Something you know and something you have

Data protection is obviously a very important issue, and companies that encourage us to use their services to store our data must take security seriously. Two-factor authentication has been developed to offer greater security. I have heard two-factor authentication described as something you own and something you know. Cute and easy to remember, but the operationalization translates as “you know your password” and “you own your phone”. In concept it works like this: once you turn two-factor authentication on, your existing services are immediately disabled. You now must use the two factors to activate them again. So, instead of using your password, which is initially rejected, you use a code (a number) that is sent to the SMS system on your phone when your password fails.

Here is my problem with this system. It seems designed by engineers with little insight into how real people actually use devices. It first assumes you have a smartphone (there is a way around this, but the way around makes the process even more complicated). Second, it is not a system-wide approach and must be completed for each device. My situation involved authenticating (so far) on my phone, two iPads and a Nexus 7, three laptops and three desktops. This may be a little extreme, but not really. I have equipment purchased for me by my university and equipment I have purchased for my personal use, etc.

It gets worse. I commonly use Google apps through a browser. For a time, I had to authenticate each time I opened the browser. This was a hassle because I am not one of those tech guys who carries my phone or enjoys doing all possible things with it. The issue here concerned my phone settings. As a security measure (I use so many different devices – mine and public), I had my browser set to delete cookies when I shut down. Hence, the engineer’s solution of permanence was to set a cookie. So, I changed this permission and this seemed to fix the problem with browsers. It is kind of funny though, don’t you think, to address a security issue by eliminating a security precaution?

OK, so you authenticate once using something you have and you use your password (something you know) each time and you have a cookie set and this fixes the browsers (once for each one by the way). Then there are your apps. Apps don’t set cookies (I don’t think) so this process will not work for apps. Google has apps. What were they thinking?

There is a completely different system for apps. Instead of the app sending a message to your phone and setting a cookie, you request an app-specific password using your device and you are sent a 16-element password to enter. You destroy any evidence of this display. Then, the app works. Again, repeat with all devices.
OK – perhaps there is a better way and I don’t understand. However, what I have described here works, but was labor intensive.
I am concerned. I am heading to Russia for three weeks. I value security, but I also do not intend to take my phone. I know there is a way to request multiple codes I can take with me (printed on a piece of paper in my billfold). I keep thinking there must be a better way.
