Bill Gates in 2004 predicted the death of the password over time. “They just don’t meet the challenge for anything you really want to secure,” Gates said.
Ten years on, passwords haven't gone anywhere, and as the recent nude-celeb-pics-on-iCloud affair proved, the medium still doesn't pass muster, yet it is in widespread use in scenarios that didn't even exist when Gates was talking.
At this point, the naked celebs story looks like it was a case of human error – setting passwords that were relatively easy to break – as much as the technology itself being breakable.
In the wake of password breaches it becomes a scramble to remember which passwords you used on what sites. Humans are not programmed to remember super complex passwords of gibberish! Some less security-conscious people may resort to the trick of adding a 1 or a 0 to the password come renewal time.
Rather than blame the users, one could look at the length of password and argue that reuse is understandable, if not excusable. You were clever and kept a spreadsheet, right? That in itself is an epic failure of basic security.
“There has to be an easier way?” I hear you scream. Yes, there is.
Two-factor authentication (TFA) was shoved into the spotlight by the naked-celebs story not least because Apple claimed iCloud already employed this technique, as we noted here, though, don’t let that put you off TFA – Apple wasn’t being entirely straightforward about the need for TFA on its cloud.
The fact remains, TFA remains a strong option for securing your web activities.
TFA for dummies – an overview
Simply put, TFA is based around the premise of using something you know – a password – and something you own – like a smartphone or the hardware token that some banks provide to users to gain access. TFA is perhaps the simplest method of attacking the password problem.
When both parts – the password and the token information – are paired together, they give you a unique key that allows access to the device or resource in question, and the system can be fairly sure that the person is who they say they are. The only downside, other than forgetting your phone or it having a flat battery, is the question of what is supported. Any service you want to use will need to support TFA, and also the type of TFA you want to use.
There are several variations to choose from. Interchangeable it is not. This is not such a problem for large companies with established IT services and established centralised management, as well as the will and means to add relatively expensive security infrastructure.
TFA is also widely used to secure VPN access, and with it the devices inside a network that are reached over the internet. On the individual level, for securing mildly important stuff such as e-mail, Google and Microsoft provide TFA for a number of their services, including e-mail, and it works well for the most part. You can even install TFA onto your Ubuntu box and use Google's TFA application if you wish.
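The "something you know plus something you own" pairing described in the overview above, and the app-based TFA that Google offers, are most commonly implemented as time-based one-time passwords (TOTP, RFC 6238, built on HOTP, RFC 4226). The following is an added example, not code from the article or from Google: it enrols a secret, derives the six-digit code the phone app would show, and verifies a submitted code on the server side with clock-drift tolerance and replay protection. The `TotpVerifier` class, the `provision` helper, the account name and the timestamps are constructed for illustration; the key `12345678901234567890` is the published RFC 6238 test secret, so the printed values can be checked against the RFC's Appendix B.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Tuple
from urllib.parse import quote


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) using HMAC-SHA1."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226 s5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the 30-second step counter."""
    return hotp(key, at // step, digits)


def provision(account: str, issuer: str) -> Tuple[bytes, str]:
    """Enrol the 'something you own': a fresh random secret plus the otpauth URI that
    authenticator apps scan as a QR code. Store the secret server-side, show it once."""
    secret = secrets.token_bytes(20)
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}")
    uri = f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}&digits=6&period=30"
    return secret, uri


class TotpVerifier:
    """Server-side check of a submitted code (hypothetical helper, not a library API).

    Accepts +/-window steps of clock drift, compares in constant time, and refuses any
    counter at or below the last accepted one, so a code captured during one step cannot
    be replayed within the drift window.
    """

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.key, self.step, self.digits, self.window = key, step, digits, window
        self.last_counter = -1

    def verify(self, code: str, at: int) -> bool:
        if len(code) != self.digits or not code.isdigit():
            return False
        base = at // self.step
        for drift in range(-self.window, self.window + 1):
            counter = base + drift
            if counter <= self.last_counter:
                continue                          # already used or older: treat as replay
            if hmac.compare_digest(hotp(self.key, counter, self.digits), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    rfc_key = b"12345678901234567890"             # RFC 6238 Appendix B test secret
    print(totp(rfc_key, 59, digits=8))            # 94287082
    secret, uri = provision("alice@example.com", "ExampleCorp")   # constructed sample
    print(uri)
    verifier = TotpVerifier(secret)
    now = 1_400_000_000                           # constructed timestamp
    print(verifier.verify(totp(secret, now), now))       # True
    print(verifier.verify(totp(secret, now), now + 5))   # False: same step replayed
```

Two design points matter more than the arithmetic. The drift window is what makes a phone with a slightly wrong clock still work, but every extra step of tolerance widens the interval in which an intercepted code is valid, so keep it at one step and remember the last accepted counter rather than simply checking "does any candidate match". And because the shared secret is all that separates the "something you own" from an attacker who has copied it, it deserves the same storage protection as a password hash, even though it cannot itself be hashed.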