To my way of thinking, 2013 is the TFA year. No, I don't mean "too freaking awesome," though some day we may see it that way. I do think that we'll look back on 2013 as the year of two-factor authentication -- or maybe the year passwords died. No, that's probably too much to hope for. But multi-factor authentication (of which two-factor is a special case) certainly seems to be finally taking hold.
Two of the big three destination websites (Google and Twitter) have introduced optional two-factor authentication. The third (Facebook) has introduced an optional and occasional form of TFA called "login approvals." With this system, you need to use a second factor -- an SMS message -- whenever you access the site from a new platform (PC or mobile device). Once you've logged in from the new platform and registered it, there's no need to do anything except enter your password on subsequent visits from that platform.
More people are urging Facebook to follow Google and Twitter and enable TFA with every login. Additionally, services such as Dropbox, WordPress, and Amazon Web Services offer optional two-factor authentication. The reason people are clamoring for this is quite simple. Just look at the headlines:
- 2 Million Stolen Passwords Recovered (Information Week)
- More than 2 million stolen passwords found on hacker server (Chicago Tribune)
- Google, Facebook, payroll accounts targeted in major password theft, security experts say (Washington Post)
That would scare most people, but the headline that scared me was in USA Today last week: Four tips for creating stronger passwords. People, there are no stronger passwords. There's weak, weaker, and weakest. There are no passwords that a human can remember that will keep a determined miscreant (or government service) from cracking your account. None.
The TFA solution vendor Authentify surveyed 428 security pros at financial services, corporate information security, and health insurance providers. In that survey, 41% of respondents said they favored implementing a second authentication factor to strengthen login processes using passwords.
Why not eliminate passwords? According to a whopping 72.5% of Authentify respondents, passwords would continue to be used in their respective worlds. Most of us have given up trying to eliminate passwords. In February 2004, Bill Gates said, "There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don't meet the challenge for anything you really want to secure." Well, we know how prescient he was.
The solution to the all-passwords-are-weak problem is for additional authentication methods to be used alongside the password. Biometrics (fingerprints, retina scans, vein readers, heart monitors, etc.) are an option -- one that I favor but that has strong opposition in the marketplace. Tokens -- both hardware (like the RSA SecurID) and software (such as those provided by the SPML protocol) -- are currently the favored second factor. The Google, Facebook, and Twitter systems rely on software tokens delivered out of band (via a cellular network rather than the broadband network), helping to drive acceptance of that factor.
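To make the "password plus a second factor" model and Facebook's "login approvals" behaviour concrete, here is an added example (not code from Google, Facebook, Twitter, or any vendor named above): a software token computed with RFC 6238 TOTP stands in for the out-of-band code, and a device that has completed one approval is trusted for password-only logins afterwards. The account layout, the `login` return values and the trusted-device set are my assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import struct
import time


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1: what the software token on the phone computes."""
    counter = int(at if at is not None else time.time()) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # RFC 4226 dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Account:
    """Constructed account record: salted password hash, token seed, trusted platforms."""

    def __init__(self, password, otp_secret):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 200_000)
        self.otp_secret = otp_secret
        self.trusted_devices = set()              # platforms that already passed a login approval


def login(acct, password, device_id, otp=None, now=None):
    """Login-approvals style check. Returns 'denied', 'otp_required' or 'ok'."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), acct.salt, 200_000)
    if not hmac.compare_digest(candidate, acct.pw_hash):
        return "denied"                           # password is still the first factor
    if device_id in acct.trusted_devices:
        return "ok"                               # registered platform: password only
    if otp is None:
        return "otp_required"                     # new platform: demand the second factor
    t = int(now if now is not None else time.time())
    # Accept the current step and the previous one to tolerate delivery delay and clock skew.
    if any(hmac.compare_digest(otp, totp(acct.otp_secret, t - d)) for d in (0, 30)):
        acct.trusted_devices.add(device_id)       # register the platform for next time
        return "ok"
    return "denied"
```

A stolen password alone now yields only `otp_required` from an unregistered device, which is the whole point of the second factor.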
Apple introduced a fingerprint reader with the iPhone 5S. Samsung is reported to be working on an iris scanner for its upcoming phones. Both are steps to a workable, acceptable biometric second-factor solution. There are even rumors that Google will soon require two-factor authentication for many, if not all, of its services.
Maybe in the years to come, we will look back on 2013 as the year our accounts finally became secure. That certainly would be too freaking awesome, wouldn't it?