2 factor authentication - optimum length of code?

Reesy · 11-01-2015 01:37PM #1

Hi,

In the last week I've signed into a bunch of accounts using 2-factor authentication. For the second factor I've had a PIN sent to me by SMS:
- One Irish telco use 4 digits
- One webmail provider used 6 digits
- And this morning a cloud application used 7 digits.

One might argue that the more valuable the data accessed, the longer the string needs to be - but surely in practice, 6 digits are always enough because the 2-factor PIN shouldn't allow more than a few retries?

hmmm · 12-01-2015 12:42PM

The PINs would also have an expiry time set, and most will have brute force protection. All these factors would feed into an optimum length of code, depending on the risk assessment and the sensitivity of what was being protected.

obsidianclock · 23-01-2015 06:24PM

Reesy wrote: »

Hi,

In the last week I've signed into a bunch of accounts using 2-factor authentication. For the second factor I've had a PIN sent to me by SMS:
- One Irish telco use 4 digits
- One webmail provider used 6 digits
- And this morning a cloud application used 7 digits.

One might argue that the more valuable the data accessed, the longer the string needs to be - but surely in practice, 6 digits are always enough because the 2-factor PIN shouldn't allow more than a few retries?

I think you're right Reesy, provided no more than a few retries are allowed, I would say six digits are more than enough.

2 factor authentication - optimum length of code?

Comments