Two factor authentication is a trade-off between security and convenience


Twitter simplifies two factor authentication but it still requires working phone

Twitter simplifies two factor authentication but it  requires a working smartphone

There is often a trade-off between security and convenience. For example, many houses have two locks — a regular door lock and a bolt lock. If you use both of them you have a bit of extra security but it will take you slightly longer to enter your house.

The same is true with the locks that protect our online accounts. It would be really easy to access our Twitter, Facebook, Gmail and even our online bank accounts with a simple password like “password,” but that would be practically like leaving your front door unlocked. On the other hand, there are lots of ways to make it more secure, but those methods typically come with varying degrees of inconvenience.

In May, Twitter started offering users an optional way to make it harder for intruders to break into their account but it also makes it a bit harder for you to sign-on. It’s called “two-factor” authentication and — initially — was similar to methods used by Facebook and Google.

Two-factor authentication is a bit like an ATM card — you have a physical card and a secret personal identification number (PIN). Used together, they let you take money out of your bank account. Without the card, the PIN is useless and vice versa.

Better have a working cell phone handy

There are a variety of ways to implement two-factor authentication but the ones used by Twitter, Google and Facebook all require that you have your mobile phone handy and it better be working and in range. The system introduced by Twitter in May sends you a text message with a special one-time-only code when you try to log on.

That process not only adds an extra — and possibly time consuming — step when you log on, but requires you have your phone with you and that the battery is not dead.

Google’s optional two-factor authentication also sends you a text message but you can configure it to ask for the code only if you’re logging on from different machine than you usually use. If your phone is unavailable or not working, another option is to use a long and complicated backup code that you’re almost certain not to remember.

Facebook calls its system “Login Approvals.” It, too, requires you have your phone with you if you’re using a different machine or browser than usual, and it, too, has an optional (10 digit) backup code to use if you’re phone isn’t available.

Twitter makes it somewhat easier

Twitter last week introduced a new version of its smartphone app designed to make two-factor authentication a bit easier. It now uses “push messaging and in-application approvals,” so you no longer need to provide a phone number or rely on a text message. Once you activate it, every time you try to log on to Twitter you get a message saying “we’ve sent a login verification request to your phone.” You then have to launch the Twitter app on your phone and click on a relatively obscure message. Like the text message solution, it requires your phone to be in reach, charged-up and in-range.

When I turned on the new settings, I didn’t have any trouble getting into my account. But Los Angeles Times reporter Paresh Dave experienced a flaw in the system that caused him to write, “Twitter effectively locked me out.” A Twitter spokesperson told me on Wednesday that that was a bug their engineers were working to fix.

While the new Twitter system may be a bit easier to use than the older text message method (which is still available), it remains a bit of a hassle. The biggest problem, of course, is if your phone isn’t working. That backup code solution that Twitter, Facebook and Google use will get you in but only if you can remember it or find it. It’s unlikely most people will remember that random string of digits, so if you ever do find yourself with a dead or missing phone, you had better have that code handy. One solution, I suppose, is to write it on a piece of paper and keep it in your wallet, but that brings up yet another security issue if your wallet was ever lost or stolen. If you go that route, don’t write the name of the service next to the code.

Another option is to contact Twitter’s support team, which, according to a Twitter spokesperson, has ways to authenticate you and get you back in. But it’s not going to happen instantaneously.

As problematic as these phone solutions are, they’re easier and cheaper than many other forms of authentication, such as having to carry around a separate device that generates a random key every time you log in. Biometric methods, such as retinal scans, finger print readers or even face or voice recognition have their strengths and weaknesses as well.

More work needed

I applaud these companies for finding ways to improve security, but I sure hope they keep working to find better and less obtrusive ways to let us — and only us — into our accounts without having to make us jump through too many hoops.


This post is adapted from a column that first appeared in the San Jose Mercury News