How Two Factor Authentication should change in the future using mobile phone
This is my 50 cent suggestion of how two factor authentication should change in the future. With an increase in sites adopting them, you will end up having an average of more than 20 different two factor authentication codes in your mobile.
Two Factor Authentication codes via SMS are just optional and purely dependent on your mobile network availability; I don't prefer receiving SMS codes for each of my sessions. The best so far is the Google Authenticator tool, which is available cross-platform on all mobile operating systems. So like an RSA key, the Authenticator tool can generate the codes offline and does not require a data connection.
So what is going to happen in the future?
I have 5 accounts linked with my Google Authenticator, which include my two Google accounts, DreamHost, LastPass and Dropbox. Evernote and LinkedIn have introduced two factor authentication and they are going to be in the queue for me.
There's no doubt that I will end up having a minimum of 30 accounts very soon, and the current Google Authenticator tool will let me scroll to search for my code among these 30 accounts. By the time I locate the right account and enter the code, the time expires and the code changes. So in terms of usability, a change is necessary.
So here is my proposal (sorry if it sounds dumb)
Instead of entering the code manually for every account, each account added in Google Authenticator should have a unique callback URL, or Google should provide a push service which securely allows third party services to send a request to the Google Authenticator client on our mobile.
Update: After having a discussion with my friend Srinivasan Annamalai, one of my Technology Evangelists, we concluded a few things for better security and also in terms of usability: Google should provide a service to third party services which gives permission only to trigger an action to generate the secure code associated with the concerned account and pop it up on the user's mobile screen (an on-demand action).
So the next time you want to log in using two step authentication, all you have to do is take your mobile, fire up the app and wait for a request made by your service provider to Google; the app will generate the code and pop it up. So you enter it. That's it. Tada!
This way you can manage N number of two factor accounts using a single authenticator application…
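A sketch of the on-demand flow proposed above, added here as an example (it is not code from this post, and Google offers no such trigger service): the service's trigger names only the account, the phone computes the code locally, and the user still types it in. The codes are standard RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits), which is what Google Authenticator generates. The `Authenticator` class, `on_trigger`, `server_verify`, the account names and the secrets are hypothetical or constructed, and the push channel itself is not modelled.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds each code stays valid


def totp(secret: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, computed offline from secret and clock."""
    counter = struct.pack(">Q", int(now) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Authenticator:
    """Hypothetical phone app holding one shared secret per enrolled account."""

    def __init__(self, secrets_by_account):
        self._secrets = dict(secrets_by_account)

    def on_trigger(self, account_id: str, now: float):
        """Handle a 'show code' trigger that carries only an account id.

        The code is computed on the phone and returned for display together
        with the seconds left in the step; nothing goes back to the caller.
        """
        secret = self._secrets.get(account_id)
        if secret is None:
            return None  # trigger for an account that is not enrolled: ignore
        return totp(secret, now), STEP - int(now) % STEP


def server_verify(secret: bytes, submitted: str, now: float, drift_steps: int = 1) -> bool:
    """Service-side check that accepts adjacent steps to absorb slow typing."""
    return any(
        hmac.compare_digest(totp(secret, now + i * STEP), submitted)
        for i in range(-drift_steps, drift_steps + 1)
    )


# Constructed sample data; the first secret is the RFC 6238 SHA-1 test key.
ACCOUNTS = {"dropbox": b"12345678901234567890", "lastpass": b"constructed-secret-2"}

if __name__ == "__main__":
    app = Authenticator(ACCOUNTS)
    print(app.on_trigger("dropbox", now=59))  # trigger names the Dropbox account
```

Because the trigger never carries or returns the code, a forged trigger can at most make a code appear on the owner's screen; the shared secret and the code stay on the phone.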