Two Factor Authentication a Pain
Dear Ms. Smartphone: I took your class and try to be mindful about using my phone, so I often choose to work on my laptop computer. And I try to keep it secure. The problem is that many of the web sites I go to on my laptop require two-factor authentication and it’s a pain. So, I need my phone nearby in order to get this login code. Seems like I am back to keeping my phone right by my side and don’t have deep work time away from it. Pete, San Rafael
Dear Pete: Yes! Both security and mindfulness need to work side by side when we use technology. Sometimes they gently compete with each other. It’s particularly hard to avoid that with two-factor authentication (2FA). Secure organizations used to give their employees and interns fobs that contained a unique signature. Others required those annoying ‘captchas.’ Now that smartphones are ubiquitous, the six-digit authentication code seems here to stay, at least for a while. Two-factor authentication is a pain, but a necessary one.
The external fob and its alternative, sending you an authentication code, describe two of the four ways that a web site can vet you. The first is to require something you know (your login name and password) and the second, something you have (the fob or a one-time number code). Other ways to authenticate you are with biometrics (e.g., an iris scan, a fingerprint) or by exact location (through GPS). Things may change in a few years, but for now most banks and secure sites rely on the 2FA code.
7 Plus or Minus 2!
Perhaps you occasionally receive five-digit codes, and occasionally a seven-digit one. Never longer. There is a science behind this. In 1956, before the computer age, a psychologist named George Miller wrote a seminal paper called “The Magic Number of Seven Plus or Minus Two.” Through extensive testing he discovered that humans could easily remember just 5 to 9 numbers at a time. His discovery focused on two conditions: how the brain responds to multiple stimuli at the same time, and the capacity of working memory. In the same paper Miller writes about overcoming bottlenecks by chunking data. Seven, plus or minus two, is the magic number.
Here’s a ‘Smartphone’ aside: It’s a nice coincidence that Bell telephone numbers in the nineteen fifties were just seven digits long. People didn’t need to add the three-digit area code to their local calls. For long distance calls they looked up the area code. Perhaps that explains why we can’t remember our own phone number, or anyone else’s, today! Adding the three-digit area code (7+3) stresses our working memory!
In the future, the authentication code you receive on your phone will probably be replaced by more modern tech, for example, biometrics that recognize your speech patterns or, say, the way you text and use the keyboard. I have always been intrigued by whether the bad guys in movies who want to get access to a sizeable bank account or a golden safe deposit box just need to possess the good guy’s phone to gain entry. Again, this is Hollywood: they kidnap the wealthy victim, cut off the index finger, possess the phone, and gain the authentication codes to swipe into the financial system. While there is mention of a fairly wicked plot in 2017 in which a German company, Telefonica, was spoofed, you will be glad to know that finger cutting is a dead-end (literally). The finger must show a pulse and other activity to pass through the biometric measures.
For the time being, there is not a clear way to get around two-factor authentication, unless you “trust” the site, as you mentioned. That could open up other vulnerabilities. So, if you are doing deep work and trying to concentrate, perhaps rearrange your work time so that you request these two-factor authentications at a certain time of the day. And, after they are received, turn off notifications on your phone. Otherwise, the mere presence of the phone may distract you, remind you of outside things, and cut into the quality of your work time.