Alongside more traditional features like extra storage or a wide range of smartphone apps, their sales pitches have started to cite support for “two-factor authentication,” also known as “two-step verification.” That’s a generic term for asking users to provide some shared secret besides a password; in consumer practice, this extra ingredient usually takes the form of a numeric code sent to a device or produced by an app that only you should be able to use.
It’s not a new idea, even among consumer services.
Google introduced its version back in February of 2011, and Yahoo did likewise in December of that year. But after early attention among security types and the occasional tech columnist, attention faded. Much the same thing happened a year earlier when Microsoft and then Facebook added a lesser security alternative–allowing users to request a single-use code via text message, which they could then use in place of a password.
It took a bout of successful hacking attempts to put this feature into fashion. Last July, a Dropbox employee’s account got “pwned,” leading to the exposure of users’ e-mail addresses. A few months later, a teenage hacker pierced the security mechanisms around Apple’s iCloud to take over Wired writer Mat Honan’s Twitter account and remotely wipe his laptop in the process. In February, Twitter had to reset users’ passwords after its own systems were compromised; a month later, Evernote went through the same drill.
And a growing number of U.S. government offices, law firms and companies have reported break-ins by Chinese hackers.
No further confirmation should be required that the old security routine of telling users to pick hard-to-guess passwords (how often have you seen a site reject your chosen password as too obvious?) and then maybe change them every 90 days (because no bad guy would ever think to put a keystroke logger on a compromised machine to catch each change of passwords) no longer suffices.
So last August, Dropbox began offering two-factor authentication. Apple started rolling it out as an option (with one halt to fix a serious security glitch in the first deployment) two weeks ago. And Evernote and Twitter have said they’ll provide their own forms of two-step verification.
At the most basic level, this flurry of activity represents a sensible response to a problem that will only get worse. The more time we spend in one account or another online, the more it becomes an extension of our identity and the greater the potential reward from taking it over–even as unscrupulous hosts in other countries make it ever cheaper to mass-produce malware.
But adding more sophisticated levels of security to consumer services might also bring more competition and accountability to the field.
When things like two-factor authentication were confined to enterprise-IT settings, vendors of these technologies had to operate at a certain distance from the people who use them. They sold them to IT departments, not individual employees; those staffers, in turn, couldn’t fire the IT vendor without firing their employer first.
But it’s a lot less effort to dump a Web-mail or file-storage service if its authentication turns out to be too much of a bother–or if it doesn’t protect your data at all.
I’m already seeing some useful competition and creativity in how services provide these numeric codes. Apple and Yahoo, for example, rely on text messages, with a printed backup code and a security question, respectively, as backup mechanisms. Google’s two-step verification (which I finally turned on last summer) also employs a time-synced Authenticator app that works without any data connection; that can also generate one-time codes for Dropbox and the LastPass password-management service.
But considering that most of these services only require that second verification on logins deemed suspicious, the algorithms they use to make that judgment will matter even more. In that respect, operators of Web services will have to learn from the examples of credit-card issuers that eye the location, scope and timing of each transaction to see if they suggest fraud in the making.
Are people ready for their Web services to learn that much about their tastes and travels? If you’re not, my only advice is this: Spread your online business around, so no one company can know too much about you–and the compromise of any one account won’t hurt as much.