Speaker Key: PB: Phil Brown, DW: David Whelan
PB: Hi, it's Phil
Brown and I'm here with David Whelan. Today we are going to talk about 2Factor
ID and OpenID.
DW: 2Factor ID is something you are
already familiar with if you use a bank card and ATM. 2Factor requires you to
have two things to present to authenticate yourself as being the owner of an
account. In the case of a bank, these are usually a card and a PIN. You put
the card in the machine, you type the PIN into the machine, 2Factor
authenticates you and you are ready to go. If you do not have one of those
pieces, you cannot go forward. We are starting to see more and more 2Factor
authentication available on the web and it is making it safer, in most cases,
to protect your accounts if you can turn on 2Factor authentication on your
PB: Right. The reason is that
passwords alone will not protect you.
PB: After you put in your password remotely for your email
system or Dropbox (if you happen to be using that) it then comes back to you
and says, "Okay, that's great. We're going to send you a number or you're going
to have access to another number, which you're then going to have to put in,
and then we'll let you into that account."
gets you past the issue of: Do you have strong passwords or not? A lot of
people still do not have strong passwords - they are using weak passwords.
But even if you are using strong passwords and password managers and all that
good stuff, 2Factor authentication gives you a little bit more protection in
case either that password is divulged or discovered through a brute force
attack or something along those lines, or worse, what has happened to a number
of people - prominent journalists - where they were socially engineered. Not
the journalist or the person who owned the account themselves, but the people
who worked for the customer service for the particular web service. Someone
calls in and says they have lost their account, and they are able to answer
enough questions based on information from the web that they are able to get
past that password block by itself. 2Factor authentication would then send
out a request or a notification saying, "We need this extra piece of
information," and that person wouldn't have it.
Right, and a strong password is a password that has lower case and upper case
letters, numbers, symbols, spaces, things like that.
DW: That's right. No one from your family, no children's
PB: No birth dates - that sort of thing. Even a
strong password is potentially vulnerable to a so-called brute force attack,
where someone is just, basically, plugged into your device or your system and
is letting a computer run all the permutations and combinations of
DW: Right. 2Factor authentication is still
optional in many places. I do not know any sites that are actually requiring
it that are typical consumer sites, but you will see it - you can turn it on
for Google and Facebook and things like that. You can get a list of people
who offer 2Factor authentication at twostepauth.org. That's T W O S T E P A U
T H.org, and that will give you a list of who has it and how they have
PB: Right. Just as an example, a lot
of things that lawyers and paralegals might use, like Evernote, LinkedIn,
Dropbox, Facebook, and things like that - they all have 2Factor
DW: So how do you get two step or
2Factor authentication on the web? It is actually not that tricky, but it
usually requires you to have a mobile phone. What happens is that you log in,
and the mobile phone will receive a text with the second piece of information
that you need to type in. Now, if you are a cheapskate like me and do not
have a really good cell phone plan or cell phone coverage - and sometimes you
just aren't in a place where you have that kind of coverage - you can have
that code generated for you by downloading an app when you're on the web and
then using it when you are offline. It will then generate the code that you
need so that you can plug that code in, regardless of whether you have cell
phone access, or in fact, your mobile phone with you.
PB: So if you lose your mobile phone you are not lost
You will still be able to get into all of your accounts by either getting on
the web or using one of these offline tools.
Right. Their free Google Authenticator works on most platforms, but you can
find other ones. I think you use Authy, is it?
Authy, yes, and they are even available, as David says, across platforms. You
can use them (usually the same app) for Blackberry, Android and Apple. They
are quite versatile and very simple-to-use apps.
I think the use of these sorts of authentications is the next progression. We
obviously had passwords in order to protect our accounts, then we went to
strong passwords, which are now starting to be broken. I think the 2Factor
authentication is the next step: if you are putting client files in the Cloud
or emailing them, or storing them in your online email, having 2Factor
authentication is a sensible extra precaution that does not cost you anything
except a couple of extra minutes, maybe, as you authenticate in and out of
PB: And a number of these
authentications will default to a paper list of codes as well. I know Gmail
gives you that option - once you sign in to 2Factor authentication, it will
generate a list of ten codes that you can just fold and put in your wallet
and use them any time. If you do not have access to your app at the time, or
you do not have access to your phone at the time, you still have a paper
back-up list and can use each one of these ten codes once and be able to use
your 2Factor authentication.
DW: That's great because
it is just like the bank idea, then. You have this paper thing and the
password in your head, and you put them together to get access to your
Social login is the other part of how you can manage your accounts online.
2Factor authentication allows you to get in and out of your accounts, but
sometimes you may not want to create a user name and password for every
website you go to. In part, that just means more passwords for you to manage
and to be aware of, but also some of the sites you are using may not be as
rigorous at protecting your information - your user name and password - as you
would expect. One of the ways you can get around that is to use websites that
use the social login, often called OpenID, which is a version of the social
login. Instead of creating a user name and password there, you reuse a secure
and, potentially, two-step or 2Factor authentication service in order to
get access to multiple websites.
PB: OpenID has been
around a long time, and usually people just kind of ignore it when it pops up.
You will notice sometimes that if you are signing into a website, it will say
on the side, "Hey, do you want to sign in with your Google password or your
Yahoo! password?" That is an example of OpenID.
It means that if you trust the person or the company that has that social
login or that OpenID to protect your user name and password, it makes it a
much easier process to then reuse it over multiple websites. Of course, if
you want to, when you grant access or sign in with that user name and password
typically it is logging that information in your original account. So say I
log in with my Google.com account into another website. When I go back to my
Google.com account it will show who I have authorized or who I have got a login
with, and I can terminate that access, or terminate that connection whenever
I want to.
PB: Right, and OpenID is open
source-based software. Problems with that, or no?
Not really, so long as the provider who is providing the OpenID database is
someone you would trust. The fact that the software itself is open source is
not insecure, but if, I mean, I could open up Dave's Passwords N' Stuff and
run my own OpenID server. I do not know that I would feel comfortable as a
lawyer using someone who is so fly-by-night as David's Passwords N' Stuff. So
I think if you are going to use OpenID, either use a provider like Google or
someone large, or make sure you really understand who is behind the security
for that OpenID account.
PB: Right, because everyone
PB: I will say this: OpenID is huge. There are over
50,000 sites, apparently, that use OpenID. It is something you stumble across
every day and it is almost invisible to most people.
DW: Right. The social login, I think, has really changed
how people use multiple websites. I notice it really only when the social
login only asks for, say, Facebook, and I am not going to use my Facebook
account to log in there, so I really only notice it when my social login is
not part of the list.
PB: Right. So that is our look
at 2Factor ID authentication and OpenID. Thanks very much, David.
DW: Thanks, Phil.