Stories
Slash Boxes
Comments

SoylentNews is people

posted by chromas on Thursday March 07 2019, @05:40AM   Printer-friendly

In a presentation at this year's RSA Conference, taking place in San Francisco this week, Dr L Jean Camp, a professor at Indiana University Bloomington in the US, and her doctoral candidate Sanchari Das, detailed their research into why people aren't using Yubico security keys or Google’s hardware tokens for multi-factor authentication (MFA).

For those who don't know: typically, you use these gadgets to provide an extra layer of security when logging into systems. You enter your username and password as usual, then plug the USB-based key into your computer and tap a button to activate it. The thing you're trying to log into checks the username and password are correct, and that the physical key is valid and tied to your account, before letting you in.

That means a crook has to know your username and password, and have your physical key to log in as you. We highly recommend you investigate activating MFA on your online accounts, particularly important ones such as your webmail.

What the pair found during their research work derails any previous assumptions that the lack of MFA uptake is because people are stupid, or can't use the technology. What it comes down to is education and communicating risk.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0) by Anonymous Coward on Friday March 08 2019, @12:44AM

    by Anonymous Coward on Friday March 08 2019, @12:44AM (#811412)

    People don't like 2FA because they only have to lose their dongle and they have effectively locked themselves out of everything. Oh I know you are supposed to double down and buy TWO 2FA tokens and drop one in a safe so that can't happen. Until it does. I used 2FA with the Authy phone app and then my phone died. While I waited for my new phone, I was locked out. I couldn't install the app and activate it on my tablet because it NEEDED THE FUCKING PHONE to send me a verification SMS message. Since I didn't have a spare phone just lying around to swap out my SIM, I was screwed.