Two Factor Authentication

My introduction to two-factor authentication (aka “two-step” authentication), where you need to enter a unique code on top of your normal username/password, was nearly 10 years ago when I worked at a large publishing firm. Whenever I accessed the VPN from outside the physical office, or when I accessed some critical internal system, I would get prompted for a code. We had these key “FOBs” we carried around which generated a unique code; they were issued by RSA and looked something like this:

(Side note: I never knew why we called them a “FOB” – but Wikipedia provides a solid explanation: “The word fob may be linked to the low German dialect for the word Fuppe, meaning ‘pocket’, however, the real origin of the word is unknown.”)

The FOBs worked quite well, had a long battery life, and were reliable. I kept waiting for this technology to trickle down into consumer web applications, online banking sites, and the like — but it never did. With the terrible password habits that most people keep, it just seemed natural that these FOBs would one day make their way into our hands for non-work use. I just assumed that the price would dip to a point where banks would simply send consumers these devices for free.

So clearly that prediction didn’t happen, but fast forward 10 years, and I use my mobile phone/SMS for two-factor authentication without the need for the extra FOB hardware. Services like Paypal (SMS option), and now Google Apps (SMS and mobile apps), offer two-factor authentication by sending an SMS text with a code or by running a native mobile app that generates the unique code. Brilliant!

Overall, I think this is a great trend, and that we’ll see this level of security baked into more and more web apps and services.