Two-factor authentication in two years

Two-factor authentication requirements will be accepted by websites and end users at least to aid sensitive transactions, an analyst has predicted.
Written by John Fontana, Contributor

Within a couple of years, two-factor authentication is going to be unilaterally required by online service providers and accepted by users, at least for sensitive transactions, according to Forrester analyst Eve Maler.

Maler's prediction comes in the wake of breaches over the past 14 months that are exposing the underlying weakness of passwords.

"With the greater experience of banks starting to introduce [two-factor authentication] in a minimal way, and the greater experience of password breaches forcing people to undergo some pain, I think we are going to experience a sea change in strong authentication that consumer users will encounter for ordinary online interactions," said Maler.

"I see it the same way social logins became a federated single sign-on pattern we thought consumers would never go for," she said. In that case, many consumers have accepted using their Facebook, Twitter, or other credential to log in to other sites, for example games connected to Facebook or analytic applications connected with Twitter. Some enterprises have also adopted social logins as a low-level credential for initially authenticating users, most notably Bechtel and Boeing.

Maler acknowledged that adoption of two-factor authentication is not burning through the end-user population.

Sites such as Apple, Evernote, Amazon Web Services, PayPal, and Dropbox have recently made news by instituting a two-factor authentication option for their users. Sites like Google and Yahoo have offered it for some time. Adoption numbers, generally, have been perceived to be low, given usability issues and end-user indifference to security.

"The US market is less tolerant of that kind of friction than a lot of the other markets around the world where it is par for the course," said Maler.

Google uses a technique it calls two-step verification (2sv), a credential followed by a six-digit verification code delivered by various means. Publicly, Google will only say it has been adopted by millions of its users (PDF). But even 10 million users would be a single-digit percentage of users across its apps and social sites. The company claims its deployment is among the largest two-factor authentication deployments in the world.

Maler doesn't suggest that two-factor authentication is the solution to all authentication problems or should be used in all cases, but she said that recent real-world breaches and process for password resets show that these exercises are not the most pleasant experiences.

"So I am sticking my neck out and making a prediction for more tolerance of adding a factor here and there, at least at some times — say, when you are not on a trusted device," she said.

But she does think that while there will be some security gains, there will also be some conveniences lost — most notably something she calls "consensual impersonation". (More on her blog post).

Maler said that is when you share your credentials with another person, so that person can do stuff in your account as though they were you.

Maler admit some people are beginning to see these password breaches like a hard-drive crash — it happens. End users and even security pros can get desensitized.

"I think the turning point will happen when we see someone turn on two-factor unilaterally to protect some resource," she said. "Perhaps it's a bank at first where there is obvious transaction value."

Updated at 4.37 PDT, April 3, 2013

Editorial standards