ANY form of 2FA is better than none. Google's effort to bring the mainstream into authentication here is laudable but, in my opinion, flawed. This is a convoluted process that requires multiple steps, a smartphone (shockingly, half of all phones in the US are still standard "feature" phones) to read the QR code, and some agility to read the code properly.
The flaw is based on the fact that in a battle between security and convenience, convenience wins. If users are forced into multiple steps to complete, they'll simply turn that option off or go elsewhere.
A 2FA method that is more secure uses a cell phone and text messaging but displays an alphanumeric code on the web page instead of a QR code and simply has the user text in the code from the cell phone, which has been pre-registered and associated with that ID and password. When this approach is taken there is no open field on the web page to be hacked, and the cell phone cannot be spoofed due to the UDID requirements and check at the carrier level.
It seems unlikely that any of Google's QR code process is as simple to the user as just sending an SMS from their phone. Simple, fast and less hackable than other available methods.
Finally, while this method is possible for a company with Google's resources, it doesn't allow for downward scalability for smaller businesses. Implementation of security measures for SMEs is a hurdle to most methods. There's no conceivable way that Google's method could be transportable to smaller companies with any ease.
Scott Goldman
CEO - TextPower, Inc.
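The server side of the "user texts the displayed code back" flow described in the comment above, as an added example that is not part of the original post or of any TextPower product. It assumes a hypothetical registry of pre-registered phone numbers per user ID, and it treats the sender number as whatever the SMS gateway reports; the carrier-level check the comment relies on is outside this code. The example adds the controls a practitioner would want around such a flow regardless of the carrier: the code is random and short-lived, it is bound to the user whose number sent it, it is single-use, the comparison is constant-time, and a handful of wrong guesses invalidates the challenge.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Alphabet without visually ambiguous characters (0/O, 1/I/L).
CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
CODE_LENGTH = 8            # 8 chars of a 32-symbol alphabet is 40 bits of entropy
CODE_TTL_SECONDS = 120     # the displayed code is only valid for two minutes
MAX_ATTEMPTS = 3           # wrong texts before the challenge is discarded


@dataclass
class Challenge:
    user_id: str
    code: str
    issued_at: float
    attempts: int = 0


class ReverseSmsVerifier:
    """Issues a code for the web page to display and verifies the inbound SMS.

    registered_phones: hypothetical registry of user_id -> phone number that was
    bound to the account at enrolment. `now` is injectable for testing.
    """

    def __init__(self, registered_phones, now=time.time):
        self._phones = dict(registered_phones)
        self._now = now
        self._pending = {}    # user_id -> Challenge currently shown on the page
        self._verified = set()  # user_ids whose second factor succeeded

    def issue_challenge(self, user_id):
        """Called after the password check; returns the code to show on the page."""
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        self._pending[user_id] = Challenge(user_id, code, self._now())
        self._verified.discard(user_id)
        return code

    def handle_inbound_sms(self, sender, body):
        """Called by the SMS gateway webhook. Returns (user_id or None, reason)."""
        # Bind the message to an account by the registered number, never by the body.
        user_id = next((u for u, p in self._phones.items() if p == sender), None)
        if user_id is None:
            return (None, "unknown-sender")
        challenge = self._pending.get(user_id)
        if challenge is None:
            return (None, "no-pending-challenge")
        if self._now() - challenge.issued_at > CODE_TTL_SECONDS:
            del self._pending[user_id]
            return (None, "expired")
        submitted = body.strip().upper()
        if not hmac.compare_digest(submitted, challenge.code):
            challenge.attempts += 1
            if challenge.attempts >= MAX_ATTEMPTS:
                del self._pending[user_id]
                return (None, "too-many-attempts")
            return (None, "code-mismatch")
        # Single use: the challenge is consumed on success.
        del self._pending[user_id]
        self._verified.add(user_id)
        return (user_id, "ok")

    def is_verified(self, user_id):
        """Polled by the web page that is waiting for the text to arrive."""
        return user_id in self._verified


if __name__ == "__main__":
    # Constructed sample run: one registered user and a fake gateway callback.
    verifier = ReverseSmsVerifier({"alice": "+15550001111"})
    shown = verifier.issue_challenge("alice")
    print("page displays:", shown)
    print(verifier.handle_inbound_sms("+15550001111", shown))
    print("alice verified:", verifier.is_verified("alice"))
```

The web page never has an input field for the code; it only polls `is_verified` after the password step, which is the property the comment is describing. Everything that can still go wrong (a stolen or SIM-swapped phone, a gateway that reports a forged sender) shows up at the `sender` parameter, so that is where any additional carrier or gateway attestation would be checked.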