Monday, June 3, 2013

Two-Factor Authentication - What's the right way

Following the numerous compromises of accounts on various online services (the most widely reported being the Twitter account compromises), more and more online services are providing means for Two-Factor Authentication (2FA).

Just as a short primer, authentication is the procedure a service uses to verify that the user asking to authenticate is actually the user who holds the account. A good, simple example (of one-factor authentication) is a username/password combination: I authenticate to the service by providing my username/password combination, and since I am the only one who should know it, I am authenticated as the owner of the account.

The big problem with the above is: what happens if my credentials are stolen or compromised? The service can then be tricked by a third person, who presents the valid username/password combination, into thinking that this third person is me! Granted, there are cases where this is actually desirable (such as shared accounts), but in the end the result is the same: the service has no way to tell whether the person between the chair and the keyboard (or behind the touchscreen nowadays) is the account holder.