Dustin Decker

Two-Person Integrity

The two-person rule is a control mechanism designed to achieve a high level of security for especially critical material or operations. Under this rule, access and actions require the presence of two or more authorized people at all times.

My first experience with TPI was as a Quartermaster in the United States Navy in the ’90s. The Figure of Merit (FOM) in the context of GPS (Global Positioning System) refers to a metric that assesses the accuracy and reliability of navigation solutions. These systems are extremely accurate. The highest FOM is a “1” which indicates the “fix” is accurate within mere inches. The information required to achieve this level of accuracy depends on cryptography, which consumer GPS units lack.

Once in a while our division chief would step onto the bridge, power off our military-grade GPS unit, and ask the quartermaster of the watch, “Where are we?” A flurry of activity would follow: perhaps shooting a sun line with a sextant, then applying a stack of books and interpolation tables and math and adding a circle on the chart. “We’re inside this one-mile circle.” Not bad for thirty minutes of work.

Our chief would power the GPS unit back on and then a member of the watch would need to visit the radio room and escort a radioman with the computer tape containing the cryptography for the GPS unit to the bridge and back, ensuring that at no time was that information in the possession of a sole individual. If you’re familiar with John Walker and his “family of spies”, you’ll understand why this is so important.

How can TPI be useful to you and me? A married couple recently shared their somewhat accidental implementation with me. Bob and Alice have a shared online account, and when Alice signed up for access, she didn’t have her cell phone with her. She provided Bob’s cell phone number to receive authentication codes for the service, perhaps intending to update the phone number in the future.

Bob and Alice have opted to leave things as is. Alice has the authentication information to access the account stored in her local password manager which requires biometric authentication to access. Bob does not have access to the authentication information but receives the verification code required during logon on his cell phone. Effectively, Bob and Alice need to be together to log on. This may be in the same room, or across the globe on a phone or video call.

This “process-based security” substantially reduces the risk of a third party successfully accessing their account.

Is this implementation perfect? Certainly not.

Some of the risks associated with this posture include:

  • Cellular network messages can often be intercepted by third parties.
  • Alice can use Bob’s cell phone to receive the authentication code while Bob is in the shower.
  • Bob can in all likelihood leverage his access to the password recovery function via his cell phone.
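
The last two risks can be checked mechanically by listing every path into the account and asking which is the smallest group of people able to complete it. The sketch below is an added example, not part of the original post; the factor names, the `recovery` path (the post only says Bob can "in all likelihood" use it) and the function names are assumptions made for illustration.

```python
from itertools import combinations

# Constructed model of the setup described above: who can produce each factor.
HOLDERS = {
    "password": {"Alice"},  # stored in Alice's biometric-locked password manager
    "sms_code": {"Bob"},    # delivered to Bob's cell phone
}

# Every path into the account and the factors it requires.
# "recovery" is an assumption: password reset driven by the phone number alone.
PATHS = {
    "login": {"password", "sms_code"},
    "recovery": {"sms_code"},
}

def can_complete(group, factors, holders):
    """True if the group, pooled together, can produce every required factor."""
    return all(holders[f] & group for f in factors)

def minimal_groups(paths, holders):
    """Return the smallest groups able to finish any path, with the path used."""
    people = sorted(set().union(*holders.values()))
    found = []
    for size in range(1, len(people) + 1):
        for combo in combinations(people, size):
            group = set(combo)
            # Skip groups that contain an already-sufficient smaller group.
            if any(prev <= group for prev, _ in found):
                continue
            for name, factors in paths.items():
                if can_complete(group, factors, holders):
                    found.append((group, name))
                    break
    return found

def is_two_person(paths, holders):
    """The control holds only if no single person can finish any path."""
    return all(len(group) >= 2 for group, _ in minimal_groups(paths, holders))

if __name__ == "__main__":
    print("as described:", minimal_groups(PATHS, HOLDERS))
    login_only = {"login": PATHS["login"]}
    print("no recovery path:", minimal_groups(login_only, HOLDERS))
    # Alice has physical access to Bob's phone (the "shower" case).
    shared_phone = dict(HOLDERS, sms_code={"Alice", "Bob"})
    print("shared phone:", minimal_groups(login_only, shared_phone))
```

The arrangement is two-person only when every path, including recovery, needs a factor from each of them and neither can reach the other's factor.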