New America
In Depth

Getting Internet Companies To Do The Right Thing

Case Study #2: Offering Two-Factor Authentication

Photo: Shutterstock

What is Two-Factor Authentication (2FA)?

Two-factor authentication (2FA) is a method of authentication for online services that goes beyond the traditional username and password. It works by requiring a user to prove that they are who they say they are in two ways: with something they have and something they know.

When two-factor authentication is enabled, the user is asked to provide a combination of (usually two) authenticators, one that falls into each category above. Something that the user knows, such as passwords, and something the user has, such as possession of a separate authenticating device—usually a short code provided by a mobile phone—or a biometric identifier like a fingerprint or retina scan. Unless the user has both the account password and the device generating or receiving the random code, they will not be able to establish their identity and access the account. Neither will a hacker who has only been able to obtain the user’s password, whether through a phishing attack or otherwise.


The Emergence and Adoption of 2FA

Though there have been several predecessors to the modern day two-factor authentication system, the 2FA that we would recognize today was first made commercially available by the RSA company as a key fob in 1986. The fob had a small LCD screen that displayed a short numerical code which users appended to their passwords. For over 20 years, many large enterprises and governments made use of this type of extra protection for their internal systems. However, it would not become a common feature on the internet until this decade, after the number of people using account-based services—and the number of those accounts being hacked—hit critical mass.

In January 2010, Google announced that the Chinese government had been targeting Google (and, it would turn out, around 20 other U.S. companies) with a long-term attack aimed at gaining access to the email accounts of human rights activists working in China and around the world. The attacks led to a number of changes at Google, both in terms of security infrastructure and policy. As a result, Google decided to shut down operations in China. Later that year, Google introduced their two-factor authentication system. Initially only for business accounts, it was rolled out to all Google users in early 2011. For the first time, 2FA was available to the general public for an average user account. In the years since, other major companies such as Microsoft, Twitter, Apple, and Amazon have begun to offer 2FA options across a multitude of online platforms (only a subset of which are represented in this timeline). Competition on security features, high-profile breaches, and the every-day occurrence of account hijackings have led to an environment that demands better authentication. However, many consumers are still not availing themselves of these options, as demonstrated by a continued flood of well-publicized email account breaches, because by their nature they are less convenient and more complex than a simple password. Consequently, companies are investigating other authentication methods that might be both convenient and secure enough to replace today’s options.

Key Factors Spurring Adoption of 2FA

The first offering of 2FA by a major online service—just like the first deployment of HTTPS encryption by default—was as part of Google’s response to China’s attacks on the Gmail accounts of human rights advocates, which were revealed in January 2010. That September, Google released the first version of its two factor authentication application, called Google Authenticator, and in February 2011 it began offering optional two-factor authentication to all of its account holders. Supported by the Internet Engineering Task Force’s publication of a standard method for offering 2FA, other providers began to follow suit, including Yahoo in December 2011.

After the crisis of the Chinese hacks got the ball rolling, a continued string of high-profile hacking incidents—such as the hacking of Matt Honan that was featured on the cover of Wired, or the scandalous hacking of celebrity iCloud accounts—continued to highlight the need for stronger authentication offerings, a need that the Federal Trade Commission went out of its way to highlight in a number of key enforcement actions and public statements. Apple quickly responded to the iCloud leaks with a new 2FA offering, and after a string of hacks targeting DropBox, Slack, and Twitter accounts, those companies enabled two-factor authentication for their users as well. As with HTTPS, this accelerating trend of adoption was hastened by consistent campaigning from privacy advocates and security experts from organizations like the Electronic Frontier Foundation and the ACLU, as well as from the Executive Branch via the “Lock Down Your Login” initiative from the White House and the National Cybersecurity Alliance.


Looking Toward the Future of Two-Factor Authentication

With companies seeking even more secure and easier to use authentication mechanisms, the Universal Second Factor standard was developed in 2014 and has seen slow but steady growth in availability and use. Meanwhile, the accelerating rash of high-profile email hacks—most recently, hacks targeting the Democratic National Committee, former Secretary of State Colin Powell, and Hillary Clinton campaign chairman John Podesta—continues to highlight both how important 2FA is, and how many internet users—even those who ought to know that they are targets of state-sponsored hacking—are still failing to use it. As companies look to the future, they are beginning to experiment with other types of multiple-factor authentication that are both more secure and more easy to use, including the use of biometrics like fingerprints, facial or speech recognition, and more. As authentication methods become more sophisticated, we may quickly be moving toward a post-password future.


Two-Factor Authentication

Prev. Section
Case Study #1: Using Transit Encryption by Default
In Depth

Getting Internet Companies To Do The Right Thing

About this Project

Each case study is in the form of a graphical timeline that maps key developments over the years that either reflected or helped spur the growing adoption of each practice, accompanied by a prefatory narrative to introduce some basic information about the practice and the key factors that influenced its implementation over time.

Authors

Kevin Bankston was the director of New America’s Open Technology Institute, where he worked in the public interest to ensure that all communities have equitable access to an internet that is both open and secure. He previously served as OTI's policy director.

Ross Schulman was a senior counsel and senior policy technologist at New America’s Open Technology Institute.

Liz Woolery was a senior policy analyst in New America's Open Technology Institute. Her work focused on the intersection of digital free expression, privacy, and transparency.

Project Outline:

Dataset:

* If using Safari or Internet Explorer, right-click download link and select "Download Linked File"