Tumblr has today announced a new feature, which I would urge all users to consider enabling.
You know how you need two keys to launch a nuclear missile? Two-factor authentication works like that. One key is your password, the other key is your cellular phone, and you need both to access your Tumblr Dashboard.
If you enable the feature, then you’ll not only need your username and password to log into Tumblr. You’ll also need a one-time authentication code that will be accessible via your mobile phone. In short, the bad guys won’t just need your username and password, they’ll also need that code (or physical access to your phone).
In a world where it’s not at all unusual for users to be careless with their password security, two-factor authentication (often shortened to “2FA”) makes a lot of sense.
Of course, 2FA doesn’t mean you can be any less diligent about checking you’re not entering your password on a phishing site, or about using different passwords for different accounts, but it is an additional layer of protection that makes life much harder for criminals trying to gain access to your account.
It’s good to see Tumblr introducing this feature. Let’s hope that more and more sites adopt similar security in future.
I can see two issues with this 2FA solution already. One is that it's an in-band solution, which is vulnerable to man-in-the-middle attacks. Any time you have to type an extra code back into the browser you are using, it is in-band. The only way around MITM is an out-of-band solution that pushes the extra step to an outside device like your phone. The second problem with this solution is the usability. This sounds just like Google Authenticator, and many people, including myself, say that they turn it off because it's annoying to use. Tumblr should adopt a different version of 2FA in order for it to be successful with its users. I found an awesome 2FA solution through my LastPass account called Toopher. It's the only 2FA solution I have found that seems to do it right. Toopher has an automation feature that uses the location awareness of your smartphone to authenticate, which allows the user's process to be uninterrupted. I wish that Tumblr had enabled Toopher on their site instead of trying to build up yet another annoying 2FA solution.
From what I can see, it could be argued that it is out of band. The UNP is entered via the browser, the OTP is delivered via the mobile network. However, like a lot of these 2FA solutions, the weakness comes from the fact that you are just returning something that has been sent to you as an SMS or Tweet. If you have keylogged or social engineered the UNP, you just need access to the person's mobile phone, which is relatively easy in an office environment. The only solution that makes the user do something else is Swivel's PINsafe, which makes you extract the OTP from the code that is sent using a fixed PIN. It takes a couple of seconds and means that even if the hacker has the UNP and the phone, it is no use to them. It is also immune to MITM since the OTP changes every time. BTW: 2FA using a mobile phone has been around for over 10 years, so nothing new here.