Why Passwords Aren't Enough
We need better security for our online accounts. Could Gmail lead the way?
Nearly two years ago, I wrote about an easy way to create invincible passwords for your most-sensitive online accounts. The short version: Come up with a memorable phrase, then turn it into a password by using the first letter of each word. Thus, I'm 44 and I still love Justin Bieber becomes I44aIslJB—a password that's hard to guess but easy for a Bieber obsessive to remember. Slate has re-published my article several times, because seemingly every few months there's an incident that serves as a good reminder for people to create new passwords. Last year, for example, Gawker's database was hacked, spreading thousands of commenters' passwords all over the Internet. And just in the last few weeks, two huge dating sites—eHarmony and Plenty of Fish—were compromised, and passwords found in those databases are now being offered for sale in online black markets.
This sort of thing is going to keep happening over and over again. There will always be sites that don't protect users' credentials as well as they could, and when one of these sites gets hacked, you'll have to change your password everywhere. Sure, there are ways to reduce these risks: You shouldn't use the same password for different sites—that way if a hacker gets the keys to Gawker, he won't be able to get into your bank, too. One way to keep track of many different strong passwords is to use a password helper like 1Password, a program that creates and remembers bulletproof passwords for every site you visit.
Still, these measures don't address the fundamental flaw in the way we use passwords on the Web today. A password is the only thing separating your e-mail, banking information, and social networks from a bad guy. It takes only one database hack or phishing attack for a thief to get your password, and from there, he could wreak all kinds of havoc. That shouldn't be. As we store more of our personal information online, we're asking passwords to shoulder an ever-larger burden. That's too much for the humble password to do.
We need something else—some other bit of information that a thief would need to get inside your account. This second form of security wouldn't be something that you memorize. Instead, it would be something you keep in your possession—your fingerprint or retina scan, a key fob, or a little widget inside your phone. When you wanted to access your account, you'd present this item in addition to your username and password. And if your password got stolen, the thief still wouldn't be able to get into your account.
Security experts call this "two-factor authentication," because it requires two different kinds of information—something you know as well as something you possess. Two-factor authentication isn't new. Many corporations and the government require it. Often, the system involves little radio cards or other electronic doohickeys that you connect to your computer when logging in. But because these systems are expensive and require a fair bit of work for the IT department—someone's got to keep track of all those key fobs—two-factor authentication has never been available for consumer sites like Web e-mail or bank accounts.
But that might be changing. Last week, Google launched two-factor authentication for Google Accounts—the credentials you use to log in to all Google services, including Gmail. I've been using the system since then, and I think it's a good step toward a future in which we move beyond passwords to protect our most intimate secrets. Google's system is optional; you can set it up on your Google Account page. After you opt in, you'll log in to Gmail with a username and password, as usual. Then, you'll see another screen asking you for a six-digit "verification code." This code is the second factor to get into your account. It's generated by the Google Authenticator app that you download on your Android phone, iPhone, or BlackBerry. (If you don't have one of those phones, you can get verification codes through text messaging on a standard mobile phone.) The app generates a new verification code every 30 seconds. This means that you need to have your phone with you and powered on when you log in to your e-mail. On the plus side, though, if someone steals just one of these factors—just your phone or just your password—he can't log in.
Google's system is far from perfect. For one thing, it's a bit of a hassle to set it up on third-party systems that use your Google account. If you sync Gmail with Outlook or your iPhone, for instance, you'll need to enter a new, computer-generated password into each of those devices to keep them connected to your account. (You only have to do this once, but it's still frustrating if you've got many different devices that connect to your Google account.) There's also the worry of losing your phone. When you set up the two-step system, Google asks you to enter a backup phone number, and it also gives you a set of backup verification codes, which you're supposed to keep in a safe place (away from your phone). According to a Google spokesman, when you lose your primary phone, Google will send a new verification code (either via text message or an automated voicemail) to your backup phone. If you don't have access to either your primary or backup phone, you can use one of the backup codes you kept in a safe place. But what if you lose your phone while traveling in Europe, and both your backup phone and your backup codes are back home?
For most people, the biggest problem here is that two-factor authentication simply requires one step too many. Typing in a verification code when you log in to your account isn't difficult—it takes 10 seconds, at most. There is also an option to have Google ask for the verification once every 30 days for a specific machine; this means that when someone steals your password, it will only work for a limited time on that machine before it's rendered unusable, which is better than nothing. [Update, Feb. 18: The previous sentence has been updated to reflect that the 30-day verification option applies to a specific machine. If you want to log in from a different computer during those 30 days, you still need to use a verification code.] Still, as I reported in my first piece on passwords, most people use the same password for all the sites they visit, and they never change their passwords. I'm betting that those people aren't going to be excited about an extra security step. Indeed, the people most likely to take advantage of two-step verification are those who already think about password security—in other words, people who are likely to need it the least.
That's why I'm hoping that Google, Apple, Facebook, Twitter, and the world's major banks work together to create an advanced two-step security system that's also drop-dead easy to use. Instead of a verification code, my ideal system would use either a credit card or biometric information, like your fingerprint. To log in to your bank on your home computer, then, you'd type in your username and password, and then you'd place your finger on your phone's screen. The phone would authenticate you and send a wireless verification signal to your computer, and you'd get into your account. Alternatively, you could slide your credit card through your phone's card reader—or simply wave your credit card so that it can be recognized by the "near-field communication" chip in your phone.
Are these things too far out? Nope. Electronic fingerprint readers are cheap these days, and they would be easy for phone makers to deploy (the new Motorola Atrix smartphone includes a fingerprint reader); they could also use the phone's camera to identify your eyeball or your face, or perhaps the microphone to identify your voice. There are already third-party credit card readers for the iPhone, and there are persistent rumors that Apple plans to build near-field communication into the iPhone in order to let you pay for stuff with your phone. (Google's Nexus S already has an NFC chip.)
The limitations on the widespread use of two-factor authentication, then, aren't technical. They're social and commercial; many people are going to kick and scream if they're forced to do something extra to get into their accounts, and companies will need to work together to create a standard system that can be deployed across a wide range of services. But I suspect that we'll overcome these challenges, and that two-step verification will eventually become the norm. Every day, we get fresh evidence that passwords aren't enough to protect us from the bad guys online. It's time we stopped pretending they were.
Correction, Feb. 19, 2011: This piece originally misstated the procedure for accessing Gmail with two-factor authentication if you lose your cell phone. Along with giving you a set of backup codes, Google also asks you to set up a backup phone number for emergencies.
Farhad Manjoo is Slate's technology columnist and the author of True Enough: Learning To Live in a Post-Fact Society.