Two-Factor Is Too Hard? It Needn't Be

Neil J. Rubenking, Principal Writer, Security

One problem with passwords for security is that the bad guys can guess simple passwords, yet the good guys can't remember strong passwords. You can solve that one by installing and using a password manager. The other problem is worse, in a way. Anybody who knows your password, no matter who or where they are, can use it to unlock your account. Two-factor authentication is the vaunted solution to the second problem…but there's a new problem.

Two-Factor Is Too Hard
The important thing about two-factor authentication is that it buttresses the password (something you know) with biometric technology (something you are) or some kind of device-based solution (something you have). So far, though, many two-factor solutions are just enough trouble that users reject them.

Biometric implementations typically take the form of fingerprint authentication. First, that means they're only good for devices that include a fingerprint reader. Second, you typically need to enroll multiple fingers on each device where you'll be authenticating. Don't get me wrong, biometrics can be great. Touch ID is one of the best things about my iPhone 6, but it doesn't help me on other devices.

Google Authenticator, Twilio Authy, and various SMS-based solutions make your smartphone part of the login experience. After entering your password, you receive a notification containing a one-time code to complete the authentication process. Right. So, enter the password, dredge your phone out of pocket or purse, peer at it while entering the code (hurry; those codes are only good for a short while). That's not a smooth experience.

You authenticate with the FIDO 2FA Security Key by inserting it in the USB port and touching its button. Here again, you have to drag the device out of wherever you keep it and stick it in the port. Oh, and if the device you're using doesn't support USB? Oops.

A New Simplicity
Couldn't it be easier than that? Couldn't your possession of the smartphone be considered enough? The folks behind the Keeper Password Manager think so. Just released, the new Keeper DNA authentication system requires just a tap. You'll still have to whip out your smartphone, but you no longer need to poke at the keys to enter a code. And those using the Apple Watch can authenticate with a twist of the wrist and a tap.

Not to be left behind, Twilio has just announced Authy OneTouch, which works just like Keeper DNA and also supports the Apple Watch. It will be a little while before app vendors and websites actually implement Authy OneTouch, but the company is confident that it will "soon become the standard for push authentication everywhere."

Everybody wants their privacy and security protected, but nobody wants to spend a lot of time and effort. Any time a security solution introduces extra steps or other sorts of "friction," users will reject it. I'm impressed by the streamlined new approach taken by Keeper and Authy; I hope other vendors keep simplicity in mind.
