8 Factor Authorization

August 27, 2018 / by Ronald Tichenor

Security is important in crypto. And it is even more important than in traditional financial services because we are responsible for our own security. But some of our current solutions and (hopefully temporary) compromises are getting old quickly.

The idea of 2 Factor Authorization is perfectly understandable and temporarily acceptable. By using two different modes of input or two different devices, it reduces by a huge degree the threat of someone being able to get into our accounts. It’s not 100% ironclad, of course, but it’s pretty strong. As long as we as consumers have second factor options to choose from and the option whether to enable 2FA at all, we can manage the risk vs the hassle.

But there are some new factors creeping in to the equation.

Recently, while logging in to crypto exchanges, they all (seemingly) have been including a Captcha. I’m sure you’ve seen it, you have to click the box to prove that you are human and not a robot. This additional step is actually an authorization factor. It protects the website but also you as the consumer. And we don’t have a choice anyway, so we put up with it.

Once in a while doing a Captcha is not a big deal, but when you have to do it every time it’s essentially becoming a third factor. And they don’t get better, they get worse. Just clicking the box is easy, but then you start getting these 9 box pictures where you have to choose the pictures with bicycles or bridges. It’s especially annoying when it doesn’t like your choices, or it just doesn’t take and you have to do it again.

I once had to do it 9 times. I’ll repeat that because it bears repeating. 9 times. I chose the school buses, submitted, it didn’t like it and it gave me another set of pictures to choose the motorcycles. Then road signs. Then cars, store fronts, mountains etc. I went through 9 of those before it finally accepted that I was human. I had to finish it just to see how far it would go. I was committed.

Binance actually has this factor built in to their login process with their little puzzle piece. It’s significantly more advanced and effective than the ‘I am not a bot’ button and should outwit actual bots and their creators for some time. And it’s far better than the wretched Captcha pictures. I think this shows how far ahead of the curve Binance is. Good on them. The bonus is the endorphin rush that we get during the 1.2 seconds we managed to complete the 1-piece puzzle faster than 99% of other users. Yay.

But wait, there’s more.

The consistently worst experience I’ve been having lately is with Bittrex. After putting in my username and password, completing the Captcha, and Google Authenticator (which I am now arguing is the third factor), the website comes up with a fourth factor – the IP check. You may have seen this as well, as it says that it doesn’t recognize your device and requests you to sign in to your email and click the confirmation link to login.

It’s not the device, it’s the IP address. It didn’t like it because either it wants me to use the same IP address every time, or it didn’t like what country it was in, or probably because it recognizes the IP address as one belonging to a VPN service. (Some companies restrict those IP addresses.)

So, let me get this straight – I use a VPN service which gives me better security and they penalize me for it. Anger.

Here’s where the fourth factor kicks in. Since they didn’t like my IP address, I now have to open my email account and click the confirmation link they sent me. I suspect you’ve had to do this at some point too. But here’s where Bittrex got this completely wrong. I click on the link and they send me back to the login page to start over again. All of it. 4 factors the first time – Password, Captcha, Google Authenticator, IP check – and four more a second time around.

There’s my 8 Factor Authorization experience. Not just once, but every time I logged in to Bittrex over the course of about two weeks.

Other exchanges and accounts have added some of these factors as well, I’m not just picking on Bittrex. For example, Coinbase does the IP check and email confirmation, but at least actually opens the page automatically once you click the link, so, for them it was only 3 factors, with no Captcha and no repeat. But still annoying.

I don’t have anything more than 2FA with any of my traditional financial institutions – banks, brokerages, credit card companies, insurance companies etc., and some of them don’t even have a second factor. Only with crypto. The reasons for this are complex and understandable.

But, we need to get past this. We need decentralized solutions such as Civic, uPort, or some other identity authentication protocol. It’s one of the many obstacles that have to be overcome to pave the way for mass adoption. 3FA, 4FA, or 8FA can’t become the standard. We need better solutions.