Two factor authentication services for personal accounts?

LonghornSecurty

Junior Member
Apr 3, 2014
Hi AnandTech, I am a student at the University of Texas working on a project studying the market for two factor authentication services.

It seems like two factor authentication could solve many current security problems; however, people don't use it because it is cumbersome. I made a survey to find out more about who uses two factor authentication services and why or why not.

If you can help me out with the survey, I would be very appreciative.

Here is the link: https://utexas.qualtrics.com/SE/?SID=SV_71HkkeMVp7iCLf7

Thanks again!

:awe:
 

John Connor

Lifer
Nov 30, 2012
Just took the survey and there were two questions which were multiple choice I couldn't click. Could be due to my security add-ons in Pale Moon.
 

nickbits

Diamond Member
Mar 10, 2008
Just took the survey and there were two questions which were multiple choice I couldn't click. Could be due to my security add-ons in Pale Moon.

I think you were supposed to drag and drop the rows into order. That's what worked for me anyway.
 

seepy83

Platinum Member
Nov 12, 2003
I'm not sure what two factor auth. is. Is that like my bank where I enter a user name, then a secret question then a password? The encryption changes from AES to RC4.

Edit- looks like it's called multi factor Auth. http://en.wikipedia.org/wiki/Two_factor_authentication

So my bank does do this!

A password and then the answer to a secret question are both "something the user knows", so it's not really a traditional 2-factor authentication scheme. Password and secret answer is basically "password and password".

Examples of two factor would be:
"Something you know" (password) and "Something you have" (smartcard, token, etc)
"Something you know" and "Something you are" (biometrics)
"Something you have" and "Something you are"

More recently, there are systems that can also use "somewhere you are" (geographic location)...at least according to (ISC)^2 when I took the CISSP exam a couple of years ago. I don't know how frequently this is implemented, and I assume it has only been used (up until now) by very high-security organizations. When I was studying this, they were literally talking about systems that checked the location via GPS of a user attempting to authenticate. (In other words... "if you are physically located within these boundaries (country, state, city, office park, whatever), then you can authenticate...if you're somewhere else, you're not getting in even if you know everything else required to authenticate".)
 
Last edited:
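The factor counting described in the post above, as an added example that is not part of the original thread: it shows why password plus secret question is still one factor, and treats a location inside an authorized zone as "somewhere you are". The credential names, the zone and the coordinates are constructed assumptions, and the reported location is assumed to be trustworthy.

```python
import math

# Factor categories as listed in the post; the credential names are assumptions.
CATEGORY = {
    "password": "something you know",
    "secret_question": "something you know",
    "smartcard": "something you have",
    "token": "something you have",
    "fingerprint": "something you are",
}

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def factors_presented(verified, location=None, allowed_zone=None):
    """Return the distinct factor categories in one login attempt.

    verified: names of credentials that already passed verification
              (an unknown name raises KeyError, so the check fails closed).
    location: (lat, lon) reported for the user, or None.
    allowed_zone: (lat, lon, radius_km) geofence, or None.
    """
    cats = {CATEGORY[c] for c in verified}
    if location and allowed_zone:
        lat, lon, radius = allowed_zone
        if haversine_km(location[0], location[1], lat, lon) <= radius:
            cats.add("somewhere you are")
    return cats

def is_two_factor(verified, location=None, allowed_zone=None):
    """True only when at least two different categories are present."""
    return len(factors_presented(verified, location, allowed_zone)) >= 2

# Constructed sample values: a 50 km zone around Austin, TX.
AUSTIN_ZONE = (30.2672, -97.7431, 50.0)
ON_CAMPUS = (30.2849, -97.7341)   # roughly 2 km from the zone centre
LONDON = (51.5074, -0.1278)

if __name__ == "__main__":
    print(is_two_factor(["password", "secret_question"]))       # one category
    print(is_two_factor(["password", "token"]))                 # two categories
    print(is_two_factor(["password"], ON_CAMPUS, AUSTIN_ZONE))  # inside the zone
    print(is_two_factor(["password"], LONDON, AUSTIN_ZONE))     # outside the zone
```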

John Connor

Lifer
Nov 30, 2012
Facebook is like that. I had my VPN on that was out of the UK and I forgot, tried to log into Facebook and I couldn't. Had to do some confirmation crap for Facebook to log me in. But changing IP addresses based in the U.S. doesn't affect it.
 

LonghornSecurty

Junior Member
Apr 3, 2014
Thanks everyone for the great replies to the thread and taking the survey.

@John Connor: I am sorry that the "reorder the list" question wasn't clear. We can look into that for any follow-up surveys that we perform using the Qualtrics utility.

@seepy83
Thanks for clearing up the multifactor-authentication definition. One of the developments in the market that has been really interesting is the move to "somewhere you are", which (as far as I am aware) is just a clever repackaging of "something you have" using a device with geolocation.

Thanks again for taking the survey and helping out!
 

seepy83

Platinum Member
Nov 12, 2003
One of the developments in the market that has been really interesting is the move to "somewhere you are", which (as far as I am aware) is just a clever repackaging of "something you have" using a device with geolocation.

It's not a repackaging of "something you have", like a smartcard, token, key fob, etc. You can "have" a device that reports your location to the authentication service, but if you aren't in an authorized location then you cannot authenticate. It's a completely different factor than something you have.
 

LonghornSecurty

Junior Member
Apr 3, 2014
It's not a repackaging of "something you have", like a smartcard, token, key fob, etc. You can "have" a device that reports your location to the authentication service, but if you aren't in an authorized location then you cannot authenticate. It's a completely different factor than something you have.

Gotcha. Thanks for clearing that up!
 

Fardringle

Diamond Member
Oct 23, 2000
For the slider bar question, do you want to know how severe (important) we consider the types of breaches to be, or how likely we think they are to happen?

For example, a bank breach or identity theft are the most severe, but also the least likely to happen to me (because I pay more attention to them). I don't really care a whole lot about losing my email/social media accounts, so I don't use nearly as much security with them and they are therefore more vulnerable to attack.
 

LonghornSecurty

Junior Member
Apr 3, 2014
For the slider bar question, do you want to know how severe (important) we consider the types of breaches to be, or how likely we think they are to happen?

For example, a bank breach or identity theft are the most severe, but also the least likely to happen to me (because I pay more attention to them). I don't really care a whole lot about losing my email/social media accounts, so I don't use nearly as much security with them and they are therefore more vulnerable to attack.

Thanks for the interest, Fardringle. That question is asking how concerned you are that it will happen to you. If you don't mind, just focus on the risk associated with the account and not the severity of the breach affecting your life.

That is a great point, though; it hadn't occurred to me to include a question to identify how attached to different personal accounts people might be. Thanks for the feedback!