Skip to main content

Twice the factors equals twice the fun

This entry might be pretty basic for a lot of my techie companions, but since we've been talking about security recently, I thought it might be good to do a quick introduction to 2-factor authentication for those that aren't as familiar with it. At it's most basic level, 2-factor authentication is about two things; something you know, and something you have. Most of us are used to working with passwords to authenticate ourselves to various resources. This is the something we know portion of 2-factor authentication.

The problem with something we know is that as soon as someone else knows it... it's not a secret anymore, and not very useful for security purposes. When we add in something we have to get 2 factors of authentication it's no longer just about what we know, but what we have. Then, it's not as terrible if someone knows what we know, because they don't have what we have, so knowing what they know doesn't help them as much, unless of course they end up having what we have, in which case we better hope that they also don't know what we know, because then they'll have what we have AND know what we know, causing people like myself rant in long run-on sentences about having and knowing things that people shouldn't have or know.

So the key with something we have is that we're often able to secure physical 'things' much better than we can secure knowledge. Securing knowledge is tough, because that knowledge needs to be shared with at least one other person... the system we want to access. So even though we might be quite good at keeping secrets, like our login passwords, the systems that we share those secrets with are often not as good as humans at keeping secrets. Usually they try hard, but too often they're the target of knowledge thieves who want nothing more than to force a system to reveal all of it's possible knowledge (ie. passwords) for their own personal gain.

However, things are a whole different story. Things are physical, and since the dawn of man, we've learned how to keep track of physical things really, really well. This is why many security experts tell people that it's OK to go ahead and write down their passwords on a little slip of paper in their wallets. We've learned how to keep track of our wallets since we were young, and we're quite aware of how to protect them physically.

So what are these things we have for accessing systems? In some cases, it could be a bio-metric system, like a fingerprint. Since our fingers are always attached to us (or so we hope), it's pretty easy to secure this 'thing'. If someone finds out your password to a system, but they also need your fingerprint to access it... well, they've just made their job close to impossible. However, fingerprints and retina scanners all require special hardware hooked up to our machines, so a much more common technique is a number generating device.

Many people know these devices by their brand name "SecureID", but the basic principle is the same. You are given a little token that has an LCD screen on it with sets of numbers that change every 60 seconds (smartphone apps that do the same thing are becoming common too). The master system is synchronized with your device, and it knows at all times what your number is. However, the system is never set up to tell anyone what a number is at any given time. It can just answer 'Yes' or 'No'. So a login situation looks like this:

  • A user types in their username and password in to a login system.
  • The login system asks them what their current number code is.
  • The login system then makes a request to a security system and asks "Is Mr X's generated number 12345?"
  • The security system then says either yes or no.
  • If the answer is 'no' then the login attempt is denied and the user has to try again.
So with 2-factor authentication, you are almost always guaranteed that your login is not going to be compromised. Even if someone knows your password they still need your physical 'thing'. If they somehow have your physical 'thing', they still need your password. It's not an impossible situation for a hacker to overcome, but it makes life difficult to the point of not even trying in many cases. There are many systems out there that practice 2-factor authentication, and if you've worked in any number of governmental agencies, or very large companies, it's likely that you've come across 2-factor authentication. But 2-factor is quickly becoming mainstream. A couple of years ago, online games started adding 2-factor authentication to their systems as a way to stop people from having their accounts hacked. Then, in the wake of the recent hacking news, Google's 2-factor authentication for GMail has been getting a lot of press, as a good way to make sure your primary e-mail account doesn't get compromised.

So the time was never better to start thinking more about 2-factor authentication. As more and more of our life goes online, it's important to take all the right steps to make sure that you're not the target of a hack. 2-factor authentication is a great tool in the average users toolbox to help keep you safe online.

Popular posts from this blog

Push it... push it real good...

The other day I got a chance to play with the new Apple force touch trackpad. This is a new design that Apple has put on their laptops for non-mechanized clicking on trackpad. When you press on the trackpad it senses the force that you're pressing with, and when you reach a certain level, you feel a 'click'. If you keep pressing, you feel a second 'click'. The unique thing is that these 'clicks' aren't physical in nature. The trackpad never moves at all, but the click that you feel is from haptic feedback. In essence, when you press with enough force, the trackpad clicks back at you. You feel the sensation of clicking, but it's simply the trackpad responding to your pressure.

I got to play with this for a while, since the Apple Store rep was talking with us about soccer, and after a short bit I was getting the hang of it. I feel that it would take quite a bit longer though to really feel comfortable with this new paradigm. I'm someone who has a …

Hack! Slash! Burn! Crush!!

The big tech news story of the weekend was the hacked account of Mat Honan. As documented in his posting on Wired.com, in the space of a few hours his digital life was in shambles. And as much as we always talk about strong passwords, etc., this was not a case of password failure. It was a case that shows just how our desire for on-demand, cloud based services that are convenient can come back to haunt us.

I highly suggest you go read all 4 pages of the article, but the quick summary is that a hacker wanted control of Mr. Honan's Twitter account. In order to get it, they started with basic social scouting, and proceeded to use all of the built-in tools of Google, Amazon and Apple to gain access to his accounts without ever needing to crack a single password. At Google they discovered what his Apple ID e-mail address was when they did a simple "Forgot my password" query. Then at Amazon, they called up customer service and game'd the system to get access to the last 4 …

The beat goes on

Yesterday Apple revealed their long awaited entry into the streaming music field. They were able to do this quickly because of the acquisition of Beats last year, and the systems and intellectual property that came with that purchase. Considering that the music reveal was pretty much the only big news out of a pretty benign developer keynote, I'll take a few moments to talk about what I think about it.

Apple was perhaps the defining company in the music revolution of the past 20 years. With the introduction of the iPod that revolutionized portable music, to the creation of the iTunes store and the eventual death of DRM, Apple has been at the forefront of digital music. This leadership comes with high expectations to continue to lead, and so many people have long questioned Apple not getting into the streaming music business quicker.

For the past few years new companies have come forth to lead the change in the streaming music evolution. From Pandora and its ability to create uniqu…