People who work with Internet security have for some time advocated the use of “two-factor authentication” instead of a simple password control over access to sensitive or private information. Nobody likes to make things harder than they seem to need to be, however, so adoption of two-factor authentication has been fairly limited. But last week, that may have begun to change, as Microsoft announced that two-factor authentication will be available (though not necessarily required) for all Windows products and services.
- Microsoft rolling out two-factor authentication across its product line (ZDNet/Mary Jo Foley) “Two-factor authentication is aimed at reducing the likelihood of online identity theft, phishing and other scams because the victim’s password would no longer be enough to give a thief access to their information. Apple, PayPal, Google, Facebook and other vendors already have implemented two-factor authentication.”
- Microsoft Account gets more secure (Official Microsoft Blog) “This release enables optional two-step verification for your entire Microsoft account. Two-step verification is when we ask you for two pieces of information anytime you access your account — for example, your password plus a code sent to a phone or email on file as security info. More than a year ago, we began bringing two-step verification for certain critical activities, like editing credit cards and subscriptions at commerce.microsoft.com and xbox.com, or accessing files on another one of your computers through SkyDrive.com. For these scenarios, two-step verification is required 100 percent of the time for everyone, given the sensitive nature of these tasks.”
- Apple ID: Frequently asked questions about two-step verification for Apple ID (Apple Support) “Two-step verification simplifies and strengthens the security of your account. After you turn it on, there will be no way for anyone to access and manage your account at My Apple ID other than by using your password, verification codes sent to your trusted devices, or your Recovery Key.”
- AP Twitter hack sends stock market spinning (New York Magazine/Kevin Roose) “In my opinion, there is really only one lesson from this afternoon’s flash-crash: namely, Twitter needs multi-step authentication for verified and/or news-breaking accounts now. Twitter has gotten calls for stronger security measures for years, and it’s always been pretty reluctant to promise anything. (Last year, the company would say only, ‘We’ve certainly explored two-factor authentication among other security measures, and we continue to introduce features, such as https, to help users keep their accounts secure.’) But after today’s data point, it can’t wait any longer.”
Good two-factor authentication combines a Knowledge Factor (something the user knows) with a Possession Factor (something the user has).