This is a transcript of 2Factor authentication, what it is and how it works.

Speaker Key: PB: Phil Brown, DW: David Whelan

PB:  Hi, it's Phil Brown and I'm here with David Whelan. Today we are going to talk about 2Factor ID and OpenID.

DW:  2Factor ID is something you are already familiar with if you use a bank card and ATM. 2Factor requires you to have two things to present to authenticate yourself as being the owner of an account. In the case of a bank, these are usually a card and a PIN. You put the card in the machine, you type the PIN into the machine, 2Factor authenticates you and you are ready to go. If you do not have one of those pieces, you cannot go forward. We are starting to see more and more 2Factor authentication available on the web and it is making it safer, in most cases, to protect your accounts if you can turn on 2Factor authentication on your online services.

PB:  Right. The reason is because passwords alone will not protect you.

DW:  Right.

PB:  After you put in your password remotely for your email system or Dropbox (if you happen to be using that) it then comes back to you and says, "Okay, that's great. We're going to send you a number or you're going to have access to another number, which you're then going to have to put in, and then we'll let you into that account."

DW:  It gets you past the issue of: Do you have strong passwords or not? A lot of people still do not have strong passwords - they are using weak passwords. But even if you are using strong passwords and password managers and all that good stuff, 2Factor authentication gives you a little bit more protection in case either that password is divulged or discovered through a brute force attack or something along those lines, or worse, what has happened to a number of people - prominent journalists - where they were socially engineered. Not the journalist or the person who owned the account themselves, but the people who worked for the customer service for the particular web service. Someone calls in and says they have lost their account, and they are able to answer enough questions based on information from the web that they are able to get past that password block by itself. 2Factor authentication would then send out a request or a notification saying, "We need this extra piece of information," and that person wouldn't have it.

PB:  Right, and a strong password is a password that has lower case and upper case letters, numbers, symbols, spaces, things like that.

DW:  That's right. No one from your family, no children's songs.

PB:  No birth dates - that sort of thing. Even a strong password is potentially vulnerable to a so-called brute force attack, where someone is just, basically, plugged into your device or your system and is letting a computer run all the permutations and combinations of passwords.

DW:  Right. 2Factor authentication is still optional in many places. I do not know any sites that are actually requiring it that are typical consumer sites, but you will see it - you can turn it on for Google and Facebook and things like that. You can get a list of people who offer 2Factor authentication at That's T W O S T E P A U T, and that will give you a list of who has it and how they have implemented it.

PB:  Right. Just as an example, a lot of things that lawyers and paralegals might use, like Evernote, LinkedIn, Dropbox, Facebook, and things like that - they all have 2Factor authentication.

DW:  So how do you get two step or 2Factor authentication on the web? It is actually not that tricky, but it usually requires you to have a mobile phone. What happens is that you log in, and the mobile phone will receive a text with the second piece of information that you need to type in. Now, if you are a cheapskate like me, and I do not have a really good cell phone plan or cell phone coverage - and sometimes you just aren't in a place where you have that kind of coverage - you can have that code generated for you by downloading an app when you're on the web and then using it when you are offline. It will then generate the code that you need so that you can plug that code in, regardless of whether you have cell phone access, or in fact, your mobile phone with you.

PB:  So if you lose your mobile phone you are not lost completely.

DW:  Exactly.

PB:  You will still be able to get into all of your accounts by either getting on the web or using one of these offline tools.

DW:  Right. The free Google Authenticator works on most platforms, but you can find other ones. I think you use Authy, is it?

PB:  Authy, yes, and they are even available, as David says, across platforms. You can use them (usually the same app) for Blackberry, Android and Apple. They are quite versatile and very simple-to-use apps.

DW:  I think the use of these sorts of authentications is the next progression. We obviously had passwords in order to protect our accounts, then we went to strong passwords, which are now starting to be broken. I think the 2Factor authentication is the next step: if you are putting client files in the Cloud or emailing them, or storing them in your online email, having 2Factor authentication is a sensible extra precaution that does not cost you anything except a couple of extra minutes, maybe, as you authenticate in and out of your accounts.

PB:  And a number of these authentications will default to a paper list of codes as well. I know Gmail gives you that option - once you sign in to 2Factor authentication, it will generate a list of ten codes that you can just fold and put in your wallet and use them any time. If you do not have access to your app at the time, or you do not have access to your phone at the time, you still have a paper back-up list and can use each one of these ten codes once and be able to use your 2Factor authentication.

DW:  That's great because it is just like the bank idea, then. You have this paper thing and the password in your head, and you put them together to get access to your account.

PB:  Right.

DW:  Social login is the other part of how you can manage your accounts online. 2Factor authentication allows you to get in and out of your accounts, but sometimes you may not want to create a user name and password for every website you go to. In part, that just means more passwords for you to manage and to be aware of, but also some of the sites you are using may not be as rigorous at protecting your information - your user name and password - as you would expect. One of the ways you can get around that is to use websites that use the social log-in, often called OpenID, which is a version of the social login. Instead of creating a user name and password there, you reuse a secure and potentially, a two-step or 2Factor authentication service in order to get access to multiple websites.

PB:  OpenID has been around a long time, and usually people just kind of ignore it when it pops up. You will notice sometimes that if you are signing into a website, it will say on the side, "Hey, do you want to sign in with your Google password or your Yahoo! password?" That is an example of OpenID.

DW:  It means that if you trust the person or the company that has that social login or that OpenID to protect your user name and password, it makes it a much easier process to then reuse it over multiple websites. Of course, if you want to, when you grant access or sign in with that user name and password typically it is logging that information in your original account. So say I log in with my account into another website. When I go back to my account it will show who I have authorized or who I have got a login with, and I can terminate that access, or terminate that connection whenever I want to.

PB:  Right, and OpenID is open source-based software. Problems with that, or no?

DW:  Not really, so long as the provider who is providing the OpenID database is someone you would trust. The fact that the software itself is open source is not insecure, but if, I mean, I could open up Dave's Passwords N' Stuff and run my own OpenID server. I do not know that I would feel comfortable as a lawyer using someone who is so fly-by-night as David's Passwords N' Stuff. So I think if you are going to use OpenID, either use a provider like Google or someone large, or make sure you really understand who is behind the security for that OpenID account.

PB:  Right, because everyone trusts Google.

DW:  Absolutely.

PB:  I will say this: OpenID is huge. There are over 50,000 sites, apparently, that use OpenID. It is something you stumble across every day and it is almost invisible to most people.

DW:  Right. The social login, I think, has really changed how people use multiple websites. I notice it really only when the social login only asks for, say, Facebook, and I am not going to use my Facebook account to log in there, so I really only notice it when my social login is not part of the list.

PB:  Right. So that is our look at 2Factor ID authentication and OpenID. Thanks very much, David.

DW:  Thanks, Phil.
