Last week I wrote a couple of different pieces on passwords, firstly about why we're going to be stuck with them for a long time yet and then secondly, about how we all bear some responsibility for making good password choices. A few people took some of the points I made in those posts as being contentious, although on reflection I suspect it was more a case of lamenting that we shouldn't be in a position where we're still dependent on passwords and people needing to understand good password management practices in order for them to work properly.

This week, I wanted to focus on going beyond passwords and talk about 2FA. Per the title, not just any old 2FA but U2F and in particular, Google's Advanced Protection Program. This post will be partly about 2FA in general, but also specifically about Google's program because of the masses of people dependent on them for Gmail. Your email address is the skeleton key to your life (not just "online" life) so protecting that is absolutely paramount.

Let's start with defining some terms because they tend to be used a little interchangeably. Before I do that, a caveat: every single time I see discussion on what these terms mean, it descends into arguments about the true meaning and mechanics of each. Let's not get bogged down in that and instead focus on the practical implications of each. They may all be familiar, but there are important differences that warrant explanation and we'll start with the acronym we most commonly see: 2FA is two-factor authentication.

For some quick perspective, a password alone is 1FA in that when you authenticate merely by entering a secret, all you require is one factor - "something that you know". If someone obtains the thing that you know then it's (probably) game over and they have access to your account. Adding a second factor typically means either requiring "something that you have" or "something that you are". The former is a physical device, for example I had one of these old RSA tokens more than a decade ago back in corporate land:

When I logged onto the work VPN, I needed to enter not just my Active Directory credentials but also the 6-digit number shown in the token above known as a time-based one-time password (TOTP). The bars on the left of the LCD screen would count down after which the digits would be rotated and I'd need to enter a different TOTP when authenticating. This was a pretty solid way of doing auth, albeit a bit clunky and still not foolproof. For every good security solution, someone will always find a way of screwing it up:

When it comes to "something you are", we're talking biometrics so think fingerprints, face, etc. Requiring, for example, both a password and a fingerprint would be a 2FA implementation. Here's a very consumer-friendly way of describing 2FA: withdrawing money from an ATM requires two factors being your bank card (something you have) and your PIN (something you know).