2-Factor Security!

Two-Factor authentication. Do you use it? A lot of IT professionals don’t use either:

  1. A password manager, nor
  2. 2-factor authentication.

It’s surprising to me because 2-factor authentication is becoming more and more widely implemented for web services. Banks in the UK consistently use multi-factor authentication. Most consumers will have already experienced 2-factor (or multi-factor) authentication. Facebook, Google, LinkedIn, Twitter, all offer 2-factor processes.

Multi-factor authentication is just a fancy word for a login process that asks you for more than a password alone.

Something in your head, and something in your hand
Multi-factor merely means more than a password. Sources: http://tinyurl.com/zn5l3ej http://tinyurl.com/gphmv4k

It is widely recognised that a password is pretty weak. We all abuse passwords, and it is pretty easy to capture another person’s password. For years and years, security researchers have been trying to strengthen online verification processes. Multi-factor is something that has emerged as a practical measure to improve your online resiliency. Emphasis on the word **practical**.

Multi-factor (2-factor, 3-factor, 4-factor…n-factor) authentication provides you with an extra layer of protection on top of password protection that puts multiple layers of access control around your account.

For instance, with 2-factor access enabled on Twitter, when you sign in from a new device, Twitter asks for:

  1. Your password, and
  2. The code (6 digits?) they text to your phone.

An attacker needs to have your password and your phone to get into your Twitter account. It isn’t impossible to get both, but as you add more layers (multi-factor == n-factor authentication), it becomes progressively more difficult for you to lose control over your account.

The time investment to get set up with usable 2-factor authentication isn’t much. Just poke around the Account or Security section of a website, and you’ll often find that you can enable 2-factor.

OK…so Donal, it seems like an O.K. idea, but I’m lazy…

Sure, me too.

Practical tips

  1. Strengthen your passwords by using a password manager. You want a manager that is available on all your devices. I recommend Lastpass.com.
  2. Focus on enabling 2-factor authentication on websites that are important. Social media platforms, email accounts, password managers. (Physical devices, like your laptop, can also have more than a password.)
  3. Use Authy. This little device can store all those separate 2-factor tokens in one place. It’s like a password manager, except it is for 2-factor authentication.


Give me a little more…

Infographic on the four common types of authentication. Something you have, something you know, and biometrics

The weird world of computers and law

Surely computer programming and law are totally different, right?

I studied Law as an undergraduate, but I learned to program and I recently perked onto the growing field of legal informatics. A lot of people think it is strange that I studied both Law and Computers. But, it is a growing area of interest, and it has been for a long time. At least for 300 years or more, according to Stephen Wolfram. And, as far as I can tell, Law and Programming are very similar. They both use a system of logical rules to define a problem space. But whilst computer programs are normally written to produce very exact answers, legal problems often do not yet have a certain answer.

Is it coming?
The end of lawyers?

Describe the legal informatics paradox

Shortly put, legal informatics combines computer science and legal theory. It has been around for a long time. And there is a trend, though I don’t know how popular, to call Law ‘legal science’. But, legal systems are very different from scientific systems. Legal thought and scientific thought are quite separate. If you go to Law School, you’ll learn about qualitative principles like ‘justice’ or ‘fairness’ or ‘certainty’ that animate the Law (if you are lucky). Lawyers tend to use these hard-to-define, abstract concepts to build their argument, and then they try to prove a series of value judgments about when one principle, such as fairness, might be sacrificed for another principle, such as certainty.

If you know how computer programs work, then there isn’t a clear way they can apply to problems within the legal domain. Computers are really good at things like counting, 1+2=3. These problems are certain to define and easy to represent in a mechanical sense, so we can then solve them with an algorithm. Most computer languages would be totally useless for dealing with legal problems.

Really quick example of how all legal thought operates

Just a quick, stupid and inaccurate example to make my meaning clearer. If you are a local council (LC) and you buy thousands of faulty wheelie bins from Useless Bin Maker Ltd (UBM), and the manufacturing error only emerges eight years later, the Law provides for a general rule requiring the Council to seek damages within 6 years of the date the bins were delivered. It would benefit the LC if there was no limitation period at all. (Their lawyer might argue this is ‘fairer’.) But, this would disadvantage UBM. (Their lawyer might argue this promotes ‘certainty’.) As it stands, because this is a latent defect, LC can make a claim within 3 years of discovering the manufacturing fault, up to a maximum of 15 years thanks to the Latent Damage Act 1986 that modifies the standard position under the Limitation Act 1980. Here is a more detailed article explaining the limitation rules for contracts in England.

Legal thought is all about modifying and augmenting the rules of the system in response to new facts that call for a slightly different compromise between the motivating principles. It is a ‘normative’ exercise. Normative, according to Wikipedia, means “relating to an ideal standard or model, or being based on the normal or correct way of doing something”.

Future posts

In some future posts, I’ll begin to talk about how people are trying to solve this legal informatics paradox, as Computer Scientists and programmers try to marry Law and Computation.