In a presentation at this year's RSA Conference, taking place in San Francisco this week, Dr L Jean Camp, a professor at Indiana University Bloomington in the US, and her doctoral candidate Sanchari Das, detailed their research into why people aren't using Yubico security keys or Google’s hardware tokens for multi-factor authentication (MFA).
For those who don't know: typically, you use these gadgets to add an extra layer of security when logging into a system. You enter your username and password as usual, then plug the USB-based key into your computer and tap its button. The service you're logging into checks that the username and password are correct and that the physical key is valid and tied to your account before letting you in. Under the hood, the key proves this by signing a one-time challenge from the service with a private key that never leaves the device, and the service verifies that signature against the public key it recorded when you enrolled the key.
That means a crook has to know your username and password, and be holding your physical key, to log in as you; because the key's signature is bound to the site that requested it, a phishing page that steals your password still can't complete the login. We highly recommend you investigate activating MFA on your online accounts, particularly important ones such as your webmail.
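The login flow described above, as an added example that is not from the article and not Yubico's or Google's code (Go, standard library only). The token is modelled as a P-256 key pair plus a Tap method; the service is a relying party that checks the password, issues a single-use random challenge, and verifies the key's signature against the public key registered to the account. The signed message follows the U2F layout, SHA-256(appID) || presence flag || SHA-256(challenge), which is what makes the signature useless to a phishing site. The account "alice", the relying-party URL https://webmail.example, the look-alike https://webmai1.example and the key handle "key-1" are constructed for the demo; the password hash is a placeholder for a real KDF.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// SecurityKey stands in for the USB token: a private key that never leaves it (demo code, not any vendor's firmware; crypto/rand errors are ignored for brevity).
type SecurityKey struct{ priv *ecdsa.PrivateKey }
func NewSecurityKey() *SecurityKey {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &SecurityKey{priv}
}

// authDigest is what the key signs: SHA-256(appID) || presence flag || SHA-256(challenge), hashed
// for ECDSA. The browser, not the page, supplies appID, so a phishing site gets a useless signature.
func authDigest(appID string, challenge []byte) []byte {
	app, chal := sha256.Sum256([]byte(appID)), sha256.Sum256(challenge)
	d := sha256.Sum256(append(append(app[:], 0x01), chal[:]...))
	return d[:]
}

// Tap is the button press: sign the challenge for the site that sent it.
func (k *SecurityKey) Tap(appID string, challenge []byte) []byte {
	sig, _ := ecdsa.SignASN1(rand.Reader, k.priv, authDigest(appID, challenge))
	return sig
}

// Server is the relying party, the thing you are logging into.
type Server struct {
	appID    string
	accounts map[string]*account
	pending  map[string][]byte // user -> outstanding challenge, single use
}
type account struct {
	salt, pwHash []byte
	keys         map[string]*ecdsa.PublicKey // key handle -> public key tied to this account
}
// hashPassword is a salted SHA-256 placeholder; real code uses argon2id or bcrypt.
func hashPassword(salt []byte, pw string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), pw...))
	return h[:]
}
// BeginLogin is the first factor: check the password, then issue a fresh random challenge.
func (s *Server) BeginLogin(user, pw string) ([]byte, error) {
	acct, ok := s.accounts[user]
	if !ok || subtle.ConstantTimeCompare(hashPassword(acct.salt, pw), acct.pwHash) != 1 {
		return nil, errors.New("bad username or password")
	}
	challenge := make([]byte, 32)
	rand.Read(challenge)
	s.pending[user] = challenge
	return challenge, nil
}
// FinishLogin is the second factor: a signature by a key registered to this account, over this user's outstanding challenge, for this site's appID.
func (s *Server) FinishLogin(user, handle string, sig []byte) error {
	challenge, ok := s.pending[user]
	if !ok {
		return errors.New("no login in progress")
	}
	delete(s.pending, user) // consumed: a captured signature cannot be replayed
	pub, ok := s.accounts[user].keys[handle]
	if !ok || !ecdsa.VerifyASN1(pub, authDigest(s.appID, challenge), sig) {
		return errors.New("key not registered to this account, or bad signature")
	}
	return nil
}

// Demo walks the flow for a constructed account "alice" at a hypothetical relying party.
func Demo() map[string]bool {
	key, pw, salt := NewSecurityKey(), "correct horse battery", make([]byte, 16)
	rand.Read(salt)
	srv := &Server{"https://webmail.example", map[string]*account{}, map[string][]byte{}}
	srv.accounts["alice"] = &account{salt, hashPassword(salt, pw), map[string]*ecdsa.PublicKey{"key-1": &key.priv.PublicKey}}
	res := map[string]bool{}
	_, err := srv.BeginLogin("alice", "qwerty123")
	res["wrong_password_rejected"] = err != nil
	chal, _ := srv.BeginLogin("alice", pw)
	sig := key.Tap(srv.appID, chal)
	res["login_ok"] = srv.FinishLogin("alice", "key-1", sig) == nil
	res["replay_rejected"] = srv.FinishLogin("alice", "key-1", sig) != nil
	chal, _ = srv.BeginLogin("alice", pw) // attacker knows the password but holds a different key
	res["foreign_key_rejected"] = srv.FinishLogin("alice", "key-1", NewSecurityKey().Tap(srv.appID, chal)) != nil
	chal, _ = srv.BeginLogin("alice", pw) // phishing page relays the real challenge under its own origin
	res["phish_rejected"] = srv.FinishLogin("alice", "key-1", key.Tap("https://webmai1.example", chal)) != nil
	return res
}

func main() {
	for name, ok := range Demo() {
		fmt.Printf("%-24s %v\n", name, ok)
	}
}
```

Running it prints five checks, all true: the password alone is refused, a correct tap logs in, the captured signature cannot be replayed because the challenge is consumed, a second key that is not enrolled on the account is refused even with the right password, and a signature made for a look-alike origin is refused. A production relying party would additionally check the key's signature counter to detect clones and use a slow password hash; both are left out here to keep the flow readable.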
What the pair found during their research upends the common assumption that low MFA uptake is because people are stupid or can't use the technology. What it comes down to is education and communicating risk.
(Score: 2, Troll) by Rosco P. Coltrane on Thursday March 07 2019, @06:01AM (9 children)
People don't like two-factor auth because they're lazy. They already have a hard time remembering something more complex than "qwerty123", and don't want to have to use a physical device on top of that. Remembering something AND moving their fingers? Too much work...
(Score: 1, Interesting) by Anonymous Coward on Thursday March 07 2019, @07:17AM
No, it is more a matter of trying to enforce real identity logons, as Facebook has been trying to do. Once who you are on the internets is who you really are, well, Runaway is toast, for one. And several others, of the far-right extreme libertariantard persuasion, who claim to value their privacy.
(Score: 2) by c0lo on Thursday March 07 2019, @08:44AM (1 child)
Or maybe those who implement them are too lazy to do it right [soylentnews.org]
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 0) by Anonymous Coward on Friday March 08 2019, @08:59PM
and many of them are just thinly veiled data mining operations. fuck them.
(Score: 3, Insightful) by PiMuNu on Thursday March 07 2019, @09:38AM (4 children)
Two reasons:
* Just plug in this dongle from $CORPORATE_OVERLORDS.
* while $N > 0: plug in dongle from ; $N++;
(Score: 2) by FatPhil on Thursday March 07 2019, @02:59PM (2 children)
In the past, banks would let you use either their in-house 2-factor security (I use an RSA-style PIN generator, but mobile phone-based ones are available for those with the right phones), or the official governmental ID card. The logic being that if it's secure enough for the government to trust you to submit tax returns and sign company accounts, it's secure enough to do banking operations.
However, in a bold step forward, the government has said that they would now let you use either their in-house 2-factor security - the aforementioned national ID card - or an approved bank's authentication mechanism (PIN generator or mobile-id) for authentication/identification purposes (alas not for signing). The logic being that if it's secure enough to permit the emptying of bank accounts, it's secure enough to fill in tax returns.
The bloody ID card doesn't work on my computer (fuck Java!), so I always had to go round to other people's places (typically the local pub!) to do official governmental business, but now I can use my bank fob I'm freed from that palaver.
Anyway, I've gone from needing two "things you have" to one thing you have, and I can choose which one I want to have with me at any time.
All online stores here have historically accepted either bank or governmental authentication, so it's true for almost anyone doing anything - nobody needs more than one "thing" any more. (Most use mobile-id on their phone, I believe.)
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 3, Interesting) by PiMuNu on Thursday March 07 2019, @04:17PM (1 child)
Interesting, they tried such a thing in the UK, but the implementation is so terrible that no one (including government departments) wants to use it...
(Score: 3, Interesting) by FatPhil on Friday March 08 2019, @12:45PM
People sometimes ask me why I left the UK 2 decades ago - it's because I saw the future.
(Score: 2) by PiMuNu on Thursday March 07 2019, @04:14PM
Should have read Just plug in this dongle from $CORPORATE_OVERLORDS. I used angle brackets!
(Score: 0) by Anonymous Coward on Friday March 08 2019, @12:44AM
People don't like 2FA because they only have to lose their dongle and they have effectively locked themselves out of everything. Oh I know you are supposed to double down and buy TWO 2FA tokens and drop one in a safe so that can't happen. Until it does. I used 2FA with the Authy phone app and then my phone died. While I waited for my new phone, I was locked out. I couldn't install the app and activate it on my tablet because it NEEDED THE FUCKING PHONE to send me a verification SMS message. Since I didn't have a spare phone just lying around to swap out my SIM, I was screwed.