You know two-factor authentication tokens, the ephemeral, six-digit numbers you use as a second layer of security when logging into, say, your email? Those constantly updating, randomly generated numbers are one of the easiest ways to protect your accounts from being hacked. But for some time now, I've harbored a pet conspiracy theory about those codes: Maybe they aren't as random as we're led to believe.
It began with an observation: My codes often seem to include elements that make them easier to remember. Elements like single-digit repeats (111 293; 134 441); multi-digit repeats (112 222); palindromes (353 595); ascending or descending sequences (345 564); repeating number order (618 514); and combinations thereof (876 565). Occasionally I'll get lemons, like 031 472 or 253 741, which are less appealing in an (admittedly vague) aesthetic sense and more difficult to remember. But more often than not, the passcodes that appear in my Google Authenticator app seem tailored to reduce the cognitive burden of storing them in my working memory, the short-term storage bin our brains use to stash information for a few precious seconds before forgetting it forever.
I'm not the only one who's had this sense about 2FA codes. When I mentioned it to my editor, her eyes lit up in recognition. Andy Greenberg, WIRED's senior security writer, told me the thought had crossed his mind. And when I asked cognitive psychologist Marisca Milikowski, an expert in people's knowledge of numbers, she said she'd noticed it too.
"Many of these numbers, they're really nice," she says to me while discussing the above examples, all of which recently showed up in my Authenticator app. "I mean, look at 876 565. When you get 876, it's like you only have one thing to remember. And when there's 565 behind it, well, that's a lovely pattern, too."
As it turns out, there's evidence that subjective qualities like loveliness are correlated with a number's memorability. In the 1990s, Milikowski conducted several studies on what makes numbers more or less easy to remember. In one, she found that, for numbers between one and 100, single digit numbers, teen numbers (12-19), doubled numbers (11, 22, …, 99), and large tabled numbers (numbers that appear in multiplication tables, e.g. 49, 27, 36) made a more indelible impression on test subjects than the remaining, "Other" numbers, like, say, 37.
In another experiment, she had test subjects rate each number between 1 and 100 on a variety of scales, including a good-bad spectrum. The 12 top-rated numbers, in order of goodness, were 10, 100, 36, 8, 24, 66, 16, 4, 1, 88, 21, and 12. The 12 lowest-rated numbers were 37, 93, 41, 51, 39, 17, 13, 59, 29, 43, 53, and 67. Notably, all of the good numbers belonged to a privileged, more memorable category, all the bad numbers to the less memorable Other category. In a follow-up study, Milikowski found that, in a short-term memory task, test subjects were not only more likely to correctly recall all the numbers from the good list than the bad list; they were also far more inclined to misremember numbers from the "bad" list, recalling different Other answers like 63, 19, 83, and 79. That's precisely the kind of mistake you want to avoid making when reproducing a 2FA passcode.
Milikowski never studied 6-digit numbers, but at the end of our conversation, she hypothesizes that, deliberately or no, 2FA codes do include elements that improve their memorability. The big one, she says, is repetition: "Even when the passcode contains what I call 'bad' numbers, it is, I think, saved by the patterns."
Let's pause, now, to address the obvious flaws in my theory. It's totally possible these mnemonics aren't by design. Humans excel at finding patterns in randomness. What's more, our intuitive sense of what randomness ought to look like makes us bad at anticipating, identifying, and accepting what randomness actually looks like. When Apple first launched the shuffle feature, the truly random playlists it produced often grouped multiple songs from the same artist. When users complained, Apple amended the feature to intentionally avoid these (truly random!) cluster effects. As Steve Jobs said at the time: "We’re making it less random to make it feel more random."
Or consider a series of quarter tosses: Most people are less likely to predict a sequence of five heads than they are something like THTHT—even though each of the 32 possible outcomes of flipping a coin five times has the same probability of occuring: 1/32.
Trust me: I get all that. And nominally, I agree: Some sort of cognitive bias seems like a way more plausible explanation for my memorable passcodes.
And yet! Security engineers would have some legitimate incentives to generate more memorable passcodes. At January's Enigma security conference, Google security engineer Grzegorz Milka revealed that fewer than 10 percent of active Google users avail themselves of 2FA. The main reason, according to him? It's inconvenient. So it stands to reason that memorable passcodes would beget a more seamless user experience.
And, in fact, user experience is why browser extensions like Authy let users access 2FA tokens directly from their computers, without having to copy and paste them, or memorize them on one device before re-entering them on another. Authentication services on smartphones smooth the copy/paste and memorize/recall speed bumps in other ways: Google's Authenticator app allows users to copy their 2FA codes with a quick tap instead of the typical long-press. It also divides six-digit codes into two, three-digit groups.
Psychologists call this last approach chunking, and it's a powerful technique for improving memory and retrieval (a classic practical example is the way we partition telephone numbers); presenting information in chunks significantly increases a person's odds of recalling it.
All of which is to say: Security engineers do think about the 2FA experience and how they might reduce the cognitive load on a user's working memory. Is it really so crazy to suspect that authenticators might also be designed to generate memorable passcodes?
Crazy? No. Buuuuut it's definitely wrong.
"No, these sequences are not designed to be intentionally memorable," says Google software engineer Diana Smetters, an expert in computer security and applied cryptography with a deep background in authentication systems. Google Authenticator generates codes using the Time-Based One Time Password Algorithm. And because TOTP is an open standard, most other 2FA generators do, as well. "The nice thing about being a standard is everybody agrees how the dance goes," Smetters says.
And that dance is random. Or rather, pseudorandom; the TOTP algorithm produces a series of numbers whose qualities approximate those of a series of truly random numbers. Which means that, like a bunch of quarter flips, or a randomly shuffled playlist, the resulting sequence often contains patterns that defy our expectations of randomness. For other forms of authentication, the company avoids using the numeral "0" and the capital letter "O," which users often confuse. "But we don't do that to make passcodes more memorable," she says, "we do it so they're harder to get wrong."
That said, Google does omit some codes. The 2FA tokens that the company sends via text message are also randomly generated, but exclude numbers that people might find confusing, awkward, or unlucky. For instance, Google scrubs any tokens that resemble the short-code phone numbers they use to send the passcodes over SMS.
So technically speaking, Google could omit certain hard-to-remember sequences. But it's probably not a great idea. "You can’t take out too many things because you want the full space of possible values for entropy," Smetters says. In essence, your algorithm would produce fewer codes; generally speaking, the fewer codes your algorithm produces, the easier it is to crack. Plus, she says, many patterns are probably memorable to people for different reasons.
Which seems to me like the ultimate takeaway: Google doesn't need to engineer mnemonics into its 2FA codes. Our brains are good enough at finding the patterns on their own.
- To step up your two-factor, check out Google's Advanced Protection, the most secure account you can find
- If you're someone who's sensitive to potential snooping, stop using texts for two-factor
- For a physical two-factor, try a YubiKey, but remember they're not infallible; a recent Google update to Chrome exposed them to a hypothetical attack (although that was on Google)
