Two-factor Authentication

written by amcvega on October 29th, 2007 @ 05:55 PM

Website authentication is usually done using the username-password model: the user has a unique username and a password to prove that he owns that username. The programmer and the system administrator can put in all the encryption and security updates they can, but if a hacker somehow manages to access a username and password (e.g. admin / password), then all the other measures become useless.

Enter multi-factor authentication. One-factor authentication is something you know – your username and password. The second factor is usually something you have – some form of key. On the web, it is not so easy to implement two-factor authentication. Usually, what passes for two-factor authentication doesn’t quite cut it.

There is an interesting idea out there, though, that aims to solve this, called BeamAuth. The idea is simple – use bookmarks as a key. Using a little JavaScript, a bookmark, and the little-known fragment identifier, Ben Adida has developed a system that allows the user to securely send an encrypted key along with the login information. Seamless two-factor authentication!
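The bookmark-and-fragment mechanism described above, sketched as an added example (not code from this post or from BeamAuth): the key sits in the bookmark's fragment, which the browser never puts in the HTTP request, and page script reads it and submits it with the login form. The URL, user name, key value, `token` field name and all function names are constructed assumptions; the real BeamAuth protocol may handle the key differently.

```javascript
// Added illustration. All names and values here are constructed.
const LOGIN_PAGE = "https://example.test/login";

// Enrollment: the user saves this URL once as a bookmark (key in the fragment).
function makeBookmark(loginPage, token) {
  const u = new URL(loginPage);
  u.hash = encodeURIComponent(token);
  return u.href;
}

// What goes on the wire for a URL: path and query only. Browsers do not
// include the fragment in HTTP requests, so it stays out of server logs.
function requestTarget(href) {
  const u = new URL(href);
  return u.pathname + u.search;
}

// What page script does after the bookmark is clicked: read the key from
// the fragment, then strip it so it does not linger in the address bar.
function takeTokenFromFragment(href) {
  const u = new URL(href);
  const token = decodeURIComponent(u.hash.slice(1));
  u.hash = "";
  return { token, cleanedHref: u.href };
}

// The login POST (over HTTPS) then carries both factors in its body.
function buildLoginBody(username, password, token) {
  return new URLSearchParams({ username, password, token }).toString();
}

// Compares every character instead of stopping at the first mismatch.
function safeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i % (b.length || 1));
  return diff === 0;
}

// Server side: the second factor passes only if the submitted key matches
// the one enrolled for that user (password check omitted; a real server
// would also store only a hash of the key).
const enrolled = new Map([["alice", "k3y-constructed-0001"]]);
function secondFactorOk(body) {
  const p = new URLSearchParams(body);
  const expected = enrolled.get(p.get("username"));
  return expected !== undefined && safeEqual(expected, p.get("token") ?? "");
}
```

A stolen username and password alone fail `secondFactorOk`, because the key only ever existed in the user's bookmark and in the login POST body.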

BeamAuth is a new idea and I haven’t heard of any sites that use it yet. Unfortunately, the demo app doesn’t work right now, so I haven’t really seen it in action. However, the idea is simple and it looks easy enough to implement. I haven’t seen any holes in the idea yet; maybe Bruce Schneier or Steve Gibson would know better, but I don’t think they’ve heard of the idea yet. I might try it out myself soon and see if it’s as effective as it seems.
