2FA: Why not use dictionary phrases instead of numbers?

Yes, you are increasing entropy, but you are decreasing usability.

Firstly, you need to get a good dictionary. Things you need to think about are accessibility (how readable is it? Are there b/d, q/p, cl/d or I/l confusions? You can't have "click" and "dick" in the dictionary). Are the words easy to spell from memory? I can't spell 2/4 of the words you used, and I have a BSc. You can't have any that are too technical or culturally insensitive (e.g. Taiwan).

Secondly, you talk about mobile keyboards with autocorrect. Autocorrect goes wrong; you need to check that every word in your dictionary will be in them for a long time (if bananas go extinct tomorrow, will the word still be in an autocorrect in 30 years?), and you are making it harder for those with full-size hardware keyboards.

Thirdly, you are cutting out everyone who doesn't speak the language; numbers work across all languages. There are very few other number systems in use outside the 123 numerals.

Fourth, how are you going to display them? A 6-digit number can be shown on a 6-digit 7-segment display; 4 words need at least a 20-character, more complex display or better. "But they can be on a phone," I hear you say, but there are places you can't have a phone because no wireless devices are allowed (it's hell on earth; never work in a place like this), and that would fragment the market into those with mobile devices and those without, which leads into

Lastly, it would fragment the market. For tech like this, fragmentation is bad; we trust it because it has been tested lots and lots. Unless the old thing is broken or the new thing is 1,000,000% better than the original, it will never take root. As it is, we still have broken encryption methods in use now because removing them might break something worse, and banks that still use something you know and something you know (2 passwords).

The improvement they could make to 2FA devices is to be able to set how long the code is on the screen, up to 60 seconds max (10 seconds per number, for accessibility reasons), and have the box you type it into tagged as a number box so that soft keyboards show either the number row or, better, a number pad.
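The entropy side of the trade-off the answer above opens with can be made concrete with a small added example (this is editor-supplied code, not part of the answer or of any product it mentions). It derives a one-time code from the same HMAC two ways: as the usual 6 decimal digits via RFC 4226's dynamic truncation, and as a short phrase drawn from a word list, then compares how many bits each form carries. The secret is RFC 4226's published test secret; the 32-entry `WORDS` list is constructed for the demo, and `hotp_digits`, `hotp_words` and `entropy_bits` are names chosen here.

```python
"""
Added example: one HMAC, two presentations (6 digits vs. N words), plus the
entropy each carries. Not from the original answers; WORDS is a constructed
demo list and the function names are this example's own.
"""
import hmac
import hashlib
import math
import struct

# Constructed demo word list: 32 entries, so each word carries 5 bits.
# A real list (e.g. 2048 words, 11 bits each) would still need the review the
# answer describes: no b/d, I/l or click/dick near-collisions, every word easy
# to spell from memory, nothing culturally loaded.
WORDS = [
    "apple", "river", "stone", "cloud", "bread", "house", "light", "music",
    "paper", "table", "water", "green", "horse", "mountain", "window", "garden",
    "silver", "orange", "summer", "winter", "forest", "island", "market", "planet",
    "rocket", "candle", "button", "pencil", "yellow", "purple", "ocean", "desert",
]


def _hmac_sha1(secret: bytes, counter: int) -> bytes:
    """RFC 4226 step 1: HMAC-SHA-1 over the 8-byte big-endian counter."""
    return hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()


def hotp_digits(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation to a 31-bit integer, then mod 10^digits.

    Note the ceiling: the truncated value is 31 bits, so asking for more than
    9 digits adds characters but no entropy.
    """
    mac = _hmac_sha1(secret, counter)
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp_words(secret: bytes, counter: int, n_words: int = 4, words=WORDS) -> list:
    """Same HMAC, but sliced into word-list indices instead of decimal digits.

    Each word consumes log2(len(words)) bits of the 160-bit MAC, so the phrase
    is not bounded by the 31-bit truncation the digit form uses.
    """
    bits_per_word = int(math.log2(len(words)))
    if 2 ** bits_per_word != len(words):
        raise ValueError("word list size must be a power of two for an even split")
    mac_int = int.from_bytes(_hmac_sha1(secret, counter), "big")
    phrase = []
    for _ in range(n_words):
        phrase.append(words[mac_int & (len(words) - 1)])
        mac_int >>= bits_per_word
    return phrase


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in `length` symbols drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 Appendix D test secret
    for counter in range(3):
        print(counter, hotp_digits(secret, counter), " ".join(hotp_words(secret, counter)))
    print(f"6 digits:        {entropy_bits(10, 6):.1f} bits")
    print(f"4 of 32 words:   {entropy_bits(32, 4):.1f} bits")
    print(f"4 of 2048 words: {entropy_bits(2048, 4):.1f} bits")
```

Run against the RFC test secret, counter 0 yields the familiar `755224`; four words from a 32-entry list carry about the same 20 bits as those six digits, and only a 2048-entry list pushes four words to 44 bits. That is the "yes, more entropy" half of the answer; every other point it raises (display width, spelling, autocorrect drift, language) is cost paid to carry those extra bits through a human.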


To add to @topher-brink's answer.

2FA is used in more situations than human-machine communication. There are implementations using 2FA in some hardware devices (they use something like the U2F dongles).

These devices cannot work with strings of characters (and whatever encoding scheme they might be in), but for numbers there are no such problems.

As a use case for such a system, think of a medical device that needs to communicate with a service but also ensure intent and confidentiality (so it uses a client-side certificate and a 2FA mechanism). The device can present the client with an accept/decline dialog but not with a number or textual string for its 2FA.

Tags:

Multi Factor