April 3, 2019

At long last, TSP administrators announced that the TSP site is about to implement two-factor authentication (2FA) for TSP participants.

The announcement was tweeted April 2nd:

You’ll soon be able to add extra security to your TSP account with two-step authentication at login. Get ready by making sure you validate your email or cell phone in My Account.

🗓 You’ll soon be able to add extra security to your TSP account with two-step authentication at login. Get ready by making sure you validate your email or cell phone in My Account. https://t.co/j6MHP5zDoc pic.twitter.com/Au2DjqX2bo

— Thrift Savings Plan (@tsp4gov) April 2, 2019

The last announcement on this came in late October last year, when several outlets reported that the agency was preparing to implement 2FA. That was almost five months ago. With the growing account balances, you would think this would’ve been one of the priority areas in terms of security years ago.

This is, in my opinion, long over-due - like you, I’ve been following this in terms of mobility and site security closely for a while now - and I was nonetheless pleased to read that it is about to happen, if belatedly.

The tweet did not give any indication when it would be implemented and available for TSP investors, even now.

My hope is that it goes beyond using SMS for the second factor, and allows for use of authentication apps such as Google Authenticator, MS Authenticator, or similar types of apps. SMS as a second factor is not as secure as we make it out to be - some say authenticator apps aren’t as secure either - they are certainly better than just using a password.

There is also the more prosaic issue of access to different factors for the truly international workforce. In some instances, a text or call to a phone number simply isn’t an option, and sometimes an app-based second factor via WiFi is the only alternative. But sometimes even that doesn’t work…!

In my opinion, I would really like to see “universal second-factor (U2F) implemented on the TSP site. This involves requiring an actual physical/electronic key in your possession as a second factor, such as a Yubikey or Google Titan. Without it, you can’t get in; best practice is to keep two or three associated with your account, so that if you lose one, or one gets damaged, you can still gain access with the second one in your possession.

Google declared in 2017 that after all of its 85,000 employees started to use the Titan, together with the company’s “advanced protection” program, no account has been successfully broken into. (The company actively tests this against its own employees, too.)

Of course, as with everything, there are some questions about that protocol as well, and other companies are seeking to mitigate those issues on their own - how can you not love free enterprise based on open markets (and open source!)?

At any rate, enabling 2FA is a good first move, thank you TSP!

Related topics: tsp-updates