
Security Strategy

By Will Sturgeon

Published: Monday 24 October 2005


Name

Csaba Gabor, Ph.D.


Location

Vienna


Occupation

Web site developer


Comment

One problem with single passwords (alluded to) is that there are so many user name / password restrictions that it is virtually impossible to remember them all. For example, some require you to have a password (PIN) of exactly four digits while others require six or more, and some require at least a numeral, but no arithmetic sequence of length three. Similarly, I have not been able to use the same account name (for example, when one company manages multiple credit cards, they enforced distinct user names on me). I can't remember these without writing them down. This is a liability - and when you have millions, a liability is the same as a cost. But the cost has been offloaded to me as I am required to take whatever steps necessary to ensure that I will be authenticated. It is not unreasonable to expect a person to remember a small amount of data such as a social security number or maybe a single password. It is unreasonable to expect a person to memorize a distinct datum (user name/password) for each entity (financial institution, online account) that person interacts with.

So what is two-factor authentication? It's a more secure password. There's more to it so it's clearly more secure (password here is used in an encompassing sense; for example, a fingerprint or retinal scan or physical item are effectively passwords). When someone tells you more is better, an important question to ask is, "How much more?" Why not three or four or many more levels? When you answer that, you will have identified the cost of an extra password. I won't answer that directly, but instead leave you with a question: Just how much more are you willing to carry around?

Dr. Csaba Gabor from Vienna


