Keystone-Technologies / keystone-technologies.github.io


2FA and Oauth #33

Open s1037989 opened 8 years ago

s1037989 commented 8 years ago

Problem

2FA: Cool, right? For sure. It can be hard, though. Don't have your phone on you at the moment... You switch phones... What other 2FAs could be more practical?

Proposal

Would this be 2FA? Instead of verification of a number via some app on your phone, can you just log into two OAuths? I want to log in to keystone-it.com and I want to protect my account. keystone-it.com rightly doesn't want to be responsible for your precious password and so only offers OAuth. If someone steals your Google password, they can get into your keystone-it.com account. What if keystone-it.com required multiple OAuths: Google, Facebook, and Twitter?

Now, this doesn't do any good in the situation of a stolen device, but aside from that, is it a reasonable alternative to 2FA tokens?

If it is reasonable, is there a practical application for it? Will people say "why bother?" if we still need 2FA tokens for the stolen-device situation?

CalebAlbers commented 8 years ago

Authenticating twice does not always mean two-factor authentication. Normally, 2FA refers to utilizing two of the following items:

Unless you are authenticating with different types of factors, you aren't going to meet the definition of 2FA and won't be able to meet some compliance standards (PCI is one off the top of my head).

I might be misunderstanding, however. You are referring to logging in with a password twice, correct? There are some really cool authentication methods that involve something you know and are, for example, that might be a reasonable alternative to a token. For example, there have been studies that tracked the way that people type in their password or draw a pre-determined picture (something you know) and can analyze the speed, spacing, and pressure differences in how you type or draw to create a baseline profile for you (something you are). I actually have quite a lot of info (including papers, studies, and concepts) on stuff like that that I should post as a different suggestion.
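The two points made in this thread, that chaining several OAuth logins does not add a second factor type, and that a typing-rhythm baseline can act as a "something you are" factor, can both be shown in code. The following is an added example written for this page; it is not code from the keystone-technologies.github.io project or from either commenter. The factor mapping (`FACTOR_OF`), the enrollment timestamps, and the z-score threshold of 2.0 are all constructed assumptions for illustration, not measured data or a recommended tuning.

```python
"""Added example: factor-type check plus a toy keystroke-dynamics profile.

Assumptions (not from the original thread): each OAuth login is backed by a
password at the provider, so from the relying party's point of view it is still
"something you know"; keystroke timings are key-down timestamps in ms.
"""
from statistics import mean, pstdev

# The three factor categories used in the usual 2FA definition.
KNOW, HAVE, ARE = "something-you-know", "something-you-have", "something-you-are"

# Assumed classification of login events. Three OAuth providers all map to the
# same category, which is why "Google + Facebook + Twitter" is not 2FA.
FACTOR_OF = {
    "password": KNOW,
    "oauth:google": KNOW,
    "oauth:facebook": KNOW,
    "oauth:twitter": KNOW,
    "totp": HAVE,
    "keystroke-profile": ARE,
}


def is_two_factor(events):
    """True only if the completed events span at least two distinct factor types."""
    categories = {FACTOR_OF[event] for event in events}
    return len(categories) >= 2


def intervals(key_down_ms):
    """Flight times (ms) between consecutive key-down events of one password entry."""
    return [later - earlier for earlier, later in zip(key_down_ms, key_down_ms[1:])]


def build_profile(enrollment_samples):
    """Per-interval (mean, std) baseline from several typings of the same password.

    The std is floored at 1 ms so a perfectly consistent interval cannot divide by zero.
    """
    columns = list(zip(*[intervals(sample) for sample in enrollment_samples]))
    return [(mean(col), max(pstdev(col), 1.0)) for col in columns]


def profile_score(profile, attempt):
    """Mean absolute z-score of an attempt against the baseline; lower is closer."""
    observed = intervals(attempt)
    if len(observed) != len(profile):
        raise ValueError("attempt length does not match enrolled password length")
    return mean(abs(x - m) / s for x, (m, s) in zip(observed, profile))


def matches_profile(profile, attempt, threshold=2.0):
    """Accept the attempt as the enrolled user if it is within `threshold` z-scores."""
    return profile_score(profile, attempt) <= threshold


# Constructed enrollment data: four typings of an 8-character password by one user.
ENROLLMENT = [
    [0, 120, 215, 395, 505, 645, 735, 935],
    [0, 125, 215, 400, 505, 650, 745, 940],
    [0, 115, 215, 390, 505, 640, 725, 930],
    [0, 122, 215, 397, 505, 647, 739, 937],
]
# Constructed attempts: the same user again, and an impostor who knows the
# password but types it with a flat, uniform rhythm.
GENUINE_ATTEMPT = [0, 118, 214, 397, 509, 647, 738, 939]
IMPOSTOR_ATTEMPT = [0, 150, 300, 450, 600, 750, 900, 1050]


def demo():
    """Run both checks and return the decisions for inspection."""
    profile = build_profile(ENROLLMENT)
    return {
        "three_oauths_is_2fa": is_two_factor(["oauth:google", "oauth:facebook", "oauth:twitter"]),
        "password_plus_totp_is_2fa": is_two_factor(["password", "totp"]),
        "oauth_plus_keystroke_is_2fa": is_two_factor(["oauth:google", "keystroke-profile"]),
        "genuine_accepted": matches_profile(profile, GENUINE_ATTEMPT),
        "impostor_accepted": matches_profile(profile, IMPOSTOR_ATTEMPT),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The keystroke part is deliberately a toy: a real deployment would use far more enrollment samples, hold-times as well as flight-times, and a threshold chosen from measured false-accept and false-reject rates, since a behavioural factor is probabilistic and a stolen device plus a recorded typing pattern still defeats it.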