2-factor authentication

 
kri shan
What is best way to implement 2-factor authentication for Enterprise apps ?
 
Henry Wong

kri shan wrote: What is the best way to implement 2-factor authentication for Enterprise apps?

In my opinion, as a user, I like the mobile phone the best. This could be either via a smart app or even by texting. The reason I like the mobile the best is because there is a higher chance that someone would actually carry their mobile phone versus some sort of key fob.

Henry
 
Junilu Lacar
Mobile phone as 2FA can certainly be convenient but I don't know if it's the best. If you're worried about security then there's a balance you have to strike between convenience, the risk of losing control of the authentication factor (dispossession), and the risk of making it difficult or impossible for an authentic user to access the resource (denial/loss of service).

With the mobile phone/device, you need to have connectivity. If you're in a place where it's not possible or difficult to get mobile service, then you essentially are not in possession of the 2nd factor you need to authenticate. Or your cell phone may simply have been dropped in the toilet and is on the fritz. Also, what if someone steals your phone?

I think in the end, you have to weigh your options and carefully evaluate how much risk you're willing or can afford to assume for the sake of convenience. I think there are many who still don't even activate 2FA for services like GMail because they're not willing to give up the convenience that just having 1FA gives them. That's probably because many people don't feel they have much to lose even if their email account gets compromised. At worst it will be a little inconvenient for a few days. If the email account has sensitive information, however, I'm sure it's more likely that 2FA is activated on that account. It's even more likely to be the case to have 2FA or MFA (multi-factor authentication) if we're talking about resources like bank accounts, or documents that have implications on a nation's security, or a company's competitive advantage.
 
Henry Wong

Junilu Lacar wrote: I think there are many who still don't even activate 2FA for services like GMail because they're not willing to give up the convenience that just having 1FA gives them.

I use two-factor authentication on gmail, and honestly, it is not inconvenient at all. For private computers, such as home or work, it only needs to be done once. If you say that the computer is safe, then the computer itself becomes one of the factors of authentication -- meaning someone has to break into your house (and know your passwords) in order to use the account.

It would probably be inconvenient for public computers, such as in an internet cafe, but I don't use those.

Junilu Lacar wrote: That's probably because many people don't feel they have much to lose even if their email account gets compromised. At worst it will be a little inconvenient for a few days.

I don't think that it is as simple as just comparing the value of the data versus convenience. I had my yahoo account broken into many years ago. It didn't have any sensitive information (or at least, I don't think so). And it was only a little inconvenient for a few days... just like you described.

On the other hand, I also felt a little bit violated. I felt embarrassed that all of my friends got spammed. I became a little bit paranoid, and changed the passwords to something that I could not easily remember (and annoying to use) -- and changed it more often. Etc.

Henry
 
Jeanne Boyarsky

Junilu Lacar wrote: With the mobile phone/device, you need to have connectivity. If you're in a place where it's not possible or difficult to get mobile service, then you essentially are not in possession of the 2nd factor you need to authenticate.

My first choice is the Google Authenticator app on my iPad. It doesn't require internet connectivity to work.

Junilu Lacar wrote: Or your cell phone may simply have been dropped in the toilet and is on the fritz. Also, what if someone steals your phone?

I have backup codes for gmail. For others, it could be a problem.
 
Henry Wong
Jeanne Boyarsky wrote:
  Junilu Lacar wrote: Or your cell phone may simply have been dropped in the toilet and is on the fritz. Also, what if someone steals your phone?

  I have backup codes for gmail. For others, it could be a problem.

It is a problem in terms of inconvenience. It is *not* a problem in terms of security. Whoever stole your phone will still need the phone's passwords to get to the key fob. And even if the key fob is accessible, it is only the second factor of the authentication. They will have to start trying to break the first factor of the authentication.

Now, you can argue that the thieves could have broken the first factor before stealing your phone -- which arguably makes texting better than a key fob app, even though connectivity is needed... but this scenario is getting really far-fetched.

Anyway, assuming they need to break the first factor, this should give you plenty of time to contact your bank (or whatever organization the authentication is protecting) to disable and reset everything.

Henry
 
Junilu Lacar
There are a lot of things that can happen when your phone gets stolen. If you are a fairly paranoid user, you probably have a screen lock in place. You probably have some kind of anti-virus app running and other software-based security measures. However, since the thief has physical possession of the phone, he can get to your SIM card. He can get to your memory card, if your phone is equipped with one. Mine is. All it would take to break security and access the photos on my memory card is popping it out, putting it in an adapter, and plugging that into a regular PC. Now, since I don't have any compromising pictures on my phone, I don't worry too much about this. But what if you did? What if you stored sensitive documents on that device and kept them in the removable memory storage instead of the phone's built-in memory? Not good.

Henry Wong wrote: I don't think that it is as simple as just comparing the value of the data versus convenience.

You're right, it's not that simple: Security vs Usability is a major consideration.