Tumblr Monday became the latest entrant in the trend toward two-factor authentication, offering up another level of access control to secure user sign-in.
Like other services, such as Twitter, Dropbox, Evernote, and Google that have instituted two-factor authentication, Tumblr is offering the feature as an option and not a requirement.
The company, however, is pushing users toward activation. "Your account is far less likely to get compromised if you've enabled two-factor authentication," the company wrote on its blog.
Twitter and Evernote added their two-factor authentication (2FA) options after hackers breached their networks and stole passwords. Tumblr clearly is not waiting for a similar fate in order to beef up its security.
Traditionally, interest in 2FA has not suffered at the hands of the technology, but from users who grow tired of the extra sign-in steps or lose hardware tokens that provide a second factor. Usability studies done by Google as far back as 2008 show that websites and enterprises consistently get feedback from users saying the process becomes annoying after repeated usage and the sign-in process becomes cumbersome.
Gunnar Peterson, managing principal at Arctec Group told ZDNet last year that two-factor authentication is "an incremental win, and it is generally good that [this interest in two-factor authentication] is happening." But he added that "initial authentication needs to get stronger."
Last year, a report by SplashData showed that "123456" was the most popular password used on the Internet.
For Tumblr users to get an extra measure of security, they will need their phone and a unique, single-use code that can either be sent to them via text or generated by an authenticator application. Tumblr recommends Google Authenticator, and says users should activate both options in order to ensure backup.
Tumblr users will need to activate the feature via the Settings menu on their Dashboards.
In the face of high-profile password thefts over the past year or so, two-factor authentication has emerged as one option for increased security that applies to a finite set of use cases. Other options, such as federated models that provide massive scale across sites are emerging like the UK's Identity Assurance (IDA) program, and the National Strategy for Trusted Identities in Cyberspace (NSTIC) in the US. Both are applicable to enterprises, governments, organizations, and cloud services alike. They are both part of a new cloud-era authentication infrastructure that is emerging.
After recent password breaches at Comcast, Kickstarter and Adobe, end-users are getting more in tune to alternatives like two-factor or federated identity. Of course, only time will tell if increased security becomes the default mentality of end-users, who have consistenly been the weak link in the chain.