RT Cunningham

Authentication and Encryption – Keys to the Kingdom

Authentication and encryption go together. Well, they should even when some developers don’t think it’s worth the effort. If we fail to secure something that requires it, we may as well hand over the keys to the kingdom.

Two-factor authentication and end-to-end encryption are both overkill for some applications. I’ll touch on that shortly.

Two-Factor Authentication

I’m not familiar with many two-factor authentication implementations. The most common is a password and SMS code combination. It’s fine when processing a registration or something similar, but it can become costly for the people sending the SMS messages out if it’s done frequently for logins and such.

The less expensive way is to use an authentication application on a cell phone. Google Authenticator, Authy and Duo are a few I’m familiar with. Of the three, I like Authy the best. It’s what I use, along with a password, to get access to my DigitalOcean account.

Two-factor authentication, in my opinion, is best used when applications and websites deal with money or are capable of doing a lot of damage. Your average blog or article site doesn’t need that kind of security. In those cases, frequent backups are way more important.

If you keep proper backups, you can restore a website in a matter of minutes. I keep three days of revolving backups for everything I consider important. I don’t like rebuilding anything from scratch and yes, I’ve had to do exactly that more than once.

End-to-End Encryption and Secure Email

When I wrote about getting rid of passwords, I was talking about using email to authenticate logins. My sole commenter was confused by what I wrote and thought I meant logging in with only an email address.

I don’t always explain what I mean in a way that others can comprehend. For that, I’m truly sorry. I’ll try again.

Instead of using a user name and password combination to log in, you can use a user name and email authentication combination. In some cases, the email address is the user name. After thinking about it, I don’t think using an email address as a user name is a good idea, for various reasons.

Email isn’t secure unless it’s read in one of two ways: 1) It’s read directly at an HTTPS website, or 2) It’s retrieved by an email client using TLS only. Even then, it may not be completely secure.

The only way to guarantee email can’t be intercepted and read is to use an email service that specializes in end-to-end encryption. A service like that isn’t expensive but it isn’t necessary for most people.
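As an added example (not code from the original post), here is one way to build the emailed-token login described above so that it tolerates the interception risk just raised: each token is random, kept server-side only as a hash, bound to the user who requested it, valid for a short window and usable once. The class name, the ten-minute window and the user names are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 600  # assumption: an emailed link is valid for ten minutes


class EmailLoginBroker:
    """Issues and verifies single-use login tokens that travel by email.

    Only a SHA-256 digest of each token is stored, so a copy of the
    pending-token store does not let anyone log in. The raw token exists
    only in the emailed link, which is why it is short-lived and one-shot.
    """

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._pending = {}   # token digest -> (username, expiry timestamp)
        self._ttl = ttl
        self._clock = clock  # injectable so expiry can be tested offline

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, username):
        """Create a token for `username`; the caller puts it in the email."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._pending[self._digest(token)] = (username, self._clock() + self._ttl)
        return token

    def redeem(self, username, token):
        """Return True once per token, only for the user it was issued to."""
        entry = self._pending.pop(self._digest(token), None)  # pop: single use
        if entry is None:
            return False          # unknown or already consumed
        stored_user, expiry = entry
        if self._clock() > expiry:
            return False          # a link read late is worthless
        # Constant-time compare so the user binding can't be probed by timing.
        return hmac.compare_digest(stored_user.encode("utf-8"),
                                   username.encode("utf-8"))
```

The link itself would carry both the user name and the token, and the server should send it only over the TLS-protected paths the post describes.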

The Platform Defines the Necessity for Authentication and Encryption

I’ve done quite a bit of research during the last couple of weeks. I’ve tested more than one service for authentication and more than one for encryption. While I can appreciate locking down some things, locking down other things is nothing more than a bunch of painful routines.

Cell phone applications need more security than desktop applications. Cell phones get lost or stolen far more often than desktop PCs or laptop computers. In most cases, a little common sense goes a long way.

January 31, 2018
