Security versus access – the balance between usability and security.

On a recent morning I logged into my online bank account and noticed the following message:

Beginning Nov. 2, we will no longer support the delivery of Secure Access Codes to email addresses. You can still have Secure Access Codes delivered by phone call or SMS/text message, just as you can today. To update Secure Access Code delivery locations go to Settings > Security Preferences.

In plain terms, that means the bank would no longer email the secure codes used to access an account. Why? Because that code is typically sent when a new computer logs onto the account. So, if someone has stolen a device, and that device has the email account saved and logging in automatically, then having the code sent to your email leaves your bank account (or credit card, retirement account, line of credit, etc.) exposed. In short order, a thief can take ownership of your account and do with it what they will.

Two Factor Authentication

To help reduce this risk, when you log in from a new computer (or one the system thinks is new), a code is sent to a separate device, which adds another “factor” to the login process – hence the name, “Two-Factor Authentication.” The idea is that, hopefully, the other device hasn’t been stolen (or hacked into) as well, or is at least locked with a separate set of credentials. In the ever-changing world of security, this second factor is a pretty good idea, and it has saved people’s data, and even bank accounts. That said, there are, of course, problems.
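To make the mechanism concrete, here is a small server-side model of the flow described above: a known device logs in directly, an unknown device triggers a short one-time code that is delivered out of band, and the code only works once, for a few minutes, from the device that requested it, and for a limited number of guesses. This is an added example written for this page, not the bank’s system or any library’s API; the `SecondFactorStore` class, the in-memory tables, the five-minute lifetime and the three-attempt cap are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy values (not from the original post): a short lifetime and a
# small guess budget are what make a six-digit code safe against guessing.
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 3


class SecondFactorStore:
    """Hypothetical in-memory state for one-time access codes (constructed for this example)."""

    def __init__(self, now=time.time):
        self.now = now                 # injectable clock so expiry can be tested
        self.known_devices = {}        # user -> set of device ids already trusted
        self.pending = {}              # user -> {"code_hash", "expires", "attempts", "device"}

    @staticmethod
    def _hash(code):
        # Store only a hash so a dump of server state does not reveal live codes.
        return hashlib.sha256(code.encode("ascii")).digest()

    def login(self, user, device_id, send_code):
        """First factor already passed. Returns 'ok' for a trusted device,
        or 'code_sent' after issuing a code via the out-of-band channel
        (send_code stands in for the SMS/phone-call delivery)."""
        if device_id in self.known_devices.get(user, set()):
            return "ok"
        code = f"{secrets.randbelow(10**6):06d}"   # cryptographically random, zero-padded
        self.pending[user] = {
            "code_hash": self._hash(code),
            "expires": self.now() + CODE_TTL_SECONDS,
            "attempts": 0,
            "device": device_id,       # bind the code to the device that triggered it
        }
        send_code(user, code)
        return "code_sent"

    def verify(self, user, device_id, submitted):
        """Check a submitted code. Any terminal outcome discards the pending code
        so it can never be replayed."""
        entry = self.pending.get(user)
        if entry is None:
            return "no_pending"
        if self.now() > entry["expires"]:
            del self.pending[user]
            return "expired"
        if entry["device"] != device_id:
            return "device_mismatch"
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self.pending[user]
            return "locked"
        # Constant-time comparison avoids leaking how many bytes matched.
        if not hmac.compare_digest(self._hash(str(submitted)), entry["code_hash"]):
            return "wrong"
        del self.pending[user]
        self.known_devices.setdefault(user, set()).add(device_id)
        return "ok"


if __name__ == "__main__":
    delivered = []
    store = SecondFactorStore()
    print(store.login("alice", "laptop-1", lambda u, c: delivered.append(c)))  # code_sent
    print(store.verify("alice", "laptop-1", delivered[-1]))                     # ok
    print(store.login("alice", "laptop-1", lambda u, c: delivered.append(c)))  # ok, device now trusted
```

The device binding is the part worth noting against the post’s later point: a code accepted from any device is only as strong as the channel it travelled over, whereas a code that must come back from the session that requested it at least cannot be lifted from one place and used from another.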

Reduced Accessibility

In the world of technology, there are basically two driving forces – usefulness and safety. Ultimately safety is intended to improve usefulness, but, especially during the development stages, the two can clash and, when they do, the impact on usefulness can diminish the adoption of the technology. This is especially true of two-factor authentication, which immediately assumes that you actually HAVE two separate devices. Setting aside those who strictly use mobile platforms, there is a whole world full of people who don’t have mobile devices. These groups include the elderly, those with disabilities that preclude the use of mobile devices, new immigrants, and the most socio-economically disadvantaged in society. All of these groups are actually harmed, not helped, by two-factor authentication.

So, when you think it’s just plain annoying to have to wait until a text message appears on your phone, imagine someone who either doesn’t have one, or who can’t physically manipulate one, even if they did.

Options

Those people who are faced with this conundrum do have options – but it takes some preparation, and it tends to decrease the effectiveness of two-factor authentication. The first step is to set up a phone number on a platform that allows SMS messages to be forwarded to email, Google Voice for example. Next, add this number to the online banking setup and use it for the two-factor authentication. Now, when text messages with codes are sent, they arrive via email, just as they always did. It’s not as secure, but, given the choice between using the account and, say, paying for a wheelchair-accessible ride to the bank, this is probably the way to go. Just remember to use an email platform that supports decent security, and a password that doesn’t just use words you can find in the dictionary.

Flawed Logic

Two-factor authentication isn’t perfect, but it is a useful method of decreasing unauthorized access to accounts. Still, it is based on some flawed logic, some of which I have already discussed, but the most obvious one is this: mobile device access. The basic premise of two-factor authentication is that there are two separate devices involved in the process. But, for the majority of young people today, almost all activity is performed on a mobile device, whether it’s making phone calls, sending text messages, watching YouTube videos – or online banking. Since smartphones have a web browser, it is possible to generate the secure code request on the same device that receives the message. If that device doesn’t have a password, PIN or other mechanism to secure it against unauthorized access, or if the SMS messages themselves can be viewed even when the device is otherwise locked, the entire multi-factor authentication mechanism breaks down.

What do I do?

Now that you know there are workarounds, and flaws, you may be asking yourself “what do I do?” As crazy as it may seem, I still believe there are distinct advantages to two-factor authentication. Ultimately, though, you’ll have to decide for yourself, on a case-by-case basis. The world of technology is complicated, and the see-saw between usefulness and security will continue to tip back and forth. Add in devices like smart TVs, network backups, and internet-capable lights and thermostats, and all of a sudden things become much more complicated. When it becomes too much, that’s when it is time to call in an expert for a consult. Find one near you that you can trust on an ongoing basis – because this isn’t going to get any easier, or less confusing, anytime soon.