Two-Part Authentication: Is it worth it?

There are basically three ways that we can authenticate who we are to a computer system. We can do it based on:

  • Something we know (password, PIN code, username, etc.)
  • Something we have (cell phone, RFID card, security card, ID card, etc.)
  • Something we are (facial recognition, fingerprint, DNA, retina scan, or bone structure of the hand)

Two-part authentication requires a person to provide something from two of these three categories. You do this when you put your bank card in an ATM (something you have) and enter your PIN (something you know). Three-part authentication, while possible, is not often used because it causes too much of a hassle for the little bit of extra security it provides.

Two-part authentication is attractive for several reasons for online accounts (email, Facebook, Twitter, etc.). It can thwart several of the common attacks (keystroke loggers, password sniffing, shoulder surfing, etc.) as well as the common mistakes users make (writing down a password, sharing a password with others, using the same password on multiple accounts, etc.). It can also be very helpful in making sure that if one account is compromised, all your other accounts don't also get attacked.

If you are doubting the need for an extra layer of security, check out these two articles about people who had their online presence stolen:

While you might not be such a high profile target as James Fallows or Mat Honan, think of the impact that it would have on your life if your accounts were deleted, compromised, or used for nefarious purposes (bullying a local teen, posting illegal materials, etc.).

This Lifehacker post offers a great set of links to sites and directions on enabling two-part authentication for your accounts:

Here are a couple of other good blog entries on the topic:

I have been talking about the value of two-part authentication to all of my University of Missouri students and making them try it on at least a couple of accounts. Of the students that have tried it, I would say that:

  • 50% of the students think it is worthwhile
  • 30% think that they are simply not a target so they don’t need the extra security
  • 20% think that it is too much of a hassle to have to wait 10 seconds extra to receive a text or type in an extra code.

Right now, you can get various incentives (10% off your DreamHost and Mailchimp bills, for example) for using two-factor authentication. That will change to a requirement as more systems for fingerprint input and other "quick" ways to perform a second type of authentication spread.