Passwords Are Not Enough — Yet Two-Factor Auth Is Far from Common

Passwords Are Not Enough — Yet Two-Factor Auth Is Far from Common

In 2012 a very good journalist was targeted in a series of social engineering hacks that nearly destroyed all of his personal data. Though it ultimately ended up being just a close call and a huge headache, what Mat Honan went through benefitted everyone who read his tale by learning how to avoid it in the first place.

“Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened,” Honan wrote in retrospect. Two-factor authentication — or two-factor verification as some purists argue it should be titled — is the process of using a password plus something else to log into a site or app. The something else can be a temporary code delivered via SMS, a push request to an app like Authy, Google Authenticator, or Duo Mobile, or access to an e-mail account or hardware token to verify that the account owner is the one entering the correct password.

Honan’s ultimate learning lesson is a simple one; passwords are not enough. Now, going on four years later, two-factor verification is gaining awareness, but is not yet pervasive. Many tech companies, some industry leaders, are lagging in making two-factor auth an option for users, despite handling highly sensitive data. But why exactly?

Authy Vice President and General Manager Marc Boroditsky believes we are living in a time where there really is no excuse for not offering two factor authentication. “User friction is the excuse companies would use five or six years ago, because tools were extremely complicated,” he said in an interview. “But now we have a wide array of tools available that are easy to implement.”

Password policy example

Example of easy password policy settings from Atlassian.

If it’s easy enough to implement, why is it not more common ? Boroditsky says it’s “shocking” comparing which industries have more of an offering for two-factor authentication. Gaming, he said, is an industry that so far has a much better adoption rate than finance or healthcare. Financial institutions typically apply their own behavioural analytics to find abnormal behaviour and verify identity, or in some cases offer two-factor authentication by way of a hardware token. Some of them offer nothing at all. And some even restrict how long or complex a user password can be.

It’s easy to find out which apps and services support two-factor auth, and which apps do not, thanks to a few sites, including Josh Davis, creator of the site has essentially made a living reference for two-factor adoption, and at the same time a platform for action to spur non-participating companies into action. From the site visitors can send a direct tweet in one click to any company to request they support two-factor auth, like a public spur to get on board.

As to why more companies don’t offer two-factor authentication, Davis said in an interview that he suspects that it’s partly the nature of prioritisation and bureaucracy. Users aren’t exactly looking for a more complex login process, and engineers will never be without features to build or improve elsewhere. And while two-factor auth may not be flawless security, “it makes hacking accounts much harder,” Davis said.

2FA Offering

A screenshot from The sites listed in pink do not offer 2FA.

Boroditsky wagers that Internet users are reaching a tipping point. Incidents like the The Fappening — in which hackers stole celebrity images and videos by compromising their personal iCloud accounts — are helping to build a demand for more privacy and identity protection, including secure authentication. But the tipping point is not solely a demand in two-factor auth. “I can imagine a scenario where enough security problems happen with [Internet of everything] products and the sharing economy, that consumers start rejecting insecure products,” he said. “If enough of those events [like The Fappening] occur, people start to question ‘Why am I even putting that stuff up there ?’”

Companies in all markets have the burden of tackling authentication by weighing security against the user base’s technical savvy. Those who have to cover all technical levels as well as age groups — like banks and health care companies for instance — run the risk of alienating an entire demographic and clogging support phone lines and ticket queues if they implement a login policy that is too strict or complicated.

Electronic Frontier Foundation Activist Parker Higgins said many early adopters of two-factor auth benefitted from a more technical audience, but that there are examples of how it can be implemented smoothly and with community support. Twitter is one of them. The social media giant offered two-factor auth after a series of account hijacks using stolen passwords.

“It’s good that [two-factor auth is] there,” he said, “but I think for the most part, depending on two-factor is not much better than depending on users creating more secure passwords.”

But in terms of choice between apps or services, the availability of two-factor auth can be a harbinger of good security practice behind the scenes. Higgins says it can be the equivalent of the “Van Halen brown M&M’s.” The rock band famously wrote a clause into every live performance contract that the venue should provide M&M’s in the dressing room with all the brown ones removed, and included it as a simple way to make sure venues were actually reading and following the technical details of contracts. This was the case with Slack, which offered two-factor auth after being hacked in March of this year as a way of proving they were taking security seriously.

Ultimately though, as Marc Andreessen said recently, some of the responsibility for security has to fall on the user. “Consumers at some point are going to have to learn to construct a good password,” he said during a podcast with A16z “It’s just going to be part of life to have to do two-factor authentication.”

This user responsibility might also include making two-factor authentication more of an issue by demanding it from the companies who provide the daily services we use.

What are your thoughts ? Is two-factor an important security measure or should we regroup and focus on banishing passwords altogether for something more secure ?

Back to Blog