as the Google Authenticator but they are attempting to appeal to almost any web site or web service that has a public log in page. I am using the Twitter and Facebook 2-factor authentication but I question the way they are doing it as it seems confusing within the context of the sites they are protecting.

    I think Authy is where this technology will go since it becomes a single point where one can secure their accounts. Now, that may be a bad thing since it has a single point of failure but I suspect it is better than nothing.

  2. Frustrating Lauren? “Tim suggested I used the authenticator app for my Google account 2FA” Which app please?

    • It’s called the Google Authenticator app; I’ve updated the post with the link to the Google play store. Authy, which Shane pointed to, also looks interesting though I haven’t tried it out yet.

      • Thanks Lauren.

        • Nasty circle. Install the app. It says go to google accounts. Do that. Nothing related to the app. End of. Tim’s article is right, even for a semi-literate geek, if it’s not well documented it fails.

  3. […] 2-issue and we’re good to go, proper? Nicely, improper. As proof I supply 2FA, the aftermath by Lauren Wooden [Disclosure: my wife]. That is the type of story that makes my former colleagues […]

  4. I too am a fan of Authy. It’s a nice little app for managing 2FA for a small number of accounts. However the UI would definitely need a rethink if the app were to deal with a couple of dozen accounts or more.

    I use 2FA everywhere I can. BUT, I am a tech user. I understand the principles behind 2FA and see the obvious (to me) benefits of having it in place. I tried, and failed, to convince my mother to turn it on, at least on her PayPal account. Why? She understood the principles of 2FA and even got how it would protect her. But, in her words, “I’m not messing about with all that, it just gets in the way. Anyway, I don’t use PayPal a lot and why would anyone be interested in my account?”

    There’s two significant takeaways in her response:

    1) It couldn’t happen to me — the average user still doesn’t seem to get that hacking is broad, automated, and very large scale. One doesn’t have to be individually targeted;
    2) Add an extra step to any process, especially to one that might already be considered tedious (authentication), and you are going to encounter user resistance. If the extra step is optional, few will choose to adopt it.

    2FA is pretty damn good. But until we can convince the average user that they need it, and until we can make it so simple that we can enforce its use without driving away our users, it’s not going to be widely adopted by the man in the street – or my mum.

  5. I’ve been using Google Authenticator on Android for ages, but I’ve been trying out the latest microsoft offerings. The MS Auth app is called “Microsoft Account”. The MS implementation of 2FA is much easier on the user, and therefore easier to use.

    It doesn’t even feel like 2FA when you use it.
