Two-Factor Authentication (2FA) might get a little easier

I wrote a few weeks ago about the fact that you should always turn on Two-Factor Authentication (2FA), which is good advice indeed.  I mostly talked about using an authentication app, but mentioned 2FA by SMS in the summary at the end.

2FA by SMS works in the same way really, in that after you’ve entered your username and password (things that you know) they will then send a One Time Password (OTP) – usually 6 numeric digits – via an SMS message.  You then have a short time period – usually around 5 minutes – to enter this code into the website, thus proving that you have access to the phone (something that you have).

Sidebar – I recently stopped using the Android Messages for web service because it was doubling the devices that someone could use (e.g. if someone had my laptop, they could get past the 2FA, even if they didn’t have my phone).

This can be a touch fiddly, as you have to manually enter the number, although the Android messaging app has made it easy to copy out the number by detecting it and suggesting it as a quick action.

However, Apple have proposed a new standard format and both Google and Twilio have shown interest in adopting it as well.  The new standard would be a message like this…

123456 is your RikLewis authentication code.

@riklewis.com #123456

The first line of the message is human-readable, for you to check the authenticity manually, but the second line is designed to be read by your phone’s browser, so that it can input the code for you automatically, without you needing to do anything.  This will make using 2FA on your phone via SMS a much slicker process, as you won’t actually need to do anything other than wait.
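As an added illustration (not code from the original post, Apple, Google or Twilio), here is how a client could read that second line and only hand the code over when the host in the message matches the host of the page asking for it, which is what stops a look-alike site from harvesting the code. The exact parsing rules are assumptions based on the two-line message shown above.

```javascript
// Parse the proposed origin-bound SMS OTP format. Assumption: the final
// line of the message is "@<host> #<code>", as in the example above.
function parseOriginBoundOtp(message) {
  const lines = message.trim().split(/\r?\n/);
  const last = lines[lines.length - 1].trim();
  const m = /^@([a-z0-9.-]+)\s+#([A-Za-z0-9]+)$/i.exec(last);
  if (!m) return null;
  const code = m[2];
  // The human-readable first line should quote the same code; if it does
  // not, treat the message as malformed rather than guessing.
  const human = /\b([A-Za-z0-9]{4,8})\b/.exec(lines[0] || "");
  if (human && human[1] !== code) return null;
  return { host: m[1].toLowerCase(), code };
}

// Return the code only if the host bound into the message is exactly the
// host of the page requesting it (no suffix or prefix matching).
function otpForOrigin(message, pageUrl) {
  const parsed = parseOriginBoundOtp(message);
  if (!parsed) return null;
  const host = new URL(pageUrl).hostname.toLowerCase();
  return host === parsed.host ? parsed.code : null;
}

// Constructed sample message, copied from the format in the post.
const SAMPLE_SMS =
  "123456 is your RikLewis authentication code.\n\n@riklewis.com #123456";

// Constructed sample with mismatched lines, which should be rejected.
const TAMPERED_SMS =
  "654321 is your RikLewis authentication code.\n\n@riklewis.com #123456";
```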

If this sounds a little scary, I don’t think it should be.  My mobile banking app already does this, as long as I give it permission to read SMS messages, but since they both send and read the message they can define their own format.  This proposed system would allow all browser vendors and two-factor authentication services to implement the same functionality, and have it work across the board.

Personally I think anything that reduces the friction of implementing 2FA, without reducing the security, can only be a good thing.