Two-factor authentication in two years


Summary: Two-factor authentication requirements will be accepted by websites and end users at least to aid sensitive transactions, an analyst has predicted.


Within a couple of years, two-factor authentication is going to be unilaterally required by online service providers and accepted by users, at least for sensitive transactions, according to Forrester analyst Eve Maler.

Maler's prediction comes in the wake of breaches over the past 14 months that are exposing the underlying weakness of passwords.

"With the greater experience of banks starting to introduce [two-factor authentication] in a minimal way, and the greater experience of password breaches forcing people to undergo some pain, I think we are going to experience a sea change in strong authentication that consumer users will encounter for ordinary online interactions," said Maler.

"I see it the same way social logins became a federated single sign-on pattern we thought consumers would never go for," she said. In that case, many consumers have accepted using their Facebook, Twitter, or other credential to log in to other sites, for example games connected to Facebook or analytic applications connected with Twitter. Some enterprises have also adopted social logins as a low-level credential for initially authenticating users, most notably Bechtel and Boeing.

Maler acknowledged that adoption of two-factor authentication is not spreading quickly through the end-user population.

Sites such as Apple, Evernote, Amazon Web Services, PayPal, and Dropbox have recently made news by instituting a two-factor authentication option for their users. Sites like Google and Yahoo have offered it for some time. Adoption numbers, generally, have been perceived to be low, given usability issues and end-user indifference to security.

"The US market is less tolerant of that kind of friction than a lot of the other markets around the world where it is par for the course," said Maler.

Google uses a technique it calls two-step verification (2sv): a normal credential followed by a six-digit verification code delivered by various means. Publicly, Google will only say it has been adopted by millions of its users. But even 10 million users would be a single-digit percentage of users across its apps and social sites. The company claims its deployment is among the largest two-factor authentication deployments in the world.
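The pattern described above (a primary credential, then a short numeric code delivered out of band) is easy to get wrong on the server side. The following is an added example, not Google's code or anything from the article, of the generic second step: issuing a random six-digit code, storing only an HMAC of it, and verifying it with expiry, single use, an attempt limit and a constant-time comparison. `SERVER_KEY`, the TTL and the attempt cap are assumed demo values; delivery of the code (SMS, voice call, app) is out of scope and represented by the returned string.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumption: in a real deployment this key comes from a secret store, not source code.
SERVER_KEY = b"constructed-demo-key-not-for-production"

CODE_TTL_SECONDS = 300   # a delivered code is valid for five minutes
MAX_ATTEMPTS = 5         # after this many wrong guesses the challenge is dead


@dataclass
class Challenge:
    """Server-side record of one outstanding verification code."""
    user: str
    code_mac: bytes      # HMAC of the code; the plaintext code is never stored
    issued_at: float
    attempts: int = 0
    used: bool = False


def _mac(user: str, code: str) -> bytes:
    # Binding the user into the MAC stops a code issued for one account
    # from being replayed against another.
    return hmac.new(SERVER_KEY, f"{user}:{code}".encode(), hashlib.sha256).digest()


def issue_code(user: str, now: Optional[float] = None) -> Tuple[Challenge, str]:
    """Create a six-digit code for `user`.

    Returns the challenge to persist and the code to deliver out of band.
    secrets.randbelow gives a uniform value over 000000..999999.
    """
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(1_000_000):06d}"
    return Challenge(user, _mac(user, code), now), code


def verify_code(ch: Challenge, user: str, code: str, now: Optional[float] = None) -> bool:
    """Check a submitted code against a stored challenge.

    Fails closed on: wrong user, already-used code, expired code, too many
    attempts, or a mismatch. A six-digit space is only a million values, so
    the attempt cap is what makes online guessing impractical.
    """
    now = time.time() if now is None else now
    if ch.used or ch.user != user:
        return False
    if now - ch.issued_at > CODE_TTL_SECONDS:
        return False
    if ch.attempts >= MAX_ATTEMPTS:
        return False
    ch.attempts += 1  # count the guess before comparing, so failures are charged
    if not hmac.compare_digest(ch.code_mac, _mac(user, code)):
        return False
    ch.used = True    # single use: a captured code cannot be replayed
    return True


if __name__ == "__main__":
    # Constructed walk-through: issue, one wrong guess, then the right code.
    challenge, delivered = issue_code("alice")
    print("deliver out of band:", delivered)
    print("wrong guess accepted?", verify_code(challenge, "alice", "000000"))
    print("right code accepted?", verify_code(challenge, "alice", delivered))
    print("replay accepted?", verify_code(challenge, "alice", delivered))
```

The `Challenge` record would live in a database keyed by session; the important properties to preserve when doing so are that the plaintext code is never written down, that `attempts` and `used` are updated atomically, and that expiry is enforced from the server's clock rather than the client's.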

Maler doesn't suggest that two-factor authentication is the solution to all authentication problems or should be used in all cases, but she said that recent real-world breaches and the process for password resets show that these exercises are not the most pleasant experiences.

"So I am sticking my neck out and making a prediction for more tolerance of adding a factor here and there, at least at some times — say, when you are not on a trusted device," she said.

But she does think that while there will be some security gains, there will also be some conveniences lost — most notably something she calls "consensual impersonation". (More in her blog post.)

Maler said that is when you share your credentials with another person, so that person can do stuff in your account as though they were you.

Maler admits some people are beginning to see these password breaches like a hard-drive crash: it happens. End users and even security pros can get desensitized.

"I think the turning point will happen when we see someone turn on two-factor unilaterally to protect some resource," she said. "Perhaps it's a bank at first where there is obvious transaction value."

Updated at 4.37 PDT, April 3, 2013



John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.



  • It depends on how it is implemented

    I have no problem with two-factor authentication so long as it does not require a text message to a cell phone. I don't use text messaging or web services on my cell phone; in fact such applications are blocked. My philosophy is that a phone is for phone calls, and I have no intention of paying extra money for a service I don't need. BTW, I am not a Luddite; I started programming in machine language over 45 years ago and am not scared of technology. It is a matter of economics.
    • Oh no, another $7.00/month "Service"!

      Right you are, oldnuke69. Two-factor authentication is one thing. A new round of internet startups trying to start another perpetual leak in my wallet is entirely another.
    • agreed

      Not only is there a cost with using a cell phone for authentication, but there are also privacy issues. I don't want that many people to have my cell phone number.
    • And what if you don't have a cell phone?

      There are actually still some people out there who don't, for whatever reason.
      • CaviarGreen .. very good point

        ..until Xmas last year, I hadn't had an active mobile for two years. I'm in the group who believes strongly that the EMR exposure is a mid-long term health hazard. I was nagged by family into getting one so they could keep in contact with me; but for the reason of family I'd still be without one.

        This is the problem with IT folk: many's a time they exclude common-sense considerations when 'talking up', let alone thinking up, new tech'. Why assume, because there's some technology you use or don't use, that it precludes another aspect or point of view from the R&D argument?

        The very real considerations for moving ahead, design- and implementation-wise, have to take into consideration (as you rightly point out) those that choose not to use a cellphone. The numbers might fall in only a few thousand per country, but as any systems design person should know, all possible considerations regarding use-cases have to be considered. The 'few thousand', granted, may be a very small subset of any given population, but they still need factoring into any systems analysis done leading into a full-blown project to get two-factor authentication into the mainstream.

        ...but I bet oldnuke knew that. ;P
      • works with landline phones too

        Google's two-factor authentication can call any phone number and have an automated voice recite the secret number.

        Works great.

        I have my home landline number registered with my Google account, and got authentication calls there when I got a new cellphone (texts were going to my old cellphone, and I had to log in in order to change the settings to send texts to the new phone...!).
  • I do some limited security for web...

    Trust me when I say that some of it is about as airtight as a screen door. Further, what was once considered very good is pointless as computers get more powerful. Now what if you were a crook and wanted to set up some multiple of computers: 10, 100, 1000... The wait for making today's security look stupid just stepped it up to now. For < $1 million you could get 3 thousand computer-years of cracking security every year.

    Also if someone programmed it, someone can crack it.
    • Not quite understanding the scale needed for brute force.

      "For < $1 million you could get 3 thousand computer-years of cracking security every year."

      Okay, so you've got 3000 grains of sand. Less than a cubic centimeter, and you're trying to move the entire beach.

      "Also if someone programmed it, someone can crack it."

      Please do demonstrate for me the person that cracked 256-bit AES encryption.
  • implementation - some have it right, and some do not

    Google insists on text messages, and if I do not have text enabled - or if I prefer to tie my account to my ground phone number - tough luck.

    Chase, on the other hand, gives me a choice of text or voice (they will make an actual call, and I will pick up the phone, and hear the number).

    Guess whose implementation is more user friendly?
    • finally someone who's got a clue

      .. convenience and ease of use, for the end-user, always trumps flashier or more widespread technology.

      I'll also add, another key design factor, as I've already spoken of in another comment, is to consider all use-case scenarios .. for example, what of those who don't have or don't want a cellphone? A systems design that doesn't account for that would go dodo if, hypothetically, let's say, the CEO of a large corporation has to access his cellphone .. let's say he left it on a table at Starbucks during lunch (and someone swipes it), and worse still, he needs it to access some vital, sensitive business info' directly after in a board meeting. In that scenario alone, for whatever reason, the phone interaction part of the equation is gone ... what then?

      Your point of contention and mine are equally valid systems design considerations ... let's hope the folk designing & later implementing the proposed systems don't overlook these important points.

      Frankly, there's *a lot* of water that needs to pass under the bridge before 2FA is street (..or bridge) ready.

      Good spotting, I score you +10
    • Google can do voice too...

      I've used it with my olde-style landline phone... :]
  • overly optimistic, perhaps.

    "Within a couple of years, two-factor authentication is going to be unilaterally required by online service providers and accepted by users, at least for sensitive transactions, according to Forrester analyst Eve Maler."

    Well, if I've ever learned anything, it's that Forrester has an incredibly poor track history. I don't know why you still use them.

    That being said, I do think that two-factor authentication is coming. Two years may be optimistic, though. Maybe for the largest, most visible sites, but for the entire internet it may take a good ten years.
  • What's the second factor???

    Okay, two-factor authentication sounds like a good idea, but what's the second factor going to be? The only one I see mentioned is a text to your cell phone. But I don't do texting, and texting is blocked on my phone. And lots of folks don't have cell phones. And I travel to places where there is internet but no cell coverage. I check my email etc. on a tablet via wi-fi provided at these places, but the phone has no service. As far as social media, that seems a poor way to get the second factor, given how abysmal the security history of social media sites is.

    In principle, I wouldn't object to using a dongle, if it's cheap enough, except that phones and tablets typically don't have a USB port.

    So what's the second factor going to be for folks who don't have a cell phone or are traveling outside cell coverage areas, and using a device with no port to plug in a dongle?

    The above article blathers on about two-factor, without ever addressing the question of what the second factor is going to be for the very large number of people without cell phones.
  • Second factor choices

    Thanks for a good post, John. At Duo Security, we agree with Eve that multiple factors will become increasingly commonplace. Consumer acceptance is likely to rise in parallel with advances in flexibility mentioned by thx-1138 and others. There are solutions today that offer flexibility. The two-factor authentication options offered by Duo Security provide choices beyond the historical models. In addition to smartphones, we offer passcodes, SMS, phone calls and even tokens. Check us out.