Gluu Blog

Follow us:
Back to Blog

2FA for every site on the Internet?

Mike S. April 8, 2014

You’ve probably seen http://twofactorauth.org:
twofactorauth_org_screenshot

This site totally misses the point. I think Walmart should be congratulated for not rolling out 2FA. A tightly bundled solution that just solves two factor authentication for their website (which I almost never visit) or in their stores (which I am almost never in), is fantastic. Nice work Walmart!!!

The list I’d like to see is which websites enable me to specify where I want to be authenticated, and hopefully with what mechanism. I can choose a domain for my website and email. Why shouldn’t I be allowed to choose how and where I authenticate?

For many people this domain would be Google.com or Facebook.com. We already have social creds, so in many cases these are a good choice. In other cases, I might want to use my work email to identify my home domain. For example, if I am using a SaaS business application, my work might even be paying for it, so it makes sense that they’d want to control access.

The problem is that in the past, it wasn’t clear what standard websites should adopt to enable distributed authentication. Finally, the answer is clear: OpenID Connect. This standard has the backing of Microsoft, Google, enterprise security vendors, and already has tons of open source implementations and libraries like the OX OpenID Connect Provider.

If the authors of http://twofactorauth.org had actually done their research, they would have discovered that the main reason websites don’t use two-factor is deployment issues. A large enterprise like Walmart needs to identify people who are acting as its employees, customers, and partners. The IT infrastructure is comprised of numerous web services, both internal and third party. Tightly bundling one type of authentication to one application does not really address the security concern.

Ironically, increasing security is an inconvenience to the customer. The best usability is not authenticating me at all. We should congratulate the websites who use authentication intelligently to mitigate the risk of network security. We should not be congratulating knee-jerk adoption of technology that doesn’t enhance usability or security for their site, or for the Internet in general.

Be sure to subscibe to
our RSS Feed

Mike Schwartz

Mike has been an entrepreneur and identity specialist for more than two decades. He is the technical and business visionary behind Gluu. Mike is an application security expert and has been a featured speaker at RSA Conference, Gartner Catalyst, Cloud Identity Summity (now "Identiverse") and many other security conferences around the world.