How Two-Factor Authentication on Mobile Phones Should Change in the Future

This is my 50 cents' worth on how two-factor authentication should change in the future. As more sites adopt it, you will end up with an average of more than 20 different two-factor authentication codes on your mobile.

[Image: 86/365+1 Cryptic]

Two-factor authentication codes sent via SMS are only an option, and one that depends entirely on your mobile network being available; I prefer not to receive an SMS code for each of my sessions. The best choice so far is the Google Authenticator app, which is available across all the mobile operating systems. Like an RSA token, Authenticator generates the codes offline and does not need a data connection.

So what is going to happen in the future?

I have 5 accounts linked to my Google Authenticator: my two Google accounts, DreamHost, LastPass and Dropbox. Evernote and LinkedIn have introduced two-factor authentication, and they are next in the queue for me.

There is no doubt that I will end up with at least 30 accounts very soon, and the current Google Authenticator app will have me scrolling through all 30 of them to find my code. By the time I locate the right account and type in the code, the time window has expired and the code has changed. So, in terms of usability, a change is necessary.

So here is my proposal (sorry if it sounds dumb).

Instead of looking up and entering the code manually for every account, each account added to Google Authenticator should have a unique callback URL, or Google should provide a push service that securely allows third-party services to send a request to the Google Authenticator client on our mobile.

Update: After a discussion with my friend Srinivasan Annamalai, one of my technology evangelists, we concluded a few things about both security and usability: Google should offer third-party services an API that permits only one action, triggering the generation of the secure code for the account concerned and popping it up on the user's mobile screen (an on-demand action).

So the next time you want to log in with 2-step verification, all you have to do is pick up your mobile, fire up the app and wait for the request your service provider sends to Google; the app generates the code and pops it up. You enter it. That's it. Tada!

This way you can manage any number (N) of two-factor accounts from a single authenticator application…

4 comments

  1. Shreyo

    Your point seems legitimate, but we often ask Google to store (trust) the computer we are on, which is mostly our own PC or lappy. And involving an app is like taking on some sort of security risk (for e.g. some Android apps were flooded with malware recently), which could end up in account hacking.

    • Sankaranand

      Basically, the third-party services can only access the Google API service, and they can make only one type of request (a trigger) by sending your account username as an argument, and that's it, no response; the Google API service will trigger the pop-up for the account in the Google Apps account. Regarding the malware, I don't see any point as a security issue, because codes are generated on the instant and the source code is encrypted. If this were a security issue, then almost no Android app could exist, because malware can take away all your information and call logs, which is possible on affected mobile phones. Since it is a second-factor authentication, you will still need your password to log in. An infected mobile phone cannot get the data from the Google Authenticator app because it is encrypted and some parts are closed source. This won't be an issue with Windows Phone, iOS and BlackBerry because they are all closed source and have big restrictions on connecting with other apps. This also applies to Android.
