I attended a talk during All Things Open regarding two-factor authentication (2FA). There were some interesting takeaways.

Passwords win

It’s interesting that passwords still have the best security tradeoffs. Google did a study about tradeoffs in different authentication methods. The main concerns in these tradeoffs are:

  1. Security
  2. Usability
  3. Deployability

Passwords have the best tradeoffs across all three because they are so easy to deploy. Other methods, even though they may be more usable or more secure, require a special application or device. Passwords also don’t score too low on security and usability.

SMS auth

Using two-factor authentication is great, but if you rely on SMS two-factor auth then you are trusting your network operator. This form of two-factor auth is not as secure as actual tokens generated by an app like Google Authenticator, or by a hardware token.

These hardware tokens are pretty cheap now. You can get them for about 99c.

Multi-step authentication

Google has a good user authentication flow. They use a multi-step authentication flow. In other words, they don’t prompt for your username and password at the same time or on the same screen. There are advantages to using a multi-step auth flow:

  1. The first step asks for your identifier (such as your username). Once the user submits it, the backend can already start processing context such as location, IP address, etc.
  2. The second step can ask for your password.
  3. The third screen can be optional and can be used to further authenticate the user using two-factor authentication.
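The two points above, app-generated tokens instead of SMS codes and a login flow that collects the identifier first, worked through as an added example in Python. This is my code, not the talk's, Google's or Gluu's. The token part implements RFC 4226/6238 (HMAC-SHA1, 30-second steps, six digits, one step of clock skew tolerated), which is what Google Authenticator computes; the three-step `LoginFlow` class, its session dictionary, the sample users and IPs, and the policy that the second factor is only demanded from an unrecognised IP are assumptions chosen to illustrate the flow.

```python
# Added example: RFC 6238 TOTP verification and a three-step login flow.
# Not code from the talk, Google or Gluu; the users, IPs and the step-up policy
# (second factor required from an unrecognised IP) are assumptions.
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (what authenticator apps show)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step or up to `window` steps either side (clock skew); constant-time compare."""
    counter = at // step
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(counter - window, counter + window + 1))


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    totp_secret: Optional[bytes] = None      # None: user has not enrolled an app token
    known_ips: Set[str] = field(default_factory=set)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(username: str, password: str, totp_secret: Optional[bytes] = None,
              known_ips: Set[str] = frozenset()) -> User:
    salt = secrets.token_bytes(16)
    return User(username, salt, hash_password(password, salt), totp_secret, set(known_ips))


_DUMMY_SALT = b"\x00" * 16  # spend the same hashing work on unknown identifiers


class LoginFlow:
    """Step 1: identifier. Step 2: password. Step 3: second factor, only when step 1 saw risk."""

    def __init__(self, users: Dict[str, User], clock: Callable[[], float] = time.time):
        self.users = users
        self.clock = clock   # injectable so the TOTP step can be tested at a fixed time

    def step1_identifier(self, username: str, ip: str) -> dict:
        # Context is evaluated as soon as the identifier is known, before any password.
        # The returned session has the same shape whether or not the user exists.
        user = self.users.get(username)
        risky = user is None or ip not in user.known_ips
        return {"username": username, "ip": ip, "user": user, "risky": risky, "stage": "password"}

    def step2_password(self, session: dict, password: str) -> str:
        if session["stage"] != "password":
            raise ValueError("password step not expected now")
        user = session["user"]
        if user is None:
            hash_password(password, _DUMMY_SALT)  # same cost as a real check, same answer
            return "denied"
        if not hmac.compare_digest(hash_password(password, user.salt), user.pw_hash):
            return "denied"
        if user.totp_secret is not None and session["risky"]:
            session["stage"] = "second_factor"
            return "second_factor_required"
        session["stage"] = "done"
        return "authenticated"

    def step3_second_factor(self, session: dict, code: str) -> str:
        if session["stage"] != "second_factor":
            raise ValueError("second factor step not expected now")
        # A real deployment also rate-limits this step: six digits are guessable otherwise.
        if verify_totp(session["user"].totp_secret, code, int(self.clock())):
            session["stage"] = "done"
            return "authenticated"
        return "denied"
```

Two details are worth noticing. Collecting the identifier first is what lets `step1_identifier` evaluate the source IP before any password is seen, but it also means the server knows whether the account exists one screen earlier than usual, so `step1_identifier` returns an identically shaped session either way and `step2_password` burns an equal-cost hash for unknown users, which keeps the flow from leaking which identifiers exist through response shape or timing. The `verify_totp` window of one step is the usual compromise between tolerating phone clock drift and keeping the number of codes accepted at any moment small.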

Gluu

The speaker was from Gluu. They offer an open source platform for authentication. It seems like a good platform. It has an application that would let users manage their credentials, security keys, devices, tokens, etc.