SMS Two-Step Authentication Now Live on WordPress.com

A couple of weeks ago, I posted about how Google and PayPal support two-step authentication on their services, allowing you to use your mobile phone to add an extra layer of security to your username/password login.

Today, some exciting news — we’ve announced on WordPress.com that we are adding SMS two-step authentication to our offering, as well as other text messaging features including comment moderation, theme change notifications, and post publishing notification.

Check out all the details on the announcement post on the WP.com news blog.

Two Factor Authentication

My introduction to two-factor authentication (aka “two-step” authentication), where you needed to enter in a unique code on top of your normal username/password, was nearly 10 years ago when I worked at a large publishing firm. Whenever I accessed the VPN when I was outside of the physical office, or when I accessed some critical internal system, I would get prompted for a code. We had these key “FOBs” we carried around which generated a unique code, and they were issued from RSA and looked something like this:

(Side note: I never knew why we called them a “FOB” – but Wikipedia provides a solid explanation: “The word fob may be linked to the low German dialect for the word Fuppe, meaning ‘pocket’, however, the real origin of the word is unknown.”)

The FOBs worked quite well, had a long battery life, and were reliable. I kept waiting for this technology to trickle down into consumer web applications, online banking sites, and the like — but it never did. With the terrible password habits that most people kept, it just seemed like a natural thing that these FOBs would one day make their way into our hands for non-work use. I just assumed that the price would dip to a point that banks would just send consumers these devices for free.

So clearly that prediction didn’t happen, but fast forward 10 years, and I use my mobile phone/SMS for two-factor authentication without the need for the extra FOB hardware. Services like PayPal (SMS option), and now Google Apps (SMS and mobile apps) offer two-factor authentication by sending an SMS text with a code or running a native mobile app that generates the unique code. Brilliant!

Overall, I think this is great, and a good trend, and that we’ll see this level of security baked into more and more web apps and services.