March 3, 2017

Authentication confusion, and the need for open standards

I'm a proponent of multi-factor authentication for increased security when logging in to websites and other services. In my use-cases this typically involves the use of a hardware token which generates a one-time code, or an app on my phone that displays codes. Examples of the hardware approach are my bank's card-reader device, PayPal's Security Key, and the RSA token commonly used to log in to corporate VPNs. On the software side there's the Verisign VIP Access app and the Google Authenticator app which I use in the 2-step verification process for my Google Apps account.

This has led me to occasionally experience what I call "authentication confusion" where I try to use the wrong device; for example this morning I found myself trying to use my PayPal token to log in to a VPN where I should have been using the RSA token. Perhaps this was just a symptom of a lack of caffeine first thing in the morning, but it does highlight the problem of the proliferation of proprietary devices.

That's why I was glad to read that Amazon Web Services now support the OATH TOTP (Time-based One-Time Password) protocol for logging in to their administration console (previously this used a proprietary hardware token, which is still supported). The nice thing about this is that it's an open standard, and as such is supported by several applications, including Google Authenticator - which I already have.

Support for open standards like this is a great way to encourage the adoption of multi-factor authentication - increased security with minimal decrease in convenience.

Topics: Bioinformatics