2522: Two-Factor Security Key

Explain xkcd: It's 'cause you're dumb.
Jump to: navigation, search
Two-Factor Security Key
The bruises on my fingertips are my proof of work.
Title text: The bruises on my fingertips are my proof of work.


Two factor security authentication (also see #Trivia) is something that Ponytail has clearly been talking to Cueball about. In this strip, Cueball is telling her that he has finally buckled down and gotten the two factor security key that she has pestered him to get.

He recites the trials that he endured in "installing" the key, all of which seem plausible configuration issues for setting up a proper two-factor authentication from scratch. However it is then revealed that all this work was just the task of attaching the 'key' (which looks like it could be a common brand of physical two-factor key fob or dongle) onto his metal keyring.

Metal keyrings are reliably secure as far as keeping a key attached, but this is in part because of how notoriously difficult it is to add a key to or remove a key from them. The rings must be forced apart and held apart while the key traverses however many layers the ring has (usually two or three, though keyrings with more layers are not unheard of). Cueball confidently asserts (to off-screen Ponytail, who probably was expecting something more practical) that his key is not coming off, indicating both a (well-founded) faith in the keyring's ability to keep his key, and a desire to not go through the same process in reverse. Presumably all his effort was in "installing" the key onto the keychain, and he probably hasn't actually set it up for any of his accounts, leaving them just as insecure as they were.

The title text has a similar double meaning. Cueball would of course use it to the "proof" of his efforts installing the key--though difficult, metal keyrings can be forced apart physically by human hands, at least if the human in question has fingernails sturdy enough to slip between the rings, at which point the insertion of a finger would be enough to keep it apart until the key is inserted. However, keeping the rings apart can be strenuous on the fingers, and can result in bruising, which Cueball is all too familiar with. Proof of work alludes to the cryptographic concept, which ties (sideways, as proof of work is a security term for a concept intended to deter denial of service and similar volume-based attacks but not directly related) back into the two-factor authentication.

Additionally a third meaning could be that while he spent a lot of time setting up 2FA he totally overlooked the possibility of him losing his whole keychain thus locking him out of all the services that requires 2FA if he didn't set up yet another layer of backup.


[Cueball and Ponytail stand facing each other.]
Cueball: I got one of those two-factor security keys you've been bugging me about.
Ponytail: Great!
[Cueball and Ponytail continue facing each other.]
Cueball: It took a lot of work, fiddling with configurations, annoying setbacks, and general pain,
[Closeup on Cueball holding a keychain.]
Cueball: ... but I finally got it onto the metal ring of my keychain.
Ponytail [off-panel]: At least now it's secure.
Cueball: Yeah, this thing is not coming off.


An authenticaion 'factor' is a distinct method of proving your legitimate use of a service or product. They can be broadly be grouped into three main groups.

  • What you know - Some knowledge that you have to remember. Susceptible to being learnt by someone else, or forgotten by yourself.
    • Passwords (or PINs) are the usual incarnation of this, usually static (although some people may change them periodically, or be required to), overwhelmingly user-chosen.
    • Challenge Questions such as the answer to "What was the name of your first pet?" are given by the user for later supplemental authentication (see below). Such questions and similar Knowledge Based Authentication (for example, the place you live, your social security number, last digits of your banking card, or your yearly income) are considered insecure, because much of such information is either easily guessable, can be scrapped from social networks, or is available on the dark web because of security breaches.
      • It is speculated that the "What is your Porn Name?" game has been used to gain precisely the information required to defeat this security method.
    • Other personal knowledge has been occasionally tried for such uses, such as a grid of sixteen distinct faces (randomly placed) that you know to select (say) your Mother, Cousin Albert, Grandad and your niece Lucy. Others may recognise these (and other red-herrings) but not know the sequence, or be able to easily duplicate it from just observing where on the touchscreen you made contact (as you might with numberpad-entry) in some unguarded situation.
  • What you have - Some physical item that is linked to your authorisation. The possession of the key must be guarded against both theft and loss to continue to be useful.
    • A popular item at one time for financial logins is a numeric key fob. Displaying a rolling code of numbers that change pseudorandomly, synchronously with the expectations of the authentication routine at the server. Any attempt by an eavesdropper to 'replay' a previous code will no longer be valid.
    • A printed set of one-time passwords has a similar intention, gaining technical simplicity but also additional problems/susceptibilities.
    • Hybrid solutions such as Google Authenticator and a possibly similar one from Okta, and other examples of mostly mobile applications (software tokens) implementing some kind of one-time password (OTP) algorithm for authentication.
      • This might be time-based OTP (TOTP), which means that the code is valid only for a short time.
    • Prior to ubiquitous use of the internet (or other dial-in networks), software companies might protect their products with a software protection dongle to replace or augment the more easily-sharable licence keys(/passwords) and enforce the use of no more copies than had been paid for. - With the advent of the connectivity needed, a "phone home" technique has largely replaced the necessity of this, a central server vetting the use (and/or transfer) of sofware between machines. But related technology is a modern implementation that is probably what Cueball's keyringing efforts involve.
    • A device similar to the fob/dongle could also use short-range wireless communications (Bluetooth, RFID, Near-Field Communication or some proprietry method) to indicate the proximity (and identity) of the token to a receptive system. Some high-end car models offer such a system in place of an ignition key for... some absolutely valid reason.[citation needed]
    • With "Remember my password" options in browsers and password managers, ostensibly to prevent over-the-shoulder attacks and/or the prevalence of weak passwords, increasingly the 'known' password has become more of a possession tied to a particular device (and any other device that has been linked by the synchronisation of such internal information).
    • A code sent to a further service, such as emails to a (different) email account, or SMS message to a phone, or push notification sent to a smartphone. Retaining the possession of (and access to) these systems is often left more up to the end-user than with vendor-controlled systems, which can be an issue when used as a fall-back reauthentication method (see below).
    • A non-computing example is the Railway Token, sometimes combined with quite ingenius key-and-lock systems, to enforce safe line-use.
  • What you are - Some quality that relates to your physical person. It may very hard (but not impossible) to lose this, or to have someone else use it. Physical coercion may be the greatest threat to this attempt to maintain security, much as it could be used for the others as well. Until recently, the hardware needed made this more of a cinematic 'solution' (to be foiled by resourceful antagonists/progatonists) or in a limited number of high-security situations, but it has also started to make inroads into consumer use. They are rarely used directly for online verification (though they can be), but more often are used to authorise the device to communicate it's intrinsically possessed verification key (or just to generally use that device).
    • Fingerprint scanners are an old standard, and may even now be able to protect against the Gummy Bear trick.
    • Eye-scanning (using iris, retina or scleral vein patterns) is a favourite movie version, and perhaps possible with sufficiently high-resolution macro-lensed cameras.
    • Facial recognition is certainly possible, and touted, with current technology. With greater or lesser proof against someone wearing a printed 'mask' of the authorised user's face, according to implementation.
    • Voiceprint analysis is sometimes used to verify repeat callers to helplines/service-centres, or at least to weed out the more obvious intended-impersonators.
    • Gait analysis, that analyses the walking action of a person. Perhaps not likely to be so portable a solution.
    • A signature could be considered a (weak) biometric. It is possible to forge a known signature, while a person may be inconstant in each attempt at their own. When done in person it may be more of an esoteric test as to the confidence and fluidity in making the scrawled claim as to your identity - which can also be faked!
    • Similarly, a photo-ID could be taken as a very basic biometric verification. - Though whether it is easier to impersonate a photo (perhaps in a different way from the Facial Recognition exploit) or to forge physical ID to bear (something closer to) your own likeness.

One-Factor Authentication now may trying to avoid the shortcomings of the Password system (including the intervention of a 'remembered' password) by developing passwordless authentication techniques based upon "have/are" factors only.

Two-Factor Authentication was usually the addition of a physical/biometric authentication method to augment each use of a known password/PIN (e.g. the 'rolling token' number).

Conversely, the physical authentication of a bank-card has required backing up by its remembered PIN when used in cash-machines/ATMs. (In shops, checking against the signature written on the same card was for a long time the verification of valid ownership, this recently progressed to Chip-And-Pin, but then in many cases has been superceded by Contactless (NFC) versions, making it a Single-Factor solution in sufficiently low-value transactions.)

Many people may be more familiar with an occasional Second-Factor ReAuthentication, when (for one reason or another) they are no longer able to provide a valid password for some login or other, and activate the "Forgot my password" request which sends a link to their backup email account. Where one is set up, is still active and and you have not also lost the ability to access that. (This is not the situation that Cueball is in, or may be in.) This has largely replaced the infamous "Challenge Question" (though may still be combined with it) probably to defeat replay-attacks or the more clever phishing attacks.

Three-Factor Authentication should really be a "know" and "have" and "are" combination. Imagine the cinematic scene of the 'President' granting authority for a nuclear attack by inserting a physical key into the required device, typing in their code and then presenting their eye to a retinal scanner.

Anything that is (seriously) quoted as Four-Factor, or above, is going to either duplicate the number of required verifications of a similar scope (towards diminishing returns) or is describing a setup of a number of optional methods from which a lesser number would be considered sufficiently valid to provide. e.g. registering all ten finger/thumb-prints in case of some random future digital injury.

comment.png add a comment! ⋅ comment.png add a topic (use sparingly)! ⋅ Icons-mini-action refresh blue.gif refresh comments!


There are 2FA USB keys (WebAuthn, FIDO2, U2F) such as https://shop.nitrokey.com/shop/product/nk-fi2-nitrokey-fido2-55 with a hole to attach a keychain - and the item in the last panel looks a bit like such one Bmwiedemann (talk) 03:48, 30 September 2021 (UTC)

First thing that comes to mind when someone mentions a 2FA security key. 100% most certainly what they are talking about. yubikey/fido2 being the ones that popularized it iirc 04:41, 30 September 2021 (UTC)
Yeah, yubikey definitely comes to mind. I wouldn't call 2FA on a phone a 2FA "Key". Perhaps you could call the generator secret a (cryptographic) key, but I don't think that's what this comic is talking about. Jeffkmeng (talk) 06:56, 30 September 2021 (UTC)

2FA tokens are actually quite often physical keys that fit on a keychain and produce a secret number to input for authentication. It is only recently that such 2FA key generators have moved into phones. Here is one example: https://en.wikipedia.org/wiki/RSA_SecurID Adron1111 (talk) 06:41, 30 September 2021 (UTC)

The joke here isn't 2FA key vs tumbler-and-pin key, the joke is that all of the configuration pain he's talking about isn't setting up the key to work with his computer or various sites (which one might expect when introducing a new, non-tech-savvy user to 2FA), but rather getting the key onto his keyring. 07:22, 30 September 2021 (UTC)

Haven't put this in the text (I added some practical "what you know/have/are" stuff, from my own past experience) but I first thought it was that two actual factors are now on the keyring (insecurely, as per the current last para?). A 'have' item is obviously there, of whatever form, but now (unless it's a second 'have', supposed to be separate) there is also somehow a 'know' one (c.f. those people who have scrawled their bank-card PINs onto their bank-cards, entirely negating that particular safety-factor) or an 'are' one (bits of fingerprint? blood samples?). Possibly now imposssible to use (if not trivially easy to co-steal). Plus, remember that data security has two faces: 1) Only those authorised may access/change data; 2) Those who are authorised should not be deprived of this ability. It is commonly the second that require a second factor (separate email/phone contact) to get around problems with the first (forgotten password), though it isn't really an everyday 2FA application, just a backup 1FA method (as with "Name of first pet", etc). 10:14, 30 September 2021 (UTC)

My immidiate take was that Ponytail was being sarcastic . . . . 10:53, 30 September 2021 (UTC)

wow you guys finished the explanation already? nice

This explanation needs a link to the Wikipedia entry for Security token, because that is clearly what Cueball is putting on his keyring here. 14:14, 30 September 2021 (UTC) Ouch. The Cleanup and some other lesser pruning was clearly necessary, definitely, but expunged a number of perhaps more interesting key points in the process, that I might have more explicitly made if given a nearly blank sheet. (e.g.: occasional verification by external email is not 'traditional' 2FA, really just 2ndF(re-)A but may have become thought of as it.) 12:33, 1 October 2021 (UTC)

Wouldn't it be amazing if we had to use 2FA for important stuff, like voting. Seebert (talk) 13:28, 1 October 2021 (UTC)

Don't give the GOP ideas. Since voter fraud is a negligible problem, it would be amazing if anyone thought 2FA were needed. Barmar (talk) 13:51, 1 October 2021 (UTC)

My initial thought was that the joke is that the token isn't actually a fob with a slot for a keyring, and Cueball had to mangle it to install it, possibly rendering it non-functional. Barmar (talk) 13:51, 1 October 2021 (UTC)

I came to explainxkcd to find out what "proof of work" was.
The definition currently given is: "a security term for a concept intended to deter denial of service and similar volume-based attacks".
So... "proof of work" is something called a "security term" for a particular concept. And the concept itself, is (somehow) intended to deter "denial of service and similar volume based attacks"... whatever those are...?
Remember, I'm just an average person, I only know the chemical formulas for olivine and one or two feldspars and I'm here because I'm dumb. mezimm 17:00, 1 October 2021 (UTC)

"from her response probably hasn't yet gotten the joke" - this assumes far more ignorance/stupidity on the part of the character than she ever normally exhibits. To me, XKCD is filled with layered "ironic" speech rather than literals. Her answer "at least now it's secure" makes no sense as a response if she is taking his statement at face value, rather than facetiously responding tongue-in-cheek. But I see this kind of projected-ignorance so often in the explanations here, I'm not even sure if it's worth fixing when I see it. Especially because it feels hard to explain layered speech to people who don't use it, every time it happens :( -- 18:43, 1 October 2021 (UTC)

I don't really know anything about electronic or cryptography keys, but it seems to me that (1) their use started from the idea of two actual keys to launch nukes or something like in old movies, and (2) that is what Cueball actually installed, but put both one one Keychain making them useless, because they have to be turned simultaneously by two people ten feet apart or whatever, yes? Mathmannix (talk) 12:04, 2 October 2021 (UTC)

I really went on a bender as I transplanted the "What kinds of things can be Factors" information out of the Explanation. It's there for those who think they'd like to know more, but I also know I don't know everything (nor did I render absolutely everything I could), and yet also I'm rather chatty and prosaic and I must apologise for that. (Though, looking at the comment immediately above, darnit, I was going to also mention dual-nuclear-keys as a Two (Semi-Identical) Factor situation.) I also thought there was too much blue (or, rather, visited-link hue) if I was to Wikilink/Nonwikilink absolutely everything I could have. I invite anyone who is bothered to knock it more into shape. Or revert it back, if you feel strongly enough about it yet apathetic enough about getting trying your own version. Otherwise: Enjoy! 21:30, 2 October 2021 (UTC)

What the hell is "Proof of Work"?? Tried to figure it out from the explanation and I'm still confused. ELI5? --mezimm 14:42, 8 November 2021 (UTC)