Q: May I ask why you advise *not* using two-factor identification? There are a very large number of ways of implementing two-factor. Do you mean a specific implementation, or are you opposed to two-factor in general? I don’t necessarily disagree, but I don’t understand. Curious…
A: Jason, very good question! I am wondering why nobody asked it before? The first reason: a password gives you an excellent level of security, if the system is configured to delay more and more after every attempt to log in with a wrong password. There is no possibility of guessing the password in a reasonable time. But mass service suppliers (Google etc.) do not use this feature. Why? Interesting question. I configure my systems to block the IP after 4 unsuccessful attempts.
The second reason. The only available second factor («what I have») is the mobile phone. But mobile identification makes security weaker — a lot of fraud cases show us that it is very easy to cheat the mobile provider into issuing a new SIM card, then force the user to disclose the password. Why have all US mass service providers made so-called «two-factor identification» obligatory? Just to simplify spying on you. Now you cannot create a fake account and use it. Every user must be accounted for in the US control system.
The third argument is that some mass providers really use three-factor identification. For example, the Gmail service controls your equipment (computer fingerprints) — it is the 3rd factor «what I am»; as well, it controls your geolocation (4th factor) and immediately blocks login to your account if it discovers you logging in from a new place or from a new device. They did not ask your agreement with such a policy. They just use it. So, the level of security configured in every mass service access is very strange: no blocking or waiting in the process of trying different passwords — it is very convenient for choosing passwords by generation; obligatory identification with a mobile phone — to exclude anonymity; and controlling your fingerprints and location. Looks nice, doesn’t it?
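The two controls the answer above relies on, a per-account delay that grows after every wrong password and a per-IP block after four failures, as an added example in Python. This is not code from the thread or from any provider mentioned in it; the class and function names, the account `alice`, and the documentation-range IP addresses are constructed for the illustration.

```python
"""Added example (not code from this thread): an account-level exponential
delay after every wrong password, plus blocking of a source IP after four
failures, the two controls described in the answer above."""
import hashlib
import hmac
import os
from collections import defaultdict

PBKDF2_ITERATIONS = 100_000  # assumption: cost picked for the demo, tune for production


def hash_password(password, salt=None):
    """Return (salt, digest) for storing a password with PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, expected_digest):
    """Constant-time comparison so a wrong guess leaks nothing via timing."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, expected_digest)


# Used for unknown accounts so a failed lookup costs the same time as a real check.
_DUMMY_RECORD = hash_password("unused-dummy-password")


class LoginThrottle:
    """Doubles the wait after each consecutive failure on an account and
    blocks a source IP outright after `max_ip_failures` failed logins."""

    def __init__(self, base_delay=1.0, max_ip_failures=4):
        self.base_delay = base_delay
        self.max_ip_failures = max_ip_failures
        self.failures = defaultdict(int)        # account -> consecutive wrong passwords
        self.next_allowed = defaultdict(float)  # account -> earliest time another try is accepted
        self.ip_failures = defaultdict(int)     # source IP -> failures from that address
        self.blocked_ips = set()

    def attempt(self, account, password, source_ip, credentials, now):
        """Evaluate one login try at time `now` (seconds). Returns a status string."""
        if source_ip in self.blocked_ips:
            return "ip_blocked"
        if now < self.next_allowed[account]:
            # Refused before the password is even checked; the caller must wait
            return "too_early"
        salt, digest = credentials.get(account, _DUMMY_RECORD)
        if account in credentials and verify_password(password, salt, digest):
            self.failures[account] = 0
            self.next_allowed[account] = 0.0
            return "ok"
        self.failures[account] += 1
        # 1s, 2s, 4s, 8s, ...: guessing a password online this way becomes impractical
        delay = self.base_delay * 2 ** (self.failures[account] - 1)
        self.next_allowed[account] = now + delay
        self.ip_failures[source_ip] += 1
        if self.ip_failures[source_ip] >= self.max_ip_failures:
            self.blocked_ips.add(source_ip)
        return "denied"


def demo():
    """Constructed scenario: one address guesses four times, then the real
    account owner logs in from another address. Returns the status sequence."""
    credentials = {"alice": hash_password("correct horse battery")}
    throttle = LoginThrottle(base_delay=1.0, max_ip_failures=4)
    guesser, owner = "198.51.100.7", "203.0.113.9"  # constructed documentation-range IPs
    steps = [
        ("alice", "guess-1", guesser, 0.0),   # denied, must wait 1s
        ("alice", "guess-2", guesser, 0.5),   # too early, not even checked
        ("alice", "guess-2", guesser, 1.0),   # denied, must wait 2s
        ("alice", "guess-3", guesser, 3.0),   # denied, must wait 4s
        ("alice", "guess-4", guesser, 7.0),   # denied, 4th failure -> IP blocked
        ("alice", "correct horse battery", guesser, 15.0),  # right password, blocked IP
        ("alice", "correct horse battery", owner, 15.0),    # legitimate owner gets in
    ]
    return [throttle.attempt(acct, pw, ip, credentials, now) for acct, pw, ip, now in steps]


if __name__ == "__main__":
    print(demo())
```

The per-account delay is what makes online guessing slow regardless of source address; the per-IP block is the cheaper, coarser control. Note the trade-off the scenario exposes: the owner only logs in at `now=15.0` because the account-level wait has expired, so anyone who can send wrong passwords for an account can also keep its real owner waiting, which is the usual objection to account-level throttling at large scale.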
Q: Sergey, what is your opinion on 2FA with hard token?
A: Bob, I consider it more reliable when the second factor is geolocation than a hard token. Anything that you have can be stolen or taken by force. I don’t see any meaning in tokens in such cases.