In this video we're going to discuss Two Factor Authentication: what it means for authentication security, and what it means for usability. So, just as some background, Two Factor Authentication, which I'm going to abbreviate as TFA in the slides just for brevity, basically means that you have a password combined with a one-time unique code. So, while people can guess your password, they can't guess your password and this unique code. And those two things together are designed to make the system more secure.

That unique code can be generated in a number of ways. Sometimes you have a device specifically designed to create that unique code, and we'll take a look at an example of one of those. That unique code may be emailed to you when you need it, it could be sent to you in a text message, or some places, like Google, actually have an app that's designed to generate that code for you if you want.

Let's look at a couple examples of these Two Factor Authentication codes being generated. And we'll start with one generated by a device called an RSA SecurID key. This is an RSA SecurID USB key; you can see the little cap on the right-hand side that covers up the USB. And in the middle is a digital screen that generates a unique ID that's used in Two Factor Authentication. If you watch, you can see the number in the middle keeps changing, and on the left-hand side of that digital display is a set of bars that count down the time that number is valid. What we're seeing here is this video sped up almost six times its normal speed, so the numbers actually stay visible for quite a while.

With this key, I use it to log in to a consulting job I have, and I'll type in my user name, I'll type in my password, and then I will append the six digits for this RSA key onto the end of my password, generating a unique one-time password.
There is a unique identifier for my RSA SecurID key that we are looking at here that is linked with my account, and the numbers that are appearing on my key are linked to the ID of my key, which is linked to my account. So, someone else with a different SecurID key would have different numbers showing up. They couldn't just use the numbers on my key to log in to their account. So, there's a lot of security going on here. I have my unique username, and it's connected to my unique RSA key. I have my password, and I have the temporary number that appears on my key only. I combine those together in order to get a unique password.

The next example we'll look at comes from Google. They have Two Factor Authentication available for Gmail and other applications. This video is actually taken from Google's description of how their Two Factor Authentication works, and you'll see how they can generate this unique code either through a text message or through their app, and in addition we'll actually see how the Two Factor Authentication login process works on Google, and in fact this is how it works on a bunch of different sites.

>> After you sign in with your username and password, Google will ask you for a verification code. If you chose to receive a text or voice message when you set up two-step verification, Google will then send it to you on your phone. If you're an Android, BlackBerry, or iPhone user, you can also choose to generate a code on your phone using the Google Authenticator app. Enter the code from your phone. If you trust this computer, you can check this box and you won't be asked for another verification code for 30 days.

>> So how does Two Factor Authentication help security? Well, it's definitely more secure because you have two things that a hacker needs to get into the system, not just one, and it stops most hacking attacks because that unique code is constantly changing.
So even if they were able to get a hold of it once, they can't get a hold of it multiple times. And if they want to get a hold of that, they generally need to access a device that you have: your RSA key, your email, or your smartphone. Users also perceive Two Factor Authentication as more secure. So they understand that there's a couple of extra steps that's making the system more secure if they use it.

But how does it affect the usability, or the perceptions of usability? Research says that Two Factor Authentication is actually much less usable than traditional password-based or single factor authentication. It's definitely slower; measurements of speed show that it takes more time. User preference also indicates that it's less preferable and less usable in a number of ways. Users felt that it was less usable when they were asked; they thought it was less convenient than doing Single Factor Authentication, which makes sense, since you have to have a device, or access to your email, in order to log in with it, and they felt it was harder to use. So, overall, users didn't really like the usability of Two Factor Authentication in research that studied it, and it's slower, which is another measure of usability, so we get a big loss in the usability department when Two Factor Authentication is introduced.

There's one simple conclusion from this: Two Factor Authentication is more secure but less usable. That doesn't mean that we need to take it out of systems. There are some systems that are very sensitive. They need the highest security possible, and that means including Two Factor Authentication. But the fact that it's less usable means that it shouldn't be relied on as a way of simply making systems more secure, because users don't like it, and that means that they're going to have trouble using it, and if given the option they're likely to turn it off.