Jeff Owens.com

My Heart Bleeds for Two-Factor Authentication

TwoFactorAuth.org

After having survived the OpenSSL Heartbleed bug, users are beginning to demand that companies do a better job of securing their websites by implementing two-factor authentication.

A software engineering student at Iowa State named Josh Davis has developed a website called TwoFactorAuth.org that encourages companies to implement two-factor authentication. The website lists the companies that have and have not implemented the security feature, as well as those currently working on it. It also provides an easy way to nudge non-compliant companies via Twitter.

Developers can add companies to the TwoFactorAuth.org list by issuing what is called a "pull request" on GitHub.com, which is where the developer currently stores the source code for his website. I added MyDomain.com to the list, a domain registrar I've used in the past.

Google was one of the first companies to introduce two-factor authentication to a wider audience on the web. Here is Wikipedia's description of their implementation:

The first step is to log in using the username and password. This is an application of the knowledge factor.

The implementation of the second step requires a mobile phone or the Google Authenticator application, which is an application of the possession factor.

If the user opts to use a mobile phone, he/she has to register his/her phone number with Google. When one attempts to authenticate with username and password, Google will send via SMS a new, unique code to the phone. Receiving the SMS demonstrates that the user has the phone (or, in the case of GSM-like networks, the appropriate SIM chip).

If the user opts to use the Google Authenticator (or another supported code generator application),[7] he/she simply opens the application, which generates a new code every 30 seconds. This code is to be entered to complete the log-in process. As a backup option in case the registered mobile phone or device running Google Authenticator is lost, stolen, or otherwise unavailable, the user can print a set of static single-use backup codes (also the knowledge factor) and store them in a safe place.

After downloading the free Google Authenticator application on your phone, you simply tap the edit pencil icon and then the plus button to add a new entry. You can enter the code the website gives you manually or by using the Scan Barcode feature. Once you have added a website to the Google Authenticator app, you will see a six-digit number appear above the website's name. The number changes about every 30 seconds, and it is the extra "factor" you enter when the website prompts you for it.

I have added two-factor authentication for Google, Facebook, Dropbox, Evernote, Microsoft, Digital Ocean, TeamViewer, and GitHub. And I've implemented it via SMS on Apple and Twitter.

In addition to two-factor authentication, I recommend everyone use a password manager application such as LastPass or, for Mac users, 1Password. These apps generate and store your passwords for you in an encrypted database, and they make it easy to sync that encrypted database to all of your computers and devices by using a file-sharing service like Dropbox.com.

It's 2014 folks, welcome to the new normal.