It seems that everyone is offering some kind of MFA or TFA these days. Microsoft is doing it, Google is doing it, Yahoo is doing it, Evernote is doing it, Facebook is doing it, Twitter is doing it, LastPass is doing it, and the list goes on. MFA/TFA helps secure a resource beyond your typical username and password. A username is who you are. A password is something you know. With MFA/TFA you now add something you have in your possession, say a cell phone. The process is that you attempt to log on as usual; before the logon completes you have to do something else with the device that only you possess. That could be answering a call and hitting #, replying to a text message, typing a code generated by your cell phone into the webpage, or typing a code that was texted to you into the webpage. What’s nice is that if someone does not have all three key pieces (username, password, access to the device) they won’t be able to log on.

Where MFA/TFA does cause a bit of a problem is with applications that are not smart enough to handle MFA/TFA or do not support it. These applications can be on PCs, Macs, Windows phones, iPhones, Android phones, Kindle devices, Nook devices, tablets, slates, pretty much anything that is not a web browser. Some of these apps could be Outlook, Lync, Word, Excel, etc. So the question is how can I have these applications work when MFA/TFA is being used? That’s done using application passwords. An application password is a computer-generated strong password that you assign to applications that can’t use MFA/TFA. Usually users cannot pick or choose what they want their app passwords to be.
There are two models for application passwords. One is to have a single password for all your devices. The advantage is that there are fewer passwords, so less chance of someone figuring out the complex password. The disadvantage is that if you lose one of your devices you have to reset your application password and then go through every device and change the password.
The other is to have an application password for each device. The advantage is that if you lose a device you can delete the application password for that device only (if supported) and not have to touch your other devices. The disadvantage is that you now have more passwords to manage, and since there are more generated complex passwords there are more chances for someone to figure one out.
Personally and professionally I like the single application password model. If I lose a device I can kill the single application password and generate a new one. I would then have to take some time to change the password on all of my devices, but since I’m in IT it wouldn’t be a problem for me, just time-consuming.
If you have a user who loses devices often or is not very technical, the one-application-password-per-device model might be better for them. If they lose a device, kill that app password and issue a new one for their replacement device. Less work for them and the help desk.
Depending on the service provider you may or may not be able to manage your application passwords one by one. One vendor might allow multiple application passwords but not let you delete just one; you would have to delete all of them. Another vendor might allow only a single application password. Another might let you create multiple application passwords and manage each one individually. Below are a few examples of how each service handles app passwords.
Microsoft Account. With Microsoft’s account you can create multiple app passwords but you cannot manage them individually.
Windows Azure. With Windows Azure you can create and manage each app password.
Yahoo. With Yahoo you can create and manage each app password.
Gmail. With Gmail you can create and manage each app password.
Facebook. With Facebook you can create and manage each app password.
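As an added example, not from the original post or any of the vendors above, here is a hypothetical server-side app-password store that implements both models described earlier: passwords are computer-generated and stored only as salted hashes, revoking one device's password leaves the others working, and the single-password model forces every device to be re-issued. The class name, the `lost_phone` helper and the device labels are all constructed for this illustration.

```python
import hashlib
import hmac
import os
import secrets

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AppPasswordStore:
    """Hypothetical server-side app-password store for one account: each
    password is a random, computer-generated token, stored only as a salted
    PBKDF2 hash, revocable per label (one device) or all at once."""
    ALPHABET = "abcdefghijkmnpqrstuvwxyz23456789"   # avoids 0/O and 1/l

    def __init__(self):
        self._entries = {}   # label -> (salt, digest)

    def create(self, label):
        """Generate an app password for `label`; the plaintext is returned once."""
        password = "".join(secrets.choice(self.ALPHABET) for _ in range(16))
        salt = os.urandom(16)
        self._entries[label] = (salt, _digest(password, salt))
        return password

    def verify(self, password):
        """Return the matching label or None. Clients send only username plus
        app password, so every stored hash is checked (constant-time compare)."""
        for label, (salt, digest) in self._entries.items():
            if hmac.compare_digest(_digest(password, salt), digest):
                return label
        return None

    def revoke(self, label):
        self._entries.pop(label, None)   # one device; the others keep working

    def revoke_all(self):
        self._entries.clear()            # the "delete all or nothing" model

def lost_phone(per_device):
    """Simulate losing the phone; return which devices can still log on."""
    devices = ("laptop", "phone", "tablet")   # constructed sample devices
    store = AppPasswordStore()
    if per_device:
        issued = {d: store.create(d) for d in devices}
        store.revoke("phone")          # only the lost device is cut off
    else:
        shared = store.create("all")   # single-password model
        issued = {d: shared for d in devices}
        store.revoke_all()             # everything must be re-issued
    return {d: store.verify(pw) is not None for d, pw in issued.items()}
```

Calling `lost_phone(True)` leaves the laptop and tablet working, while `lost_phone(False)` locks out all three until new passwords are entered on each device.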
We’ll be seeing more and more places use MFA/TFA as time goes on, and in doing so we’ll also see more and more talk about app passwords. I encourage everyone to look into MFA/TFA to help protect your resources. Sure, it’s more work up front and maybe during the day, but I believe it’s needed to protect your accounts.