2522: Two-Factor Security Key

Revision as of 07:36, 30 September 2021 by Mneme (Explanation: Corrected the original explanation about what two factor authentication was and made it more correct and historically accurate.)
Title text: The bruises on my fingertips are my proof of work.

Explanation

Two-factor authentication (2FA) is a semi-recent development in security (the idea is at least 20-30 years old, but it has only been used on popular websites since around 2011) that makes accounts harder to compromise by requiring two disparate forms of authentication to be used in tandem. These days the second factor is typically a second email address or a phone (to receive texts); authenticator programs like Okta and Google Authenticator are somewhat more secure and also quite popular, and some sites offer other approaches (for instance, Google's 2FA can give you a set of alphanumeric backup codes that you can print out on paper, each of which can only ever be used once). Early two-factor authentication, however, mostly relied on physical "keys" that would, most often, display a periodically changing number that had to be entered along with your password. "Something you have, something you know" are the usual two factors referred to.

In this strip, Cueball is discussing two-factor security keys with Ponytail, telling her that he has finally buckled down and gotten one of the two-factor security keys she keeps pestering him to get. In panel 2 he goes through the trials he endured in "installing" the key, all of which sound like plausible trials of setting up two-factor authentication properly. In panel 3, however, it is revealed that all his work was just the task of installing the key (which looks like several common brands of physical two-factor key on the market) onto his metal keyring.

Metal keyrings are reliably secure as far as keeping a key attached goes, but this is in part because of how notoriously difficult it is to add a key to one or remove a key from it. The rings must be forced apart and held apart while the key traverses however many layers the ring has (usually two or three, though keyrings with more layers are not unheard of). Cueball confidently asserts (to the off-panel Ponytail, who from her response probably hasn't yet gotten the joke) that his key is not coming off, indicating both a (well-founded) faith in the keyring's ability to keep his key and a desire not to go through the same process in reverse. However, since all his effort went into "installing" the key onto his keychain, he presumably hasn't actually set it up on any of his accounts, leaving them just as insecure as they were before he got a two-factor key.

The title text has a similar double meaning. Cueball would of course use it to refer to the "proof" of his efforts installing the key: though difficult, metal keyrings can be forced apart by human hands, at least if the human in question has fingernails sturdy enough to slip between the rings, at which point inserting a finger is enough to keep them apart until the key is inserted. Keeping the rings apart is strenuous on the fingers, however, and can result in bruising, which Cueball is all too familiar with. "Proof of work" also alludes to the cryptographic concept, which ties back into two-factor authentication only sideways: proof of work is a security term for a technique intended to deter denial-of-service and similar volume-based attacks by making each request cost the sender some computation, and it is not directly related to authentication.
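To make the cryptographic sense of "proof of work" concrete, here is an added example written for this page (not from xkcd or explainxkcd) of the hashcash-style construction the term usually refers to. A server hands out a challenge; the client must find a nonce such that the SHA-256 hash of challenge plus nonce starts with a chosen number of zero bits, which costs the client roughly 2^difficulty hash attempts; the server verifies the answer with a single hash. That asymmetry is what deters volume-based abuse: sending many requests means doing many times the work. The challenge string in the test is constructed for the demo.

```python
"""Added example: a hashcash-style proof of work and its cheap verification.

Illustrative code written for this page, not from xkcd or explainxkcd.
"""
import hashlib
import itertools
import os


def leading_zero_bits(digest: bytes) -> int:
    """Count how many zero bits a digest starts with."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()  # zero bits before the first set bit
        break
    return bits


def _hash(challenge: bytes, nonce: int) -> bytes:
    return hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()


def solve(challenge: bytes, difficulty: int) -> int:
    """Client side: search for a nonce whose hash has `difficulty` leading zero bits.
    Expected cost is about 2**difficulty hash evaluations (the 'work')."""
    for nonce in itertools.count():
        if leading_zero_bits(_hash(challenge, nonce)) >= difficulty:
            return nonce
    raise RuntimeError("unreachable: itertools.count() never ends")


def verify(challenge: bytes, nonce: int, difficulty: int) -> bool:
    """Server side: one hash, whatever the difficulty. The server only has to
    remember which challenges it issued so a solution cannot be replayed."""
    return leading_zero_bits(_hash(challenge, nonce)) >= difficulty


if __name__ == "__main__":
    challenge = os.urandom(16)  # fresh per request so solutions cannot be reused
    difficulty = 16             # ~65,000 hashes on average for the client
    nonce = solve(challenge, difficulty)
    print("nonce:", nonce, "accepted:", verify(challenge, nonce, difficulty))
```

Raising the difficulty by one bit doubles the client's expected work while leaving the server's cost unchanged; that knob is what lets a service make flooding it expensive without making a single legitimate request noticeably slower.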

Transcript

[Cueball and Ponytail stand facing each other.]
Cueball: I got one of those two-factor security keys you've been bugging me about.
Ponytail: Great!
Cueball: It took a lot of work, fiddling with configurations, annoying setbacks, and general pain,
[Closeup on Cueball holding a keychain.]
Cueball: ... but I finally got it onto the metal ring of my keychain.
Ponytail [off-panel]: At least now it's secure.
Cueball: Yeah, this thing is not coming off.



Discussion

There are 2FA USB keys (WebAuthn, FIDO2, U2F) such as https://shop.nitrokey.com/shop/product/nk-fi2-nitrokey-fido2-55 with a hole to attach a keychain - and the item in the last panel looks a bit like such one Bmwiedemann (talk) 03:48, 30 September 2021 (UTC)

First thing that comes to mind when someone mentions a 2FA security key. 100% most certainly what they are talking about. yubikey/fido2 being the ones that popularized it iirc 172.69.71.177 04:41, 30 September 2021 (UTC)
Yeah, yubikey definitely comes to mind. I wouldn't call 2FA on a phone a 2FA "Key". Perhaps you could call the generator secret a (cryptographic) key, but I don't think that's what this comic is talking about. Jeffkmeng (talk) 06:56, 30 September 2021 (UTC)

2FA tokens are actually quite often physical keys that fit on a keychain and produce a secret number to input for authentication. It is only recently that such 2FA key generators have moved into phones. Here is one example: https://en.wikipedia.org/wiki/RSA_SecurID Adron1111 (talk) 06:41, 30 September 2021 (UTC)

The joke here isn't 2FA key vs tumbler-and-pin key, the joke is that all of the configuration pain he's talking about isn't setting up the key to work with his computer or various sites (which one might expect when introducing a new, non-tech-savvy user to 2FA), but rather getting the key onto his keyring. 172.69.34.67 07:22, 30 September 2021 (UTC)

Haven't put this in the text (I added some practical "what you know/have/are" stuff, from my own past experience) but I first thought it was that two actual factors are now on the keyring (insecurely, as per the current last para?). A 'have' item is obviously there, of whatever form, but now (unless it's a second 'have', supposed to be separate) there is also somehow a 'know' one (c.f. those people who have scrawled their bank-card PINs onto their bank-cards, entirely negating that particular safety-factor) or an 'are' one (bits of fingerprint? blood samples?). Possibly now impossible to use (if not trivially easy to co-steal). Plus, remember that data security has two faces: 1) Only those authorised may access/change data; 2) Those who are authorised should not be deprived of this ability. It is commonly the second that requires a second factor (separate email/phone contact) to get around problems with the first (forgotten password), though it isn't really an everyday 2FA application, just a backup 1FA method (as with "Name of first pet", etc). 172.70.34.191 10:14, 30 September 2021 (UTC)

My immediate take was that Ponytail was being sarcastic . . . . 172.70.130.209 10:53, 30 September 2021 (UTC)

wow you guys finished the explanation already? nice

This explanation needs a link to the Wikipedia entry for Security token, because that is clearly what Cueball is putting on his keyring here. 162.158.203.24 14:14, 30 September 2021 (UTC)

Ouch. The Cleanup and some other lesser pruning was clearly necessary, definitely, but expunged a number of perhaps more interesting key points in the process, that I might have more explicitly made if given a nearly blank sheet. (e.g.: occasional verification by external email is not 'traditional' 2FA, really just 2ndF(re-)A but may have become thought of as it.) 141.101.107.229 12:33, 1 October 2021 (UTC)

Wouldn't it be amazing if we had to use 2FA for important stuff, like voting. Seebert (talk) 13:28, 1 October 2021 (UTC)

Don't give the GOP ideas. Since voter fraud is a negligible problem, it would be amazing if anyone thought 2FA were needed. Barmar (talk) 13:51, 1 October 2021 (UTC)

My initial thought was that the joke is that the token isn't actually a fob with a slot for a keyring, and Cueball had to mangle it to install it, possibly rendering it non-functional. Barmar (talk) 13:51, 1 October 2021 (UTC)


I came to explainxkcd to find out what "proof of work" was.
The definition currently given is: "a security term for a concept intended to deter denial of service and similar volume-based attacks".
So... "proof of work" is something called a "security term" for a particular concept. And the concept itself, is (somehow) intended to deter "denial of service and similar volume based attacks"... whatever those are...?
Remember, I'm just an average person, I only know the chemical formulas for olivine and one or two feldspars and I'm here because I'm dumb. mezimm 172.69.71.143 17:00, 1 October 2021 (UTC)

"from her response probably hasn't yet gotten the joke" - this assumes far more ignorance/stupidity on the part of the character than she ever normally exhibits. To me, XKCD is filled with layered "ironic" speech rather than literals. Her answer "at least now it's secure" makes no sense as a response if she is taking his statement at face value, rather than facetiously responding tongue-in-cheek. But I see this kind of projected-ignorance so often in the explanations here, I'm not even sure if it's worth fixing when I see it. Especially because it feels hard to explain layered speech to people who don't use it, every time it happens :( --172.69.71.163 18:43, 1 October 2021 (UTC)

I don't really know anything about electronic or cryptography keys, but it seems to me that (1) their use started from the idea of two actual keys to launch nukes or something like in old movies, and (2) that is what Cueball actually installed, but put both on one keychain making them useless, because they have to be turned simultaneously by two people ten feet apart or whatever, yes? Mathmannix (talk) 12:04, 2 October 2021 (UTC)

I really went on a bender as I transplanted the "What kinds of things can be Factors" information out of the Explanation. It's there for those who think they'd like to know more, but I also know I don't know everything (nor did I render absolutely everything I could), and yet also I'm rather chatty and prosaic and I must apologise for that. (Though, looking at the comment immediately above, darnit, I was going to also mention dual-nuclear-keys as a Two (Semi-Identical) Factor situation.) I also thought there was too much blue (or, rather, visited-link hue) if I was to Wikilink/Nonwikilink absolutely everything I could have. I invite anyone who is bothered to knock it more into shape. Or revert it back, if you feel strongly enough about it yet apathetic enough about trying your own version. Otherwise: Enjoy! 141.101.107.229 21:30, 2 October 2021 (UTC)


What the hell is "Proof of Work"?? Tried to figure it out from the explanation and I'm still confused. ELI5? --mezimm 172.70.126.211 14:42, 8 November 2021 (UTC)