two factor authentication : Java Glossary


two factor authentication

TFA (Two Factor Authentication) is an additional wrinkle to improve security over ordinary passwords. It is an optional security feature for Yahoo mail or GMail web mail. In addition to asking for your password, it requires something else, such as a mobile device, hardware token or smart card, for something you have. Biometric data, such as fingerprints, for something you are, is also an option. One implementation gives a false sense of security from its James Bondian flavour. You have a fob on your keychain, sometimes called a token, that displays a number that changes every minute to a different random-looking value. It is keyed off an internal clock and a pseudorandom number generator. When you log in, you have to give both your password and the current number on the fob.

The advantage is, if someone guesses your password, or steals your fob, but not both, they cannot login.

Online services like Google, Facebook, LastPass, Amazon, Twitter, Apple… make the use of such a device optional. However, you mainly want the extra security on financial sites like banks, credit unions, credit cards and PayPal, most of which do not yet support it.

The Achilles heel of this scheme is that the server must protect secrets about both your password and the token. Hackers love stealing such secrets. If they break in, they crack both schemes.
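To make the fob scheme and its Achilles heel concrete, here is an added example (not code from the glossary) of the standard TOTP algorithm from RFC 6238, which the clock-keyed fob described above resembles, plus the server-side login check that needs both factors. It assumes a 60-second step to match the text; the seed, salt and password are constructed demo values.

```python
import hmac
import hashlib
import struct

# Constructed demo values: per-user secret provisioned into the fob and
# stored on the server, plus a password salt. Not real credentials.
DEMO_SEED = b"12345678901234567890"
DEMO_SALT = b"constructed-salt"

def totp(seed: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1. The fob and the server both run this;
    the only shared state is the seed and a roughly synchronised clock."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify(seed: bytes, submitted: str, unix_time: int,
           step: int = 60, skew_steps: int = 1) -> bool:
    """Server-side check of the second factor. Accepts the current code and
    +/- skew_steps neighbours to tolerate clock drift; constant-time compare."""
    for delta in range(-skew_steps, skew_steps + 1):
        expected = totp(seed, unix_time + delta * step, step)
        if hmac.compare_digest(expected, submitted):
            return True
    return False

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# What the server has to keep per user: a password verifier AND the token seed.
DEMO_RECORD = {"salt": DEMO_SALT,
               "pw_hash": hash_password("correct horse", DEMO_SALT),
               "seed": DEMO_SEED}

def login(record: dict, password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass. The seed sits in the record in the clear, so a
    copy of the user database hands a thief the second factor as well."""
    pw_ok = hmac.compare_digest(hash_password(password, record["salt"]),
                                record["pw_hash"])
    return pw_ok and verify(record["seed"], code, unix_time)

if __name__ == "__main__":
    now = 1_700_000_000                             # fixed clock for a repeatable demo
    print("fob shows", totp(DEMO_SEED, now))
    print("login ok:", login(DEMO_RECORD, "correct horse", totp(DEMO_SEED, now), now))
```

The password is only stored as a salted hash, but the TOTP seed cannot be hashed because the server must recompute the code from it, which is exactly the secret the text warns about.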

Digital Certificates

The solution is to use a scheme that does not require the server to guard any secrets. The US military has long used such a certificate-based scheme, the CAC (Common Access Card). It is not rocket science. It is immune to hacking since there are no secrets to hack. Industry persists in using buggy-whip-era password authentication.

Certificates are amazing. A single card can act as ID, driver’s licence, passport, credit card, debit card, library card, all your passwords, emergency medical records… Perhaps that potential power is what scares people away from them.


Until we have certificates:

Canadian Mind Products
Contact Roedy. Please feel free to link to this page without explicit permission.