Just How Random Are Two Factor Authentication Codes?
You know two-factor authentication tokens, the ephemeral, six-digit numbers you use as a second layer of security when logging into, say, your email? Those constantly updating, randomly generated numbers are one of the easiest ways to protect your accounts from being hacked. But for some time now, I've harbored a pet conspiracy theory about those codes: Maybe they aren't as random as we're led to believe.
It began with an observation: My codes often seem to include elements that make them easier to remember. Elements like single-digit repeats (111 293; 134 441); multi-digit repeats (112 222); palindromes (353 595); ascending or descending sequences (345 564); repeating number order (618 514); and combinations thereof (876 565). Occasionally I'll get lemons, like 031 472 or 253 741, which are less appealing in an (admittedly vague) aesthetic sense and more difficult to remember. But more often than not, the passcodes that appear in my Google Authenticator app seem tailored to reduce the cognitive burden of storing them in my working memory, the short-term storage bin our brains use to stash information for a few precious seconds before forgetting it forever.
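The question the observation raises can be tested directly. The codes Google Authenticator shows are TOTP values (RFC 6238): an HMAC-SHA1 over a shared secret and a 30-second time counter, truncated to six decimal digits, so they are deterministic rather than random, but the HMAC output is designed to be indistinguishable from uniform. The example below is added here and is not code from the article; it implements the RFC 4226/6238 algorithm, checks it against the RFCs' published test vectors, and then measures how often the patterns listed above (adjacent repeats, palindromic halves, consecutive runs) occur across many generated codes, alongside the rate a uniformly random six-digit string would produce. The secret key is the constructed ASCII test key from the RFCs, and the pattern definitions are my own reading of the article's categories.

```python
"""Added example (not from the original article): generate RFC 6238 TOTP codes
and measure how often "memorable" digit patterns appear, compared with what a
uniformly random six-digit code would produce."""
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then reduction mod 10**digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(key, unix_time // step, digits)


def has_adjacent_repeat(code: str) -> bool:
    """111 293 / 134 441 style: at least one pair of equal neighbouring digits."""
    return any(a == b for a, b in zip(code, code[1:]))


def has_palindrome_half(code: str) -> bool:
    """353 595 style: either three-digit half reads the same backwards."""
    first, second = code[:3], code[3:]
    return first == first[::-1] or second == second[::-1]


def has_consecutive_run(code: str, length: int = 3) -> bool:
    """345 564 style: a window of `length` digits that steps by +1 or -1."""
    for i in range(len(code) - length + 1):
        window = [int(c) for c in code[i:i + length]]
        diffs = {window[j + 1] - window[j] for j in range(length - 1)}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def looks_memorable(code: str) -> bool:
    """Any of the patterns the article describes as easy to remember."""
    return (has_adjacent_repeat(code) or has_palindrome_half(code)
            or has_consecutive_run(code))


def expected_adjacent_repeat_rate(digits: int = 6) -> float:
    """Uniform baseline: P(no two neighbours equal) = 0.9**(digits-1),
    so P(at least one adjacent repeat) = 1 - 0.9**(digits-1) ~= 0.41 for 6 digits."""
    return 1 - 0.9 ** (digits - 1)


def pattern_rates(key: bytes, n: int) -> dict:
    """Empirical rate of each pattern over the first n counter values."""
    codes = [hotp(key, c) for c in range(n)]
    checks = {
        "adjacent_repeat": has_adjacent_repeat,
        "palindrome_half": has_palindrome_half,
        "consecutive_run": has_consecutive_run,
        "any_pattern": looks_memorable,
    }
    return {name: sum(map(fn, codes)) / n for name, fn in checks.items()}


if __name__ == "__main__":
    # Constructed demo key: the ASCII secret used by the RFC 4226/6238 test vectors.
    key = b"12345678901234567890"
    print("TOTP at t=59:", totp(key, 59))  # RFC 6238 vector 94287082, last 6 digits
    print(f"uniform baseline, adjacent repeat: {expected_adjacent_repeat_rate():.3f}")
    for name, rate in pattern_rates(key, 20000).items():
        print(f"{name:>16}: {rate:.3f}")
```

The baseline is the point: with six uniformly random digits, about 41% of codes contain a repeated neighbouring digit and about 19% have a palindromic three-digit half, so "memorable" codes should be the majority even when nothing is being tailored. Running the empirical count against the expected rates is the check to apply before concluding that a generator is biased.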