Friday, October 17, 2014

Dropbox, Passwords, and 2FA

So at first, Dropbox was hacked and everyone was told to change their passwords.  Then it ended up being a bitcoin scam.  After this, we have sites claiming the only way forward is to require the use of two-factor authentication, or 2FA for short.

The first issue I have with requiring 2FA is that it mostly seems to be implemented via text message.  Try to log in, they send a text message with a code, enter the code, now you're logged in.  However, not everyone who has accounts online also has a cell phone, not everyone with a cell phone can get text messages, and not everyone who has a cell phone with text messaging trusts websites with their phone number.  Furthermore, cell phones are easy to misplace and are a prime target to be stolen, meaning that the system can still be compromised.  Also, because cell phone companies refuse to standardize and interconnect their networks for the benefit of all humankind, if you're out of range of cell service, or in another country, you probably won't get the text message.

Steam has its own 2FA scheme, called Steam Guard.  However, this is implemented much more sensibly: You try to log in from somewhere it doesn't recognize, it sends a code to the email registered on your account.  You enter that code, you're logged in.  What's wrong with that?  There's still the same potential for compromise in the system, but email accounts are generally less lucrative targets than cell phones.
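The two flows described above (a code sent by text message, and Steam Guard's code sent by email) share the same server-side logic; only the delivery channel differs. The following is an added example, not code from Dropbox, Steam, Twitter or Google, of that shared logic: a verifier that issues a short one-time code, stores only an HMAC of it, and accepts it exactly once before it expires or before too many wrong guesses, plus a small dispatcher that picks whichever channel the user actually registered (email before SMS here, so a user without a phone is still served). The ten-minute lifetime, the five-attempt limit and the channel order are assumptions chosen for illustration; the contact details and outbox are constructed.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

CODE_TTL_SECONDS = 10 * 60   # assumed: a code is good for ten minutes
MAX_ATTEMPTS = 5             # assumed: wrong guesses allowed before the code is voided
CODE_DIGITS = 6


@dataclass
class PendingCode:
    digest: bytes        # HMAC of the code; the plaintext code is never stored
    expires_at: float
    attempts: int = 0


class SecondFactorVerifier:
    """Issue and check one-time login codes independently of how they are delivered."""

    def __init__(self, server_secret: bytes, now: Callable[[], float] = time.time):
        self._secret = server_secret
        self._now = now              # injectable clock so expiry can be tested offline
        self._pending: Dict[str, PendingCode] = {}

    def _digest(self, user: str, code: str) -> bytes:
        return hmac.new(self._secret, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user: str) -> str:
        """Create a fresh code for `user` and return it for delivery; any older code is replaced."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = PendingCode(self._digest(user, code),
                                          self._now() + CODE_TTL_SECONDS)
        return code

    def verify(self, user: str, code: str) -> bool:
        """True exactly once for the current, unexpired code; wrong guesses are counted."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        if self._now() > entry.expires_at:
            del self._pending[user]          # expired: force a new code
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[user]          # too many guesses: void the code
            return False
        ok = hmac.compare_digest(entry.digest, self._digest(user, code))
        if ok:
            del self._pending[user]          # single use
        return ok


# A channel is (name, send_function); send_function(address, code) hands the code off.
Channel = Tuple[str, Callable[[str, str], None]]


def deliver_code(verifier: SecondFactorVerifier, user: str,
                 contacts: Dict[str, str], channels: List[Channel]) -> str:
    """Send a code over the first channel in preference order that the user registered."""
    for name, send in channels:
        address = contacts.get(name)
        if address:
            send(address, verifier.issue(user))
            return name
    raise LookupError(f"no usable second-factor channel for {user}")


if __name__ == "__main__":
    # Constructed demo: an in-memory outbox stands in for a mail server and an SMS gateway.
    outbox = []
    channels = [("email", lambda addr, c: outbox.append(("email", addr, c))),
                ("sms", lambda addr, c: outbox.append(("sms", addr, c)))]
    verifier = SecondFactorVerifier(b"server-secret")
    used = deliver_code(verifier, "alice", {"sms": "+15555550100"}, channels)
    _, _, code = outbox[-1]
    print(used, verifier.verify("alice", code), verifier.verify("alice", code))
```

Because the verifier only ever sees the user name and the code, the same object backs email, SMS, or any other channel; what the post argues about is entirely in `deliver_code` and the `channels` list. Storing an HMAC rather than the code itself means a database leak does not hand an attacker live codes, and `compare_digest` avoids leaking matching prefixes through timing.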

I've got 2FA enabled on Twitter, which I already use via text message anyway, but I refuse to give Google my phone number.  I'd be a lot more comfortable giving them a private email address, but they insist on having your phone number.

tl;dr scammers are assholes and 2FA needs to be implemented much more sensibly unless you can somehow guarantee that every user of your service has a cell phone and plan capable of receiving the required message.
