
SoylentNews is people

posted by chromas on Thursday March 07 2019, @05:40AM

In a presentation at this year's RSA Conference, taking place in San Francisco this week, Dr L Jean Camp, a professor at Indiana University Bloomington in the US, and her doctoral candidate Sanchari Das, detailed their research into why people aren't using Yubico security keys or Google’s hardware tokens for multi-factor authentication (MFA).

For those who don't know: typically, you use these gadgets to provide an extra layer of security when logging into systems. You enter your username and password as usual, then plug the USB-based key into your computer and tap a button to activate it. The thing you're trying to log into checks the username and password are correct, and that the physical key is valid and tied to your account, before letting you in.

That means a crook has to know your username and password, and have your physical key to log in as you. We highly recommend you investigate activating MFA on your online accounts, particularly important ones such as your webmail.

What the pair found during their research work derails any previous assumptions that the lack of MFA uptake is because people are stupid, or can't use the technology. What it comes down to is education and communicating risk.


  • (Score: 4, Insightful) by aristarchus on Thursday March 07 2019, @06:00AM


    A workplace I happen to work at recently extorted us into using this shit. Otherwise, we would not be paid, as they could not know who we actually were. This, to me, exposes a massive lapse of competence on the part of our Administration (believable), or an insidious intent on the part of our Administration (believable, despite Hanlon's razor). So, here we are. To access some things essential to my job, I need the MFA. But for others, seemingly the same, a username and password still suffice. What worries me, is that my employer has the gall to suggest that I link my Personal Cellular Phone number to this dastardly MotherFrackingAuth system. My phone Number? Well, Employer, if that is who you truly are, you already have my phone number on file. Or is it that the "emergency contact" list cannot be released to the FaceBooks and Googles (who by the way have managed to take over our email system. What kind of pathetic organization (university) cannot manage its own email server?), because of Laws and "reasons"?

    I am a 97 year old woman on Facebook. My birthday is April first! You would think they could figure out that I am a 2400 year old Greek philosopher, without having to have my actual cell phone number, which, by the way, is (800)367-867-5309. Call me, telemarketers! I would love to hear from you!
