Two-factor auth and password managers

Happy Monday! Iain Thompson wrote this Register article, subtitled Your daily dose of digital depression:

In a presentation at Usenix’s Enigma 2018 security conference in California, Google software engineer Grzegorz Milka today revealed that, right now, less than 10 per cent of active Google accounts use two-step authentication to lock down their services. He also said only about 12 per cent of Americans have a password manager to protect their accounts, according to a 2016 Pew study.

This isn’t surprising, not in the least. It’s easy to think everyone uses KeePass or 1Password and two-factor auth when you do yourself; I’ll admit I still feel shock when I see people typing their short passwords directly into sites. But that’s the way the world works.

The crux of the issue is here:

Google has tried to make the whole process easier to use, but it seems netizens just can’t handle it.

Authentication can’t be solved by adding layers and hoops for people to jump through. Ditto education, and enforcing arcane password standards. People will invariably choose the path of least resistance, so for as long as something is optional, or more complex, most won’t use it.

SMS two-factor authentication and password managers are billed as solutions, but at best they’re band-aids over a system that clearly, demonstrably, isn’t working.

And then for services like Gmail, there’s the larger point that never, never, never gets made. Sure, you’ve protected yourself from outsiders with all these sophisticated technical measures, but threats against your privacy also originate from inside the building. It’s fine if you trust Google in this case, but the silence on this obvious corollary is palpable.

Ruben Schade is a technical writer and IaaS engineer in Sydney, Australia who refers to himself in the third person in bios. Wait, not BIOS… my brain should be EFI by now.