Passwords aren’t broken at all

Computer security in 2014

Yesterday I tweeted this:

and when I went to log in to my Amazon Web Services account this morning, I realized how tedious the entire process is. Here’s the full flow of getting to my AWS dashboard.

  1. Open in a browser.
  2. Find login link in upper right submenu option.
  3. Wait for my password manager (LastPass) to auto-fill my details since I don’t even know what my long, complex auto-generated password is.
  4. 2-step auth screen pops up for Amazon.
  5. Unlock iPhone with my thumbprint (often takes a couple tries).
  6. Find Utilities folder on my phone and open it.
  7. Open up my Google Authenticator 2-step auth manager app.
  8. Scroll down to find an unlabeled generated number with an obscure title (every other service has their own obvious easy to read title).
  9. Enter number (if there’s enough time still left! Otherwise, wait) into the AWS 2-step page, hit Sign-In button.
  10. Begin using AWS normally.

If I was using a new laptop or a new phone, there are a dozen extra steps to authenticate each device in order to handle loading and running a password manager and the 2-step auth number generator.

Additionally, I use about a half-dozen 2-step auth services that use SMS instead of an authenticated app. This feels even more tedious since you have to click a button on their login page to generate an SMS code. Wait by your phone for about 30 seconds for it to show up. Open the new SMS and type in the numbers before your phone screen goes to sleep, and then use the service (while ignoring the pile of pointless only-good-for-five-minutes texts stacking up on your phone).

I know security is important, and I understand why each and every step in this long chain is required, but having to do these 10 steps several times a day with half a dozen different services is tedious to say the least.

What using 2-step auth feels like

I wish there was an easier, but still secure way.