Two-Step Authentication Is Too Complicated for Many People

Apple’s recent nude selfie hack illustrated the need for two-step or two-factor authentication (TFA) as a way of hardening the protection for online accounts. You may be familiar with this from banks, some of which use systems where you generate a one-time authentication code that you enter together with your password. It ensures that access to your account requires both something you know (your password) and something you have (a device that generates a code; an app; a cellphone to receive a code by SMS).

Here’s how Apple explains the process:

[Image: Safari001.png]

In practice, however, this is problematic. I use TFA on Dropbox; whenever I log into Dropbox on a new device, I immediately get a code sent to my iPhone. I enter that code, and I can access my files. But, the other day, I tried to turn on TFA for Google. I went to step 1, where I entered my user name and password, then step 2, where I gave them my cellphone number. Then I waited; and waited. I then clicked a link saying I hadn’t received the code, and I clicked a link to have it sent again. And again. Then the Google site recommended I have them send a voice mail instead of a text message. I waited. And I waited. I finally got a voice call with the code, but when I entered it, it had already expired. I never got any of the text messages, which I requested four times. Needless to say, the way Google works, I would be effectively locked out of my account with no way at all to get back in.

I’ve thought about activating TFA for my iCloud account, but have you ever looked at Apple’s FAQ for two-step verification for an Apple ID? I make my living writing about computers, and telling people how to use them, and I’m daunted by this page. I once started the process, but it was so scary – full of warnings that if I didn’t print out the Recovery Key, I might never be able to get access to my iCloud data. Needless to say, I gave up.

Two-factor authentication is a powerful tool; my bank uses this, and a banker told me that, since they introduced it, fraud has essentially disappeared. But the way it is implemented for online accounts is problematic, and dangerous. Accessing my data is far too important to trust to a system that can go wrong, as Google’s did, or that is too confusing, as Apple’s is. There has to be a better way.

Stop Safari from Asking You if You Want Notifications from Websites

Are you annoyed by Safari asking you if you want to get push notifications from some websites? Here’s how you can turn those messages off.

Safari for OS X has a feature called Push Notifications, which lets you get notifications on your Mac – banners or alerts – when a website wants to let you know about a great new article. I find these quite annoying, and I’ve turned them off, but I realized recently that a lot of people don’t know how to keep Safari from displaying the dialog.

When you go to a website that uses this feature, you’ll see a sheet in Safari like this:

[Image: Safari004.png]

It’s annoying to have to click Don’t Allow each time you land on a website using Push Notifications, but you can turn these dialogs off in Safari’s preferences. Choose Safari > Preferences, then click on Notifications. Uncheck the option at the bottom, Allow websites to ask for permission to send push notifications.

[Image: Safari001.png]

If you’ve already allowed certain websites, you’ll still get notifications; you just won’t get asked any more. And you can remove any of the websites that have asked – whether you have allowed or denied these notifications – by selecting them in the same window, then clicking Remove, or nuke them all by clicking Remove All.