Iris Classon
Iris Classon - In Love with Code

Stupid Question 74: What is two-factor authentication?

[To celebrate my first year of programming I will ask a ‘stupid’ question daily on my blog for a year, to make sure I learn at least 365 new things during my second year as a developer]


This came up when a dev asked on Twitter why Twitter doesn’t have two-factor authentication. Since a Twitter account is used to log in to quite a few apps, it really should be more secure.
The dev was not the only one curious about that; many joined the conversation, and I even found somebody who had asked this on Quora:
Twitter: Why doesn’t Twitter offer two-factor authentication?

But what is two-factor authentication anyway?

Two-factor authentication is a way to authenticate using two or more out of three authentication factors. Each additional factor is considered to increase the likelihood that the user is indeed who he/she claims to be (proving identity). Using several versions of one factor is not considered true multifactor authentication (two-factor authentication). The three factors are:
A knowledge factor
  • something the user knows
    Examples: password, security questions, username/email address etc.

A possession factor
  • something the user has
    Examples: tokens (mini-device tokens), magnetic stripe cards, soft tokens (SSL certificate), mobile phone (sms, NFC, apps, signatures), smart cards

An inherence factor
  • something the user is
    Examples: iris scan, fingerprint, voiceprint
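
The Python below applies the rule above to a login: each piece of evidence is verified, mapped to its factor category, and the login counts as two-factor only if two different categories are proven, so password plus security answer still counts as one factor. This is an added example, not code from the original post; it assumes TOTP (RFC 6238, the scheme used by phone authenticator apps) as the possession factor, and the account record, function names and values are constructed for illustration.

```python
import hashlib, hmac, struct, time

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1 variant)."""
    counter = struct.pack(">Q", max(int(at), 0) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def kdf(secret_text: str, salt: bytes) -> bytes:
    """Slow salted hash so stored knowledge factors are not kept in clear."""
    return hashlib.pbkdf2_hmac("sha256", secret_text.encode(), salt, 100_000)

# Constructed account record; every value here is made up for the example.
SALT = b"constructed-salt"                       # a real system uses a random salt per user
USER = {
    "password": kdf("correct horse", SALT),
    "security_answer": kdf("fluffy", SALT),
    "totp_secret": b"12345678901234567890",      # shared with the user's phone app
}
# Which factor category each kind of evidence belongs to.
CATEGORY = {"password": "knowledge", "security_answer": "knowledge", "totp": "possession"}

def check(user: dict, kind: str, value: str, now: float) -> bool:
    """Verify one piece of evidence with a constant-time comparison."""
    if kind == "totp":
        # Accept the current and the previous 30 s step to tolerate clock drift.
        return any(hmac.compare_digest(value.encode(),
                                       totp(user["totp_secret"], now - d).encode())
                   for d in (0, 30))
    return hmac.compare_digest(kdf(value, SALT), user[kind])

def verified_factors(user: dict, presented: dict, now: float) -> set:
    """Categories proven by the presented evidence; duplicates collapse."""
    return {CATEGORY[k] for k, v in presented.items()
            if k in CATEGORY and check(user, k, v, now)}

def is_two_factor(user: dict, presented: dict, now: float = None) -> bool:
    """True only when at least two *different* factor categories are proven."""
    now = time.time() if now is None else now
    return len(verified_factors(user, presented, now)) >= 2
```
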


11/10/2012 9:11:25 AM
I think the Twitter tech architect who made this decision probably hedged the significance of a user profile's security with the ease of service access. If a token is erased from a mobile phone or desktop browser, the user is faced with the annoying user experience task of re-authentication. This may subconsciously deter the user from using the service in general over time.

4/9/2013 11:05:10 AM
Thank you for this. I've been swamped last few weeks, have read this over and over, just haven't had time to look into it. Thanks for bubbling the essence of this for us.

Last modified on 2012-11-04