- Websites continue to fail to store passwords safely. Passwords get stolen, and people reuse passwords, leading to unauthorised access to accounts on sites that are themselves secure.
- Even those who don't reuse passwords occasionally feel the need to log into their Gmail/Facebook/Hotmail/Twitter accounts on compromised machines, which then steal their passwords and gain access to those accounts.
- For those who wear tinfoil hats, there is no such thing as too much security.
Common two-factor authentication implementations
One time password via SMS/email: The service sends the pin to you via an out-of-band mechanism, such as SMS or email.
Shared secret: When you enable two-factor authentication with your service, you and the service share a secret key (over a secure channel, such as TLS). Upon a login attempt, you and the service each independently compute the same pin from the secret key; the pin is valid only for a small interval, such as 30 seconds, and if the two match, the service authenticates you.
The Time-Based One-Time Password algorithm (TOTP) is a common and secure way to generate such pins from a shared secret and the current time. There are a few implementations of TOTP, including Google Authenticator (an Android app), a PAM module provided by Google, and libraries in your favourite language.
A common misunderstanding: the only parties who know the shared secret, and hence the one-time pins derived from it, are you and the service. When using Google Authenticator, or any other TOTP implementation, neither Google nor any other third party is involved in the process.
| | One time password via SMS/email | Shared secret (TOTP) |
|---|---|---|
| Advantages | Only requires SMS/email, which everybody has. | No trusted third party. No lag. |
| Disadvantages | Your network provider must be trusted. Vulnerable to mobile number porting. | Requires a smartphone. Requires your phone's clock to be in sync with the service's. You can only log in once every 30 seconds. Reliant on a shared secret. |
Who provides what?

| Service | One time password via SMS/email | Shared secret |
|---|---|---|
| Amazon Web Services | No | Yes |