Tom's Blog

Personal two-factor authentication, and who supports it

The problem

  1. Websites continue to fail to store passwords safely[1]. Passwords get stolen, and people reuse passwords, leading to unauthorised access to accounts on otherwise secure sites.
  2. Even those who don't reuse passwords occasionally feel the need to log into their Gmail/Facebook/Hotmail/Twitter accounts on compromised machines, which then steal their passwords and gain access.
  3. For those who wear tinfoil hats, there is no such thing as too much security.
Two-factor authentication solves the above problems: upon attempting to log into a service (e.g. Gmail/Facebook), the service will prompt you for a pin, which is valid for only one login.

Common two-factor authentication implementations

One time password via SMS/email

The service sends the pin to you via an out-of-band mechanism, such as SMS or email.

Shared secret

When you enable two-factor authentication with your service, you and the service share a secret key (over a secure channel, such as TLS). Upon login attempt, using the secret key, you and your service can each independently compute the same pin, which is valid only for a small interval like 30 seconds, and if they match, the service will authenticate you.

Time-Based One-Time Password Algorithm (TOTP) is a common and secure way to generate such pins from a shared secret and the current time. There are several implementations of TOTP, including Google Authenticator (an Android app), a PAM module provided by Google, and libraries in your favourite language.

A common misunderstanding: the only parties who know the shared secret are you and the service. When using Google Authenticator, or any other TOTP implementation, neither Google nor any third party is involved in the process.

Relative merits

SMS/email
  Advantages:
    - Only requires SMS/email, which everybody has.
  Disadvantages:
    - Your network provider must be trusted.
    - Vulnerable to mobile number porting.
    - SMS is unreliable.

Shared secret
  Advantages:
    - No trusted third party.
    - No lag.
  Disadvantages:
    - Requires a smartphone.
    - Requires your phone's clock to be in sync with the service's[2].
    - You can only log in once every 30 seconds[3].
    - Reliant on a shared secret[4].

Who provides what?

Service              SMS/Email   Shared secret
Google               Yes         Yes
Facebook             Yes         No
Amazon Web Services  No          Yes
LastPass             No          Yes
Steam                Yes         No
Dropbox              Yes         Yes
Twitter              No          No
Box                  Yes         No
Your server          ?           Easily!

Conclusions

Enable two-factor authentication for the services whose security you care enough about to accept the cost in convenience. Use a shared secret if you can; otherwise, use SMS/email. Bravo Google and Dropbox!

Footnotes

[1] Bonus points for scoffing at bcrypt, in favour of scrypt.

[2] There are counter-based, rather than time-based, pin generation algorithms, such as HOTP, but that too has issues, such as the counter becoming out of step.

[3] You can only log in once every 30 seconds, since the pin only changes every 30 seconds (any more frequently and it would be difficult to enter your pin within the 30 seconds that it is valid), and each pin is one-time. The 30 seconds is configurable, and for convenience, TOTP implementations (such as Google's) sometimes accept any pin that is valid within 3 minutes (or so) of the current time. This also helps mitigate annoyance due to clock skew.

[4] If either your phone or the service becomes compromised, and neither of you realises it, an attacker could have continued access to your account. Such a compromise when sharing pins via SMS/email would not necessarily provide continued access to your account.
