Living the Two Factor Life

One of the things I feel like I contribute to the world as a blogger is to test out tools and techniques that are still pretty new, but that I feel like everyone will be using in time. I suggest that two factor authentication is one of those things.

Quickly, the idea here is that in order to have a secure online life, there needs to be two separate keys: a thing you know – a password or passphrase, and a thing you have – a hardware token or, more recently, your phone.

I decided to go all in and turn on two-factor auth everywhere that offered it.

  • My bank and Paypal. These two send SMS messages to my phone with a code. Works pretty seamlessly except the other day I really needed access to Paypal and the message took over 30 minutes to arrive.
  • Gmail. I have a personal account and a business account. Jeff Atwood has instructions on how to set this up here: Google uses SMS codes for this too, but the catch is that it also means that every touch point to your account that doesn’t support two-factor directly needs to have a custom password generated via the pages. Once you wrap your head around the idea, it is pretty easy, but if you have multiple computers it will take a little while to get them all hooked up.
  • Lastpass. I’ve been a proponent of Lastpass for a long time and they even offer multiple methods of achieving two-factor auth. I opted for Google Authenticator which is an iphone app that spits out a 6 digit code every minute or so. This is similar to the RSA keys that you might have seen in the enterprise world. Of all the tools I use, I’ve found this to be the easiest to use.
  • Duo Security. I’m trying this out on my Windows laptop. It installs at a pretty low level and requires a code at login. They too offer multiple methods including a system that calls your phone and you have to hit #. I use the iphone app method called Duo Mobile. So far, this one has caused me the most headaches. My wife has an account on this same computer and she was unable to log in at all even with the app installed and configured. It also seems to require an internet connection, so in theory bypassing the check would just be as simple as flicking off the hardware wifi switch. But all that aside, this is the future and these guys seem like they are in the lead to make this happen. These troubles are just the price I pay for being an early adopter.

My advice would be to set up Lastpass (right now!), choose a good pass phrase and enable two factor auth using the Google Authenticator. Once you’ve done that you can change your passwords across the web using the Lastpass auto generator tool and that is going to get you 95% of the security anyone would need.


Setting expectations with design the bad way.

Wired has a nice article about Uber in this month’s issue and in it they mention GetAround which is a peer to peer car lending service. I’m looking to rent a car for the month of August and I thought to myself, “Hey, someone who goes on vacation for the month of August might leave their car behind and might want to rent it out” so I checkout the site.

I fire up the site and am greeted with a classic example of 2012 modern elegant web design. Every pixel is placed according to a designer’s eye and the whole thing exudes confidence in the product.

Which is bad.

Nowhere on the site does it say “this site is brand new and to be honest, we don’t really have a lot of cars available yet, but if you like this idea, join the site, give us feedback and be part of the community”. Which is what it should say.

Type in 10036 for New York, NY and you get zero cars. Okay, maybe Manhattan is too car hostile, let’s try a random town in New Jersey – the most densely populated state in the nation FWIW and you get zero cars. 

Crunchbase says Getaround raised $5.13M in seed funding and I understand they need to spend that money quickly if they are going to impress those investors and fend off competitors, but there is a fundamental disconnect at play here.

I’m not picking on these guys, I had the same reaction with Foodspotting.

I wanted to love Foodspotting and the design drew me in right away when they first launched. My last startup was focused on reviews and I am a little obsessed with the idea of doing per-dish reviews. The problem is that as soon as you set the expectation that the site is executed flawlessly and professionally, as soon as the user encounters a bug, something that hasn’t been thought through properly or just a lack of user traction there is a huge disconnect and I believe that is harmful to the site’s prospects.

It is easy to find counter examples. Take a look at Twitter in 2006:

source: How 20 popular websites looked when they launched

Imagine if Twitter launched instead with what they have now and featured language like “Twitter lends itself to cause and action. Every day, we are inspired by stories of people using Twitter to help make the world a better place in unexpected ways.” and you went on and it was just Ev and Biz talking about the weather in San Francisco.