Sunday, April 27, 2014

The Second Factor

Sometimes when creating or logging into an online account the system will ask for a phone number or a second email address. Recently my users are asking me “why do they want that?” One user ignored the request so many times the system locked her out of a portion of her account until she provided it.

This alternate point of contact is used for second-factor authentication: a means for the website to verify that you are the person who signed up for the account. It is similar to your bank asking for the last digits of your Social Security Number or the doctor’s office wanting your date of birth. These are bits of information that they know came from you and that should differ from those of anyone else who might share your name or other primary login.

This is not the same as when a website shows you a picture of the Statue of Liberty or a Corvette after you’ve logged in. There, the website is proving its identity to you, because an impostor would not know which picture you are expecting. Second-factor authentication works the other way: it lets you prove to the website that you are you.

If the website offers a second factor, that is a good thing. Imagine someone looking over your shoulder and stealing your password. They could then log in as you and change your settings so that you no longer get notifications from the site. If it were a shopping site with a stored credit card, you might not know what they were buying until you got the bill.

Typically the second-factor step sends you a one-time code that you must enter before proceeding. Check your email, type 4-6 digits or click a link, and you’re in. Often it will then set a cookie in your browser so that you are not inconvenienced even that much on every login.
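As an added illustration, not part of the original post, here is how a site might implement the one-time code and the remember-this-browser cookie just described, in Python. The in-memory stores, the five-minute code lifetime, the guess cap and the 30-day cookie lifetime are assumptions chosen for the example.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300              # assumption: a code is good for five minutes
MAX_ATTEMPTS = 5                    # assumption: 6 digits is small, so cap guesses
REMEMBER_TTL_SECONDS = 30 * 86400   # assumption: "remember this browser" for 30 days

# Constructed in-memory stores standing in for a database.
_pending = {}      # user -> {"code", "expires", "attempts"}
_remembered = {}   # device token -> (user, expires)

def issue_code(user, now=None):
    """Create a fresh 6-digit one-time code to be delivered out of band."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"   # uniform over 000000..999999
    _pending[user] = {"code": code, "expires": now + CODE_TTL_SECONDS, "attempts": 0}
    return code   # hand this to the SMS/voice sender, never to the browser

def verify_code(user, submitted, now=None):
    """Check a submitted code: time-limited, attempt-limited and single use."""
    now = time.time() if now is None else now
    entry = _pending.get(user)
    if entry is None or now > entry["expires"]:
        _pending.pop(user, None)          # expired codes are discarded
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        _pending.pop(user, None)          # burn the code after too many guesses
        return False
    if not hmac.compare_digest(entry["code"], submitted.strip()):
        return False                      # constant-time compare, code stays pending
    del _pending[user]                    # single use: replaying the code must fail
    return True

def remember_device(user, now=None):
    """After a successful check, mint a long random value for the browser cookie."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _remembered[token] = (user, now + REMEMBER_TTL_SECONDS)
    return token

def device_is_remembered(user, token, now=None):
    """True if the cookie is valid for this user, so the code step can be skipped."""
    now = time.time() if now is None else now
    rec = _remembered.get(token)
    return rec is not None and rec[0] == user and now <= rec[1]
```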

Ideally, the second factor should be delivered out of band – that is, through a different network than the one you used for your first factor. An excellent option is to send the code for a website by cell text or voice telephone. If, instead of looking over your shoulder, someone stole your computer, he might have access to your email as well as to the website, which is why a code sent by email is a weaker choice.

A second factor is more reliable than asking how many sisters you have or which high school you went to. Someone who has gone to the trouble of stealing your identity could also find out that information. Instead, it relies on your responding with unique, real-time information delivered to a device you would likely not lose at the same time as your computer.

If you provided the second-factor channel (such as your cell phone number) at the time you created the account, there is no way it could be hijacked. You’re well on your way to accomplishing the triumvirate of identity: something you know, something you have, something you are. That is: your logon and password (both something you know), your cell phone or a dongle (something you have), and your biometrics (something you are, like a fingerprint reader).

Creative Commons License. This work by Bill Barnes is licensed under a Creative Commons BY-NC-SA 3.0 US License. Permissions beyond the scope of this license may be available at