I’m very glad to see the buzz on the internet about two-factor authentication (2FA). I’ve been slow about writing an article on it because I didn’t want to be the downer at the party. Yes, it is important advice to follow, but I just can’t get all that excited about it. Enabling 2FA does not make your email encrypted, and from the way it is being talked about on Twitter, I’m worried that is exactly the impression folks are getting.
Two-factor authentication reinforces logins. If you fall prey to a phishing attack that captures your password, 2FA makes it harder for the attacker to get into your account, because the password alone is no longer enough. (Harder, not impossible: a one-time code typed into a fake login page can be relayed to the real one inside its validity window, so 2FA raises the bar for phishing rather than removing it.) Companies love it because when they f*ck up securing their logins, they have less liability to contend with. Two-factor authentication is NOT data encryption; it is just a fancy front door. Better than not having a fancy front door, but it does nothing about structural problems: whatever sits behind that door is stored exactly as it was before, readable by the provider and by anyone who gets in through a side entrance such as a weak account-recovery process.
A while back many banks and email providers started moving to two-step verification. Two-step verification is not the same thing as two-factor authentication. Two-step verification asks for two proofs in a row, whatever they happen to be: a password followed by a challenge question or a code number, for example. Two-factor authentication is stricter, because the two proofs must come from entirely independent classes of identification:
- Something you know (a password, a PIN, the street name where you grew up)
- Something you have (decoder ring, USB key, a hardware token with rolling codes)
- Something you are (fingerprint, voice recognition, gait, all the biometrics)
Folks talking to beginners seem to mush 2FA and 2SV together for the sake of convenience. For example, my phones seem to be constantly sprouting codes in text messages. Despite being billed as such, an SMS code is a weak second factor at best. The text delivers a one-time password, and what it really proves is control of a phone number, not possession of a particular device: my number isn’t secret, the messages aren’t encrypted in transit, a SIM swap hands the number to someone else, and phones get lost or stolen all the time. (NIST SP 800-63B puts codes delivered over SMS in its “restricted” category for exactly these reasons.) This is where specialized USB fobs with rolling codes step up to the plate. They’re very cool, and I totally want one. Yet it seems a little extreme to go all “magic talisman” to protect data that isn’t encrypted on the back end, like say email or all those jottings in Evernote. Just saying.
Also, please, before enabling 2FA or 2SV, review what recovery process, if any, the company has put in place for the loss of one or both of the required authenticators. We’ve gotten so used to a phone call to customer service fixing things. But where the data really is encrypted under a key tied to those authenticators, “there is nothing I can do” is exactly the right answer from support, and it is the answer you should want, because any recovery path support can use, an attacker can use too. If the service hands you backup codes, keep them somewhere other than the phone that receives the login codes. Be prepared.
So, yes, enable that two-step-facto-autho-veri-whatever being offered. It does help. It just isn’t the only help we’ll need.