Why two-step verification will never work
My wife went to a lecture last week on internet security and the expert who spoke suggested everyone turn on two-step verification, also known as two-factor authentication. It's a great idea in theory, but a terrible idea in practice.
On one hand, this is a great way to get your employees another level of security without a lot of heavy lifting on your part. The problem is that it's such a pain to implement that even a savvy user like myself ran into big problems.
The way two-step verification works is you enter your regular password, then the service sends a text to your mobile phone with a code. You enter the second code and you're in.
I tested the process on three services: Google, Twitter, and LinkedIn. All three worked just fine on my computer. But when I tried to access the services on my phone, that's where I ran into varying degrees of difficulty, all of which made me turn off the two-step verification immediately.
Unlike the other two services, which I could live without, Google services include Gmail and Google Drive, both of which are integral to my work. That's why Google gives me a bunch of temporary codes I could use in a pinch when I didn't have a signal to get a text. Google suggests keeping that paper in your wallet. I suppose it's unlikely that you would have your wallet and phone stolen, but a piece of paper strikes me as a weak link.
But it was still something I could live with in the name of an extra layer of security. I turned it on, tested it on my MacBook Pro, received my code, and it worked fine.
Then I picked up my iPhone and the trouble started.
I opened Gmail and was told my password was no longer valid. I entered it again, expecting Google would prompt me for a verification code, but it didn't. It verified my password, and when I opened Gmail again, the same thing happened. I went searching online and found out there are some applications that don't support two-step verification on certain devices, including the iPhone.
I imagined a less persistent employee suddenly realizing that they couldn't get their mail on their phone. Your help desk would probably be blowing up right about now. But I was determined, so I pursued it further.
I found out it required a special password. The Google Help page assured me this was easy and not to worry. I generated the special password, which was quite lengthy and complex. It told me I only needed to enter it once, but it was at this point I started thinking twice. It wasn't clear if that one-time password meant I couldn't get at Gmail on my iPhone again without generating another one, and entering the password would be a pain anyway.
That was my stop sign. I bailed right there and turned off two-step verification, but I figured I would test it in a couple of other services to see if they implemented it better.
You could probably live without Twitter and your business wouldn't come to a screeching halt, but given that Twitter has been hacked in the past, it's not a terrible idea to turn on two-step verification. At least in theory.
Twitter starts by making you turn on mobile phone support to access the two-step verification options, which seems harmless until you realize you're actually signing up to have Twitter notifications pushed to your phone. Picture every tweet resulting in a buzz on your phone. Um, no thanks. It's hard to turn off, too, once you turn it on. I worked around the issue by selecting the sleep option and choosing from midnight to midnight as the time frame.
Once I turned two-step verification on, as with Google, it worked fine when I tried it with my home PC, but when I went to the phone, same story. It wouldn't provide me with a code and I turned it off.
LinkedIn was actually the closest to working the way I would have hoped. I signed up, tested it on my computer, and it worked as with the others. I opened the LinkedIn app on my phone and it signed me out and prompted me to sign in again, which I did (after retrieving my password because I had forgotten it). Then, just as you would expect, it gave me a message that I needed a code: click OK to continue. Yes, looking promising. It texted me the code immediately and gave me instructions to add it to the end of my password.
I placed my cursor at the end, excited that it was finally working...but then it didn't. Instead of letting me add the additional information, it replaced my password with the code, which didn't work. I tried it a couple of times with the same result and I shut it off.
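As an added illustration (not code from the original post, and not Google's, Twitter's or LinkedIn's implementation), here is a minimal server-side model of the flow the post describes: the password check, the short-lived code that would be texted to the phone, the single-use backup codes kept on paper, and, for a service that asks you to type the code after your password in one field, a helper that refuses a field holding only the code, which is the failure the LinkedIn app produced. The function names, the five-minute code lifetime, the three-guess limit and the reduced PBKDF2 round count are all assumptions made for the example.

```python
"""Minimal model of two-step verification on the server side (illustration only)."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional, Tuple

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300    # assumption: a texted code stays valid for five minutes
MAX_CODE_ATTEMPTS = 3     # assumption: three wrong guesses and you start over
PBKDF2_ROUNDS = 50_000    # assumption: reduced for a quick demo; use far more in production


def _hash_secret(secret: str, salt: bytes) -> bytes:
    """Slow salted hash, used for the password and for the backup codes alike."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


class Account:
    """One user record: password hash, hashed one-time backup codes, pending code."""

    def __init__(self, password: str, backup_code_count: int = 5):
        self.salt = os.urandom(16)
        self.password_hash = _hash_secret(password, self.salt)
        # Backup codes: shown to the user once (the paper in the wallet),
        # stored only as hashes, and each one burned on first use.
        self.backup_codes_plain = [f"{secrets.randbelow(10 ** 8):08d}"
                                   for _ in range(backup_code_count)]
        self.backup_hashes = [_hash_secret(c, self.salt) for c in self.backup_codes_plain]
        self.pending = None   # dict(code, expiry, attempts) while a login is half done

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(_hash_secret(password, self.salt), self.password_hash)


def start_login(account: Account, password: str, now: Optional[float] = None) -> Optional[str]:
    """Step one: verify the password; on success mint a short-lived random code.

    Returns the code the service would text to the phone, or None when the
    password is wrong (no code is issued at all in that case)."""
    if not account.check_password(password):
        return None
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    account.pending = {"code": code, "expiry": now + CODE_TTL_SECONDS,
                       "attempts": MAX_CODE_ATTEMPTS}
    return code


def finish_login(account: Account, code: str, now: Optional[float] = None) -> bool:
    """Step two: accept the texted code once, before it expires, with few guesses."""
    pending = account.pending
    if pending is None:
        return False
    now = time.time() if now is None else now
    if now > pending["expiry"]:
        account.pending = None            # stale code: the user must start over
        return False
    if hmac.compare_digest(code.encode(), pending["code"].encode()):
        account.pending = None            # consumed: a replayed code fails
        return True
    pending["attempts"] -= 1
    if pending["attempts"] <= 0:
        account.pending = None            # too many wrong guesses: start over
    return False


def login_with_backup_code(account: Account, password: str, backup_code: str) -> bool:
    """Fallback when no text can arrive: password plus one unused backup code."""
    if not account.check_password(password):
        return False
    candidate = _hash_secret(backup_code, account.salt)
    for i, stored in enumerate(account.backup_hashes):
        if hmac.compare_digest(candidate, stored):
            del account.backup_hashes[i]  # each backup code works exactly once
            return True
    return False


def split_password_and_code(field: str) -> Optional[Tuple[str, str]]:
    """For services that ask the user to type the code after the password in one box.

    Returns (password, code), or None when the field is too short to hold both,
    which is what arrives when a client replaces the password with the code
    instead of appending it; the caller should reject rather than guess."""
    if len(field) <= CODE_DIGITS or not field[-CODE_DIGITS:].isdigit():
        return None
    return field[:-CODE_DIGITS], field[-CODE_DIGITS:]
```

The `now` parameter exists so expiry can be exercised without sleeping; a real service would read the clock. Storing backup codes as hashes means a copy of the user table does not hand out working codes, and deleting each one on use is what makes the paper in the wallet a limited rather than permanent bypass.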
How about putting the user first?