
How Interesting is Your MFA?

May 11, 2019

If you’re like me (and, in this regard, if you’re not then you should be), you use Google Authenticator or a similar application to generate Multiple Factor Authentication tokens — six-digit codes that add an extra step of identity verification to sites you log into. These codes rotate every thirty seconds and must match the one the server is expecting (kinda like nuclear launch codes, but to log into Twitter/Google/banking/etc.).


My Authenticator app (site names censored)

If you’re also like me (and, in this regard, if you’re not you should count yourself lucky), you also get bugged by “interesting” numbers. Now, I trust these numbers to be mostly random (that is, hard to guess; their generation is guided by an equation my phone and the server share), but I get a funny feeling when my code is something I notice a pattern in — say, “003 400” or “145 541”.

Since our brains are primed to notice things with patterns, and also tend to remember more interesting events than less interesting ones, it sure feels like this happens a lot.

Surely it couldn’t be that often though… So I wrote a program to analyze all possible six-digit, left-zero-padded integers and see how interesting they were in the aggregate. A number is interesting (in my subjective judgement) if it matches one or more of these patterns:

  • Palindrome (e.g. 476 674)
  • Alternating (e.g. 126292)
  • First half is same as second half (e.g. 391 391)
  • Three, four, five, or six numbers repeat (e.g. 177790, 333378, 444449, 222222)
  • Digit 2 = digit 3 and digit 5 = digit 6 (e.g. 122499)
  • Digit 1 = digit 2 and digit 4 = digit 5 (e.g. 339221)
  • Sequential run up or down (e.g. 234567, 876543)
  • Sequence of doubles (e.g. 227788)
  • Bookending doubles (e.g. 331922)
  • Repeating halves interrupted by the same number (e.g. 323 929, 454 656)
  • First or second half is a sequential run up or down (e.g. 123 957, 140 987)
  • First and second half are anagrams (e.g. 142 214)

I’m bored in a hotel room tonight, so I hacked together a quick and dirty program to tell me just how likely I am to bump into one of these numbers (script here).

Turns out I have a 9.76% chance of bumping into an interesting number, assuming evenly distributed odds over all numbers! Generously assuming I use ten of these codes a week, and adding another five or six “times” that the number is so close to expiring that I can read it, but need to wait for a new one to have time to type it, I can expect to bump into around one or two of these each week — a “coincidence” that starts to feel pretty habitual.
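As an added example (this is not the post's own script, whose link did not survive here), the Python program below encodes each bullet in the list above as a predicate and sweeps all 10^6 zero-padded codes, reporting the share that matches at least one rule and how often each rule fires. The rule names and several interpretations are my assumptions: "repeat" is read as three or more identical adjacent digits, sequential runs do not wrap from 9 to 0, and "alternating" means every other digit is identical. Because the post does not spell out its exact definitions, the share this produces can differ from the 9.76% reported above.

```python
"""Sweep every six-digit, zero-padded code and classify it as 'interesting'.

Each predicate is one bullet from the post's list, under my own reading of
it (assumptions: 'repeat' = a run of 3+ identical adjacent digits; sequential
runs do not wrap 9 -> 0; 'alternating' = every other digit identical).
"""
from collections import Counter


def is_palindrome(s):
    return s == s[::-1]


def is_alternating(s):
    # a_a_a_ or _b_b_b: every other digit is the same (assumed reading)
    return s[0] == s[2] == s[4] or s[1] == s[3] == s[5]


def halves_equal(s):
    return s[:3] == s[3:]


def has_run_of_three(s):
    # three or more identical digits in a row, anywhere in the code
    return any(s[i] == s[i + 1] == s[i + 2] for i in range(len(s) - 2))


def inner_pairs(s):
    # digit 2 == digit 3 and digit 5 == digit 6 (1-indexed), e.g. 122499
    return s[1] == s[2] and s[4] == s[5]


def outer_pairs(s):
    # digit 1 == digit 2 and digit 4 == digit 5 (1-indexed), e.g. 339221
    return s[0] == s[1] and s[3] == s[4]


def is_sequential(s):
    # strictly ascending or descending by one at every step, no wrap-around
    diffs = {int(b) - int(a) for a, b in zip(s, s[1:])}
    return diffs == {1} or diffs == {-1}


def all_doubles(s):
    return s[0] == s[1] and s[2] == s[3] and s[4] == s[5]


def bookend_doubles(s):
    return s[0] == s[1] and s[4] == s[5]


def interrupted_halves(s):
    # aba cbc: both halves repeat their first digit around the same middle
    return s[0] == s[2] and s[3] == s[5] and s[1] == s[4]


def half_sequential(s):
    return is_sequential(s[:3]) or is_sequential(s[3:])


def halves_anagram(s):
    return sorted(s[:3]) == sorted(s[3:])


# Rule names are mine; the order follows the post's bullet list.
RULES = {
    "palindrome": is_palindrome,
    "alternating": is_alternating,
    "halves_equal": halves_equal,
    "run_of_three_or_more": has_run_of_three,
    "inner_pairs": inner_pairs,
    "outer_pairs": outer_pairs,
    "six_digit_run": is_sequential,
    "all_doubles": all_doubles,
    "bookend_doubles": bookend_doubles,
    "interrupted_halves": interrupted_halves,
    "half_sequential": half_sequential,
    "halves_anagram": halves_anagram,
}


def matching_rules(code):
    """Return the names of every rule the six-character code satisfies."""
    return [name for name, test in RULES.items() if test(code)]


def is_interesting(code):
    return bool(matching_rules(code))


def survey():
    """Classify 000000..999999; return (interesting share, per-rule hit counts)."""
    hits = Counter()
    interesting = 0
    for n in range(10 ** 6):
        matched = matching_rules(f"{n:06d}")
        if matched:
            interesting += 1
        hits.update(matched)
    return interesting / 10 ** 6, hits


if __name__ == "__main__":
    share, hits = survey()
    print(f"interesting codes: {share:.2%}")
    for name, count in hits.most_common():
        print(f"  {name:22s} {count:6d}")
```

A few of the per-rule counts can be checked by hand, which is a useful sanity test of the predicates before trusting the overall share: exactly 1,000 palindromes, exactly 10 full six-digit runs (012345 through 456789 and their reverses), 36,910 codes containing a run of three or more identical digits, and 5,140 codes whose halves are anagrams.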

So, are MFA tokens random? Yes, definitely. However, you’re apt to get a code your brain thinks isn’t random about one in every ten codes.