https://www.explainxkcd.com/wiki/api.php?action=feedcontributions&feedformat=atom&user=D0dexplain xkcd - User contributions [en]2026-05-17T13:20:45ZUser contributionsMediaWiki 1.30.0https://www.explainxkcd.com/wiki/index.php?title=2522:_Two-Factor_Security_Key&diff=2186782522: Two-Factor Security Key2021-09-30T08:41:14Z<p>D0d: /* Explanation */</p>
<hr />
<div>{{comic<br />
| number = 2522<br />
| date = September 29, 2021<br />
| title = Two-Factor Security Key<br />
| image = two_factor_security_key.png<br />
| titletext = The bruises on my fingertips are my proof of work.<br />
}}<br />
<br />
==Explanation==<br />
Two factor security authentication is a semi-recent (about 20-30 years old at least, but only used on popular websites since around 2011) development in security to make it harder to compromise accounts by requiring two disparate authentication forms to be used in tandem. Typically, these days, this is done via a second email address or phone (to receive texts), with authentication programs like Okta and Google Authenticator being somewhat more secure and also pretty popular (and some sites include other approaches; for instance, Google's 2FA allows a method where you have the give you a number of alphanumeric secondary keys you can print out on paper, but each can only ever be used once), but early two factor authentication mostly made use of physical "keys" that would, most often, display a periodically changing number that had to be entered along with your password. "Something you have, something you know" are the usual two factors referred to. <br />
<br />
In this strip, Cueball is discussing two factor security keys with Ponytail, telling her that he has finally buckled down and gotten the two factor security keys that she keeps pestering him to get. He goes through (panel 2) the trials that he endured in "installing" the key, all of which seem like plausible trials for setting up two-factor authentication properly. However (in panel 3) it is then revealed that all his work was just the task of installing the key (which looks like several common brands of physical two-factor keys on the market) onto his metal keyring.<br />
<br />
Metal keyrings are reliably secure as far as keeping a key attached {{Citation needed}}, but this is in part because of how notoriously difficult it is to add a key to or remove a key from. The rings must be forced apart and ''held'' apart while the key traverses however many layers the ring has (usually two or three, though keyrings with more layers are not unheard of). Cueball confidently asserts (to off-screen Ponytail, who from her response probably hasn't yet gotten the joke) that his key is ''not'' coming off, indicating both a (well-founded) faith in the keyring's ability to keep his key, and a desire to not go through the same process in reverse. However, presumably, since all his effort was in "installing" the key onto his keychain, he probably hasn't actually set it up on any of his accounts, rendering them just as insecure as they were before he got a two factor key.<br />
<br />
The title text has a similar double meaning. Cueball would of course use it to the "proof" of his efforts installing the key--though difficult, metal keyrings can be forced apart physically by human hands, at least if the human in question has fingernails sturdy enough to slip between the rings, at which point the insertion of a finger would be enough to keep it apart until the key is inserted. However, keeping the rings apart can be strenuous on the fingers, and can result in bruising, which Cueball is all too familiar with. {{w|Proof of work}} alludes to the cryptographic concept, which ties (sideways, as proof of work is a security term for a concept intended to deter denial of service and similar volume-based attacks but not directly related) back into the two-factor authentication.<br />
<br />
Additionally a third meaning could be that while he spend a lot of time setting up 2FA he totally overlooked the possibility of him loosing his whole keychain thus locking him out of all the services that requires 2FA if he didn't set up yet another layer of backup.<br />
<br />
Worth noting is the not all that uncommon habit of keeping all of one's keys together in the same place, which allows a single point of entry for an attacker to obtain all of the victim's keys all at once.<br />
<br />
==Transcript==<br />
{{incomplete transcript|Do NOT delete this tag too soon.}}<br />
:[Cueball and Ponytail stand facing each other.]<br />
:Cueball: I got one of those two-factor security keys you've been bugging me about.<br />
:Ponytail: Great!<br />
<br />
:Cueball: It took a lot of work, fiddling with configurations, annoying setbacks, and general pain,<br />
<br />
:[Closeup on Cueball holding a keychain.]<br />
:Cueball: ... but I '''finally''' got it onto the metal ring of my keychain.<br />
:Ponytail [off-panel]: At least now it's secure.<br />
:Cueball: Yeah, this thing is '''not''' coming off.<br />
<br />
{{comic discussion}}</div>D0d