Is it really so crazy to suspect that authenticators might also be designed to generate memorable passcodes?Ĭrazy? No. Psychologists call this last approach chunking, and it's a powerful technique for improving memory and retrieval (a classic practical example is the way we partition telephone numbers) presenting information in chunks significantly increases a person's odds of recalling it.Īll of which is to say: Security engineers do think about the 2FA experience and how they might reduce the cognitive load on a user's working memory. It also divides six-digit codes into two, three-digit groups. Authentication services on smartphones smooth the copy/paste and memorize/recall speed bumps in other ways: Google's Authenticator app allows users to copy their 2FA codes with a quick tap instead of the typical long-press. So it stands to reason that memorable passcodes would beget a more seamless user experience.Īnd, in fact, user experience is why browser extensions like Authy let users access 2FA tokens directly from their computers, without having to copy and paste them, or memorize them on one device before re-entering them on another. The main reason, according to him? It's inconvenient. At January's Enigma security conference, Google security engineer Grzegorz Milka revealed that fewer than 10 percent of active Google users avail themselves of 2FA.
![rng reporter profile rng reporter profile](https://i586.photobucket.com/albums/ss303/Pikapwn25/JavaRNG2001.jpg)
And nominally, I agree: Some sort of cognitive bias seems like a way more plausible explanation for my memorable passcodes.Īnd yet! Security engineers would have some legitimate incentives to generate more memorable passcodes.
RNG REPORTER PROFILE SERIES
Or consider a series of quarter tosses: Most people are less likely to predict a sequence of five heads than they are something like THTHT-even though each of the 32 possible outcomes of flipping a coin five times has the same probability of occuring: 1/32. And when I asked cognitive psychologist Marisca Milikowski, an expert in people's knowledge of numbers, she said she'd noticed it too. Andy Greenberg, WIRED's senior security writer, told me the thought had crossed his mind. When I mentioned it to my editor, her eyes lit up in recognition. I'm not the only one who's had this sense about 2FA codes. But more often than not, the passcodes that appear in my Google Authenticator app seem tailored to reduce the cognitive burden of storing them in my working memory, the short-term storage bin our brains use to stash information for a few precious seconds before forgetting it forever. Occasionally I'll get lemons, like 031 472 or 253 741, which are less appealing in an (admittedly vague) aesthetic sense and more difficult to remember. Elements like single-digit repeats (111 293 134 441) multi-digit repeats (112 222) palindromes (353 595) ascending or descending sequences (345 564) repeating number order (618 514) and combinations thereof (876 565).
![rng reporter profile rng reporter profile](https://edbodmer.com/wp-content/uploads/2021/04/image-8.png)
It began with an observation: My codes often seem to include elements that make them easier to remember. But for some time now, I've harbored a pet conspiracy theory about those codes: Maybe they aren't as random as we're led to believe. You know two-factor authentication tokens, the ephemeral, six-digit numbers you use as a second layer of security when logging into, say, your email? Those constantly updating, randomly generated numbers are one of the easiest ways to protect your accounts from being hacked.