I have tried Google's two-step authentication, and it is…a pain. With several browsers and a couple of operating systems on my laptop, it's asking me to verify via SMS for every single one of them. Not to mention on my other computers.
There's a real need for this: if one's account is compromised, your email contains lots of info on other sites you use, such as ecommerce sites. They likely have the same password, so they are compromised too. You might even have some credit card telltales in your mailbox if you aren't too careful.
And compromises are easy. With a botnet, millions of automated dictionary attack attempts can be made, and they are hard to stop.
So this is very much needed, but this implementation has way too much friction. There are better options and/or tweaks that are needed:
- For example, show a photo and have me click on a specific spot on the photo as part of authentication. That's easy to remember.
- Or ask me a question to which I know the answer, such as "what was your first pet?"
- Don't make me reverify over and over when I'm on the same IP address (it seems to do this, and there is an argument for that; for example, on a large company's network everything may look like one IP, but in reality most threats in that situation are external anyway).
Some of these variants aren't quite as strong, but it is key that a large percentage of users have the feature on, and they simply will not as-is.