
Authentication and Encryption – Keys to the Kingdom

Authentication and encryption go together, or at least they should, even when some developers don’t think it’s worth the effort. If we fail to secure something that requires it, we may as well hand over the keys to the kingdom.

Two-factor authentication and end-to-end encryption are both overkill for some applications. I’ll touch on that shortly.

Two-Factor Authentication

I’m not familiar with many two-factor authentication implementations. The most common is a password and SMS code combination. It’s fine when confirming a registration or something similar, but it can become costly for whoever sends the SMS messages if it’s done for every login. Cost isn’t the only drawback: an SMS code is delivered to a phone number rather than to a device, so anyone who talks the carrier into moving that number to a new SIM receives the code instead of the account holder.

The less expensive way is to use an authenticator application on a cell phone. The app and the website share a secret at enrolment (usually scanned from a QR code), and each side computes the same six-digit, time-based one-time password (TOTP, RFC 6238) from it, so nothing has to be sent per login. Google Authenticator, Authy and Duo are a few I’m familiar with. Of the three, I like Authy the best. It’s what I use, along with a password, to get access to my DigitalOcean account.

Two-factor authentication, in my opinion, is best used when applications and websites deal with money or are capable of doing a lot of damage. Your average blog or article site doesn’t need that kind of security. In those cases, frequent backups are way more important.

If you keep proper backups, you can restore a website in a matter of minutes. I keep three days of rotating backups for everything I consider important. I don’t like rebuilding anything from scratch and yes, I’ve had to do exactly that more than once.



End-to-End Encryption and Secure Email

When I wrote about getting rid of passwords, I was talking about using email to authenticate logins. My sole commenter was confused by what I wrote and thought I meant logging in with only an email address.

I don’t always explain what I mean in a way that others can comprehend. For that, I’m truly sorry. I’ll try again.

Instead of a user name and password combination, you can log in with a user name and a one-time link or code that the site emails to the address on file. Whoever can read that mailbox can log in, so the mailbox itself becomes the credential. In some cases, the email address is the user name. After thinking about it, I don’t think using an email address as a user name is a good idea, for various reasons.
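The email login described above only works if the emailed link is random, short-lived and good for exactly one use. Here is an added example of the server side of that (not code from this article or from any particular site): the token comes from the operating system’s CSPRNG, only its SHA-256 fingerprint is stored so a leaked copy of the table yields nothing usable, and redeeming removes the record so a forwarded or intercepted message can’t be replayed. The fifteen-minute lifetime and the login URL are made-up values for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

# Hypothetical policy values for this example.
LINK_TTL_SECONDS = 15 * 60                    # a link is good for fifteen minutes
LOGIN_URL = "https://example.invalid/login"   # placeholder endpoint, not a real site


@dataclass
class PendingLink:
    username: str
    expires_at: float


def _fingerprint(token: str) -> str:
    # Store a hash of the token, never the token itself: a leaked copy of the
    # pending table should not hand out working login links.
    return hashlib.sha256(token.encode()).hexdigest()


def login_url(token: str) -> str:
    """The URL placed in the e-mail. Whoever can read the mailbox can use it,
    which is why the link must expire quickly and work only once."""
    return f"{LOGIN_URL}?token={token}"


class MagicLinkStore:
    """Issues and redeems one-time e-mail login links.

    The store maps a token fingerprint to the user name it was issued for; the
    caller looks up the user's e-mail address separately and sends the link.
    """

    def __init__(self):
        self._pending = {}  # token fingerprint -> PendingLink

    def issue(self, username: str, now=None) -> str:
        """Create a fresh 256-bit token for `username` and return it."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._pending[_fingerprint(token)] = PendingLink(username, now + LINK_TTL_SECONDS)
        return token

    def redeem(self, token: str, now=None):
        """Return the user name for a valid token, or None.

        pop() removes the record whether or not it has expired, so a token can
        never be presented twice, and an expired one is dropped on sight."""
        now = time.time() if now is None else now
        record = self._pending.pop(_fingerprint(token), None)
        if record is None or now > record.expires_at:
            return None
        return record.username

    def purge_expired(self, now=None) -> int:
        """Drop links that were never clicked; returns how many were removed."""
        now = time.time() if now is None else now
        stale = [fp for fp, rec in self._pending.items() if now > rec.expires_at]
        for fp in stale:
            del self._pending[fp]
        return len(stale)


if __name__ == "__main__":
    store = MagicLinkStore()
    token = store.issue("alice")
    print("mail this:", login_url(token))
    print("redeemed as:", store.redeem(token))
    print("second attempt:", store.redeem(token))
```

Two things the code deliberately does not do are worth noting: it never tells the requester whether the address exists (the page that sends the link should say “if that account exists, a link is on its way” either way), and it never accepts the token from anything but the link itself, so a code typed over the phone to a “support agent” is useless.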

Email isn’t protected in transit unless it’s handled in one of two ways: 1) it’s read directly at an HTTPS website, or 2) it’s retrieved by an email client that is configured to use TLS only. Even then, that only covers the hop between you and your provider. The message still sits in plain text on the provider’s servers, and delivery between mail servers relies on STARTTLS, which a sending server may silently skip if the receiving server doesn’t offer it.

The only way to guarantee the content can’t be read along the way, including by the providers themselves, is end-to-end encryption, whether through an email service that specializes in it or by encrypting messages yourself with OpenPGP or S/MIME. A service like that isn’t expensive, but it isn’t necessary for most people.

The Platform Defines the Necessity for Authentication and Encryption

I’ve done quite a bit of research during the last couple of weeks. I’ve tested more than one service for authentication and more than one for encryption. While I can appreciate locking down some things, locking down other things is nothing more than a bunch of painful routines.

Cell phone applications need more security than desktop applications. Cell phones get lost or stolen far more often than desktop PCs or laptop computers, so anything on the phone that stays logged in should assume the device will end up in someone else’s hands. In most cases, a little common sense goes a long way.

By:
January 31, 2018

Categories:
Technology


Comments:


Gentleman Jack Darby – January 31, 2018

I think using an e-mail address as a userid, while maybe not optimal, is probably fine in the real world since e-mail addresses are easily remembered and most e-mail addresses are longer than the userids most people would choose on their own, which gives the advantage of being more difficult for the bad guys to guess.

Of course, a userid is only one part of one’s credentials and if one chooses a strong password and uses two-factor authentication when available, the fact that one’s e-mail address might be “public” and might possibly be “well-known” doesn’t make one’s credentials significantly weaker.

And it’s always possible, if one so chooses and doesn’t mind a little more effort, to use a service such as “spamgourmet” to completely hide one’s e-mail address.

One of the reasons that I’d like to see everyone use end-to-end encrypted e-mail is that, unlike too many people, I don’t believe in the notion that “it’s fine if my e-mail isn’t encrypted since I’ve got nothing to hide”. That’s the sort of thinking that contributes to the continued erosion of personal liberty.

One other reason is that if everyone used end-to-end encrypted e-mail, the effort the bad guys would have to expend to get a drop of useful information from a sea of (encrypted) data would grow to the point that most of what the bad guys do would be fruitless and harmless.

End-to-end encrypted e-mail would also save end users from themselves; it’s amazing what I’ve seen in end users’ e-mail while troubleshooting e-mail problems and that’s within a business e-mail system. I shudder to think what users are sending through their personal e-mail services.

I agree that there are end-to-end encrypted e-mail services that aren’t expensive, but I doubt that they will ever be used by most people simply because most people absolutely refuse to pay for e-mail – they honestly believe that e-mail should be free and don’t mind giving up their personal information and dealing with ads to keep it that way.

RT Cunningham – January 31, 2018

You can get end-to-end encryption for free, but it’s tedious to use any implementation that requires extra clicks. A Chrome extension adds E2EE to Gmail. Recipients have to obtain your public key and it’s a slow process all around.

I don’t have private conversations through email anymore, so I’m not worried about encryption. If I can finish something I’m working on, other people won’t either.

RTCX established February 28, 2011