Friendly auth

These days, two-factor-auth is the new black. Yet, it’s not always practical, kind of disturbing and not very fun. Let me try to propose a fun approach in this era of social web.

Let’s start with a couple assumptions, which, I believe are relatively safe. First, the devices we use to access the web have cameras. It’s pretty obvious on smartphones, seems fairly reasonnable on laptops and tablets. Second, most identification mechanisms now use our profile on social networks, whether it’s Facebook, Twitter or Google… Third, we’re almost always online, which means we react to messages pretty quickly.

Bob forgot his password

Or maybe he never had one. Yet, Bob needs to authenticate with a service. Let’s take Twitter for example. Twitter is probably smart enough to identify actual friends of Bobs, using for example reciprocal followings and strong interractions both ways. Alice is one of Bob’s friends. She follows him and he follows her. She tends to retweet his stuff and he tends to retweet her stuff. They also fav’ each other’s messages.

Alice knows Bob

When Bob asks Twitter to authenticate him, Twitter will find Alice as one of his closest friends. Then, Twitter will ask Bob to take a picture of himself with some kind of proof that the picture was taken now. It can be some special random sign that Twitter asks Bob to do, like put his right index on his nose, or show his palm with 3 fingers up… etc. The whole goal is to make sure that the picture is fresh and unique. Then, Twitter will send a direct message to Alice, along with the picture and ask her to confirm that this is Bob and that Bob is indeed putting his right index on his nose. If she does, Bob will get access to his account back. If she does not, Twitter may either ask another friend of Bob, or just block whoever is impersonnating Bob for a couple hours!

Variants

Of course, this can be made more secure by asking that 2 or 3 or more friends confirm that Bob is Bob. Video (and sound) can also be used instead of a picture by asking Bob to say some kind of un-predictable sentence… etc.

People > Devices.

Eventually, what I like the most with this approach is its humanity. We are people and I’d much reather interract with people (thru a screen) than with an algorithm. It also works for people traveling abroad who can’t access their cellphones… etc.

Note: I’ve been reminded by Maxime that Facebook already uses an interesting approach. When Bob asks for a new password, Facebook will show Bob pictures of his friends and ask him to name the friends. It’s not a “social” approach, because you only interract with an algorithm, but still, it’s another factor!