An Article About Authentication

Let’s talk passwords, those little secret codes that let a computer verify you are who you say you are. Without these little guys anyone could walk up to a computer system and say “ I’m John Smith! Let me into my account,” and a computer would happily accept that as good enough Thank goodness that is not how it works!  We all know that the computer will in return ask you, “OK, what’s the password for John Smith?” before giving you access.

This works pretty darn well, but this authentication method has been around a long, long time (thousands of years).  These little tokens of authentication have shown their age and are not fairing well on the Internet, where automated brute force attacks happen regularly and people who setup the same password on multiple accounts exacerbate the issue.

It’s time to face the music, passwords are old news, and have long since been abused as an authentication method.  Knowing or being able to guess just one thing that authenticates you with a computer isn’t enough to protect you from the bad people who are trying to do bad things to your stuff!

What is a better solution?  Multi Factor Authentication.  The simple definition: you need to know your password plus one or more other things that authenticate you are who you say you are.

Don’t worry, we have you covered. You can enable Google Authenticator as a multi factor authentication option for logging in to your DreamHost panel. More details on how Google Authenticator works with our panel can be found here: http://wiki.dreamhost.com/Enabling_Multifactor_Authentication

Hurry! Go enable multi factor authentication, all the cool kids are doing it, or enable it because you want to be the first kid on the block with the hottest new tricked out authentication method. Here is the direct link to the panel’s Billing => Security page where it can be turned on. What are you waiting for?

We have provided a “close to multi factor authentication” option in our panel for years already called “IP locking”.  It only requires an email verification when a new IP address logs in to your panel and it has been a good option so far, but we knew we could offer better.  Google Authenticator is a second multi factor authentication option.

I would not do you the disservice on skipping a more detailed explanation on Multi Factor Authentication.

Here is a no holds barred description: When you need to authenticate with a computer system that has multi factor authentication you type in your login and the computer will ask you for the password (something you know) as well as another token (something other than something you know) that verifies you are who you say you are. This second token can be something you have (such as a special token) or somewhere you are (on the internet, this would be your IP address.) or even something you are (biometric scanners). We offer the “something you have” (your device running google authenticator) or somewhere you are (IP locking.) You can turn on both, either or leave it with just plain old password authentication.

Recycling the example provided earlier, let’s show you how it works:

Single factor authentication:

<Anonymous visitor> “Hello computer, I’m John Smith! Please let me into my account.”
<Computer> “OK, what’s the password for John Smith?”
<Anonymous visitor> “password”
<Computer> “Welcome Mr. Smith!”

Maybe John should have chosen a less guessable password?
Let’s re try that again with Multi Factor Authentication:

<Anonymous visitor> “Hello computer, I’m John Smith! Please let me into my account.”
<Computer> “OK, I’ve never seen you log in from your computer. Please let me know what the temporary token displayed on your Google Authenticator device currently is and your account password.”
<Anonymous visitor> “uh … password?”
<Computer> “Access Denied”

And the real John Smith

<John Smith> “Hello computer, I’m John Smith! Please let me into my account.”
<Computer> “OK, I’ve never seen you log in from your computer. Please let me know what the temporary token displayed on your Google Authenticator device currently is and your account password.”
<John Smith> “Sure, it’s 828277 and the password is password”
<Computer> “Welcome Mr. Smith!”
<John Smith> “Hey computer, that was mildly inconvenient can you please remember that this computer is actually me for a while?”
<Computer> “No problem Mr. Smith, I will only ask you your password next time you log in from this same computer.”

While John Smith still had the same easily guessable password (this is not an excuse to use guessable passwords), the Google Authenticator step saved them from being compromised.