You’ve probably seen http://twofactorauth.org:
This site totally misses the point. I think Walmart should be congratulated for not rolling out 2FA. A tightly bundled solution that solves two-factor authentication only for their website (which I almost never visit) or in their stores (which I am almost never in) is not that useful. Nice work Walmart!!!
The list I’d like to see is which websites enable me to specify where I want to be authenticated, and hopefully with what mechanism. I can choose a domain for my website and email. Why shouldn’t I be allowed to choose how and where I authenticate?
For many people this domain would be Google.com or Facebook.com. We already have social creds, so in many cases these are a good choice. In other cases, I might want to use my work email to identify my home domain. For example, if I am using a SaaS business application, my work might even be paying for it, so it makes sense that they’d want to control access.
The problem is that in the past, it wasn’t clear which standard websites should adopt to enable distributed authentication. Finally, the answer is clear: OpenID Connect. This standard has the backing of Microsoft, Google, and enterprise security vendors, and already has many open source implementations and libraries, such as the OX OpenID Connect Provider.
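To make concrete what "letting the user choose where to authenticate" asks of a website, here is an added example (written for this post, not code from Gluu, OX, or the OpenID Connect specification) of the relying-party side of an OpenID Connect login: the part after the `@` in the identifier the user types selects a registered provider, and the ID token that comes back is accepted only if its `iss`, `aud`, `exp`, and `nonce` claims match what the site expected. All names, domains, issuer URLs, and secrets are constructed for the example. The static domain-to-issuer table stands in for WebFinger-based OpenID Connect Discovery, and the tokens are HS256 so the example runs offline; production providers sign with RS256/ES256 and the relying party fetches the public keys from the `jwks_uri` in the provider's discovery document.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed relying-party client_id (hypothetical, not from the post).
CLIENT_ID = "example-rp-client"

# A site that lets users pick their provider must still only trust issuers it has
# registered with. Constructed mapping of a user's home domain to the issuer value
# that provider publishes at https://<issuer>/.well-known/openid-configuration.
# In a real deployment this lookup is WebFinger discovery, not a static table.
TRUSTED_ISSUERS = {
    "example.com": {
        "issuer": "https://idp.example.com",
        "client_secret": b"constructed-secret-for-example-com",
    },
    "work.example.org": {
        "issuer": "https://login.work.example.org",
        "client_secret": b"constructed-secret-for-work-example-org",
    },
}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def home_domain(identifier: str) -> str:
    # The user types an email-style identifier; the domain selects the provider.
    if "@" not in identifier:
        raise ValueError("identifier must look like user@domain")
    return identifier.rsplit("@", 1)[1].lower()


def _sign(secret: bytes, signing_input: bytes) -> bytes:
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def issue_id_token(domain: str, subject: str, nonce: str, now=None) -> str:
    # Provider-side helper so the example runs offline: builds an HS256 ID token
    # with the claims OpenID Connect requires. Real providers use RS256/ES256.
    now = int(time.time()) if now is None else now
    cfg = TRUSTED_ISSUERS[domain]
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": cfg["issuer"], "sub": subject, "aud": CLIENT_ID,
              "iat": now, "exp": now + 300, "nonce": nonce}
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    return signing_input + "." + b64url_encode(_sign(cfg["client_secret"], signing_input.encode()))


def validate_id_token(identifier: str, token: str, expected_nonce: str, now=None) -> dict:
    # Relying-party checks, in order: provider is registered, signature verifies
    # under that provider's key, then iss / aud / exp / nonce match expectations.
    now = int(time.time()) if now is None else now
    cfg = TRUSTED_ISSUERS.get(home_domain(identifier))
    if cfg is None:
        raise ValueError("no registered provider for this domain")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never accept "none" or an alg you did not register
        raise ValueError("unexpected alg")
    expected_sig = _sign(cfg["client_secret"], f"{header_b64}.{payload_b64}".encode())
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != cfg["issuer"]:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("audience mismatch")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def is_accepted(identifier: str, token: str, expected_nonce: str, now=None) -> bool:
    try:
        validate_id_token(identifier, token, expected_nonce, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = issue_id_token("example.com", "alice", "nonce-1", now=t0)
    print(validate_id_token("alice@example.com", tok, "nonce-1", now=t0 + 60))
    print(is_accepted("alice@example.com", tok, "nonce-1", now=t0 + 600))  # expired
```

The point of the ordering is that the user's chosen domain decides which key and issuer the site will accept, so a valid token from one registered provider cannot be replayed as a login for an account at another, and the nonce ties the token to the browser session that started the login.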
If the authors of http://twofactorauth.org had actually done their research, they would have discovered that the main reason websites don’t use two-factor is deployment issues. A large enterprise like Walmart needs to identify people who are acting as its employees, customers, and partners. Its IT infrastructure consists of numerous web services, both internal and third party. Tightly binding one type of authentication to one application does not really address the security concern.
Ironically, increasing security is an inconvenience to the customer. The best usability is not authenticating me at all. We should congratulate the websites that use authentication intelligently to mitigate network security risk. We should not be congratulating knee-jerk adoption of technology that doesn’t enhance usability or security for their site, or for the Internet in general.