Evolution Of Password Management - 2 (Or 3) Factors

Nowadays many online services use additional factors to make up for the lack of security that passwords represent (no pun intended). These are the three factors:

  1. something you know (usually a password)

  2. something you own (a token generator, a previously registered mobile phone, etc.)

  3. something you are.

The Second Factor

Probably the first online attempt was put in place by banks, in the form of a token generator synchronized with the bank's servers. It works this way: you log in to your bank account with a regular password, but you are only allowed to look around. When you need to do something with your money (pay a bill, buy shares, etc.), a special code is required.

This code is a number provided by the token generator that changes every few seconds. So, even if someone can look at it, it would quickly become useless.

Other services, such as Google, Twitter and LinkedIn, use a different approach. Each time you log in from a different device/browser, they send a text message with a one-time code to your mobile phone and ask for it during the login process. At that point you can decide to mark the current device as trusted, so no more codes will be asked for on it.

In both cases (token and text message), the additional code certifies that you also "own" the second factor. Unfortunately, text messages can be intercepted, making this kind of authentication insecure for some types of applications.

The Third Factor

This factor (called biometric authentication) is not widely used on the internet, but I'm sure you have seen it (being cracked) in many spy movies. It can be your voice ("My voice is my passport"), your eyes (as seen various times) or your face or fingerprints (too many movies to mention). Other biometric factors can be:

  • the pattern of veins beneath the skin of specific parts of the body (usually hands or specific fingers)

  • the ear shape (both external and internal)

  • the DNA (some say that in the future 23andMe will provide this kind of service)

As a side note, when used by itself...

Of course, this is valid for every biometric factor, not just fingerprints. It should be obvious but sometimes a reminder is useful.

Cover image by Yargetty/sandbox taken from Wikimedia Commons licensed under the Creative Commons Attribution-Share Alike 4.0 International license.

Post last updated on 2017/01/04.