1Password's update highlights the difference between two-step and two-factor verification

Glenn Fleishman | Jan. 30, 2015
An update to 1Password brings time-based one-time passwords (TOTP for short) to its iOS app. A one-time password is typically used as a second element in two-factor authentication (2FA), a subject I've written about many times in this column. But, as noted in a sensible and honest post by AgileBits, 1Password's developer, a second factor isn't always a second factor.

A TOTP requires a seed code that, when transformed through an algorithm that includes the precise current time, produces a number that's converted into a short code, typically six digits long. In order to use a TOTP at a site that offers it, you walk through its enrollment process, which involves scanning a two-dimensional QR Code and generating one-time backup or recovery keys. The QR Code graphically represents the seed that both you and the site retain. (Some sites offer the seed as a code you can tap in as well.)

Google was the first mainstream site to add TOTP via an app, and still offers it today. When you log in from a new computer or browser, or in other circumstances Google's security algorithms require, you're prompted to enter this factor. Via Google Authenticator, an ecosystem of apps and synchronization like Authy, or this new option in 1Password, you pull up the current time-bound sequence of numbers and enter them. The site validates that the number you entered matches its derivation, and grants you access.

TOTP predates Google's usage, of course, and was previously found largely in security cards and dongles used by corporations and financial sites. I have a keychain-style doohickey from PayPal and one from E*Trade that carry out the same function, but they're dedicated bits of plastic and silicon with a tiny LCD screen, and their seeds are locked in hardware. I have to have them physically in my possession to validate a login.

[Figures: Adding a TOTP in 1Password 5.2 for iOS. 1. Edit an existing entry (or create a new one). 2. Scan the seed by tapping the QR Code icon, or enter the text version. 3. The Secret field will show a link or the text seed. 4. After tapping Done to finish editing, whenever you view the password entry, the current TOTP will be shown, including the remaining time that it's valid.]

Not every step is a factor

Now the rubric with multi-factor authentication is that factors may be "something you know," "something you have," and "something you are," which typically correspond, respectively, to a password, a physical device receiving or generating something, and biometrics (like fingerprints and retina scans). Any multifactor system picks at least two of these, and sometimes all three.
