Cheat Sheet: Two-factor authentication

What is it? And will it make our identities more secure?

By Will Sturgeon, 24 October 2005 17:16

Two-factor authentication? What's that?
Well, that's a question more and more people are asking as they hear that their bank is adopting this relatively new way of checking that you are who you say you are.

But I know who I am...
That's good to hear. And how do you prove who you are when accessing your bank or another secure environment such as your computer on the office network?

Well I use my password.
Which is?

pA55w0rd
Exactly. The problem is that people aren't good at choosing or protecting passwords. Too often they pick easily guessable names or dictionary words, or something so complicated that they end up writing it down. So companies are now looking at two-factor authentication, which typically adds a single-use, multi-digit numeric code on top of the existing username and password or PIN.

Sounds even more complicated...
This is where technology comes in. Many vendors in this space supply secure tokens - little gizmos, if you like, no bigger than a key-fob - that generate the codes for you. The numbers look random but aren't: each token holds a secret that is also known to the bank's server, and the code is computed from that secret plus the current time (or a counter), so the server can compute the same value and check it. A code is good for about as long as it takes to log in - say 60 seconds - and then it's done and dusted.

What are the benefits?
Single-use codes are far more secure than traditional static passwords (which admittedly aren't hard to beat). The scheme relies on two factors: something the user knows, their password or PIN, and something the user has, the token that generates the six- or seven-digit number. A token in your pocket is far harder to steal remotely than a password written on a Post-it note, and a code that has already been used is worthless to whoever reads it off the note.

Sounds great...
And many would agree with you – certainly among enterprise, small office and home users. But there are some fierce critics out there when the debate moves on to the banking industry where this is being presented as a bit of a 'silver bullet' for identity theft.

Opposition? Why so?
On one level there is a 'fear of change' that dogs any new service or technology, and that is perhaps the least of the concerns for banks and vendors. But many users also fear, perhaps with some justification, that banks will use the technology to distance themselves further from liability when losses do occur.

But won't this method stop losses occurring in the first place?
That's the idea but not everybody is convinced.

Respected security guru Bruce Schneier wrote an essay on the problem which begins positively for advocates of two-factor authentication. "If your password includes a number that changes every minute then it's harder for someone else to intercept," he wrote.

However, Schneier argues that this merely addresses a problem of at least two decades' standing, not today's identity theft, because "the nature of attacks has changed over those two decades".

In what way? Why won't these gizmos keep us safe?
Schneier outlines a 'man-in-the-middle' attack: phishers set up a dummy website that looks like the bank, collect the single-use passcode the victim types in - just as they used to collect usernames and passwords - and relay it straight to the real bank while it is still valid. A code that expires after 60 seconds is no defence if the attacker uses it within those 60 seconds. Schneier also argues that attackers will simply lurk on the user's machine, having got in via a Trojan (or a backdoor vulnerability), wait until the user has authenticated and then 'piggyback' on that secure session, issuing their own transactions from inside it.

So the criminals just change tactics?
That's certainly the suggestion, though it does raise the bar: the criminals can no longer just social-engineer a reusable password out of us and use it at leisure. A single-use code only helps them if they use it inside its validity window, which is why the real-time relay and the session-hijacking Trojan are the attacks to worry about, not the stolen Post-it note. It is worth noting too that Schneier himself points out that two-factor authentication is more secure than the good old-fashioned passwords we all know and love.
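The mechanics described above - a token computing a short-lived code from a shared secret and the time, a bank that accepts each code once, and a phisher relaying the code inside its window - can be shown in a few dozen lines. The following is an added example written for this cheat sheet, not code from the article or from any bank or token vendor. It implements the HOTP/TOTP construction (RFC 4226 and RFC 6238, which standardised the approach these tokens use; the 60-second step, the seed, the usernames and the timestamps are all constructed for the demo), and it goes one step beyond the article by also showing a transaction-bound code, an assumed scheme in which the code commits to the payee and amount, so that a relayed code cannot be redirected to a different account.

```python
import hashlib
import hmac
import struct

DIGITS = 6
# The article's "say 60 seconds" window. Assumption for the demo;
# RFC 6238 uses 30-second steps by default.
STEP_SECONDS = 60


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, now // step)


def transaction_key(secret: bytes, payee: str, amount: int) -> bytes:
    """Assumed scheme (not the article's): derive a per-transaction key so the
    code commits to payee and amount. Real transaction-signing tokens achieve
    the same binding by having the user key a bank-supplied challenge into the token."""
    return hmac.new(secret, f"{payee}:{amount}".encode(), hashlib.sha256).digest()


def transaction_code(secret: bytes, now: int, payee: str, amount: int) -> str:
    return totp(transaction_key(secret, payee, amount), now)


class OtpServer:
    """Bank-side verifier. Accepts a code from the current step or one step either
    side (clock skew) and remembers the last step accepted per user, so a captured
    code cannot be replayed within its window: that is what makes it single use."""

    def __init__(self, secrets, step=STEP_SECONDS, skew=1):
        self.secrets = secrets      # user -> token seed shared with the bank
        self.step = step
        self.skew = skew
        self.last_step = {}         # user -> last time step already consumed

    def _check(self, user, key, code, now):
        current = now // self.step
        for candidate in range(current - self.skew, current + self.skew + 1):
            if candidate <= self.last_step.get(user, -1):
                continue            # already used: reject the replay
            if hmac.compare_digest(hotp(key, candidate), code):
                self.last_step[user] = candidate
                return True
        return False

    def verify_login(self, user, code, now):
        secret = self.secrets.get(user)
        return secret is not None and self._check(user, secret, code, now)

    def verify_transaction(self, user, code, now, payee, amount):
        secret = self.secrets.get(user)
        if secret is None:
            return False
        return self._check(user, transaction_key(secret, payee, amount), code, now)


def relay_attack_demo():
    """Constructed scenario: Alice types her codes into a phishing page and the
    attacker relays them to the real bank ten seconds later."""
    seed = b"constructed-demo-seed-0001"   # constructed, not a real token seed
    bank = OtpServer({"alice": seed})
    t0 = 1_130_000_000                     # constructed timestamp (October 2005)

    login_code = totp(seed, t0)
    relayed = bank.verify_login("alice", login_code, t0 + 10)    # inside the window: accepted
    replayed = bank.verify_login("alice", login_code, t0 + 20)   # same step, already used: rejected

    # Later Alice authorises a payment of 50 to "bob" with a transaction-bound code;
    # the attacker relays it for a different payee and amount before she does.
    pay_code = transaction_code(seed, t0 + 200, "bob", 50)
    diverted = bank.verify_transaction("alice", pay_code, t0 + 210, "mallory", 5000)
    honest = bank.verify_transaction("alice", pay_code, t0 + 210, "bob", 50)
    return {"relayed_accepted": relayed, "replay_accepted": replayed,
            "diverted_accepted": diverted, "honest_accepted": honest}


if __name__ == "__main__":
    print(relay_attack_demo())
```

The first two checks are the article's point in miniature: the relayed login code is accepted because it arrives inside its window, and only the second use of it is refused. Note that the server has to remember the last step it accepted per user; a verifier that merely recomputes the code and compares it would accept the replay too. The last two checks show why binding the code to the transaction, rather than just to the time, is the defence against a relay: the same code that authorises 50 to "bob" fails for "mallory", because the attacker cannot compute a code for a transaction the user never approved.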

So it's better...
...but not perfect. Indeed, it's still early days: Lloyds TSB recently became the first UK bank to announce a rollout of two-factor authentication to retail customers. Others such as Coutts already use it for some 'high net-worth' customers, but only once it is widespread in the mainstream will we know its true impact on online banking fraud and on customer satisfaction.

Comments


  1. John Stewart

    Editor - I somehow hit the send key before finishing my posting.

    the final sentence should read:

    They should not be seen as a 'silver bullet' but two factor authentication based on One Time Passcodes is a crucial weapon in our fight against the phishers.

  2. Csaba Gabor, Ph.D.

    One problem with single passwords (alluded to) is that there are so many user name / password restrictions that it is virtually impossible to remember them all. For example, some require you to have a password (PIN) of exactly four digits while others require six or more, and some require at least a numeral, but no arithmetic sequence of length three. Similarly, I have not been able to use the same account name (for example, when one company manages multiple credit cards, they enforced distinct user names on me). I can't remember these without writing them down. This is a liability - and when you have millions, a liability is the same as a cost. But the cost has been offloaded to me as I am required to take whatever steps necessary to ensure that I will be authenticated. It is not unreasonable to expect a person to remember a small amount of data such as a social security number or maybe a single password. It is unreasonable to expect a person to memorize a distinct datum (user name/password) for each entity (financial institution, online account) that person interacts with.

    So what is two-factor authentication? It's a more secure password. There's more to it so it's clearly more secure (password here is used in an encompassing sense. For example, a fingerprint or retinal scan or physical item are effectively passwords). When someone tells you more is better, an important question to ask is, "How much more?" Why not three or four or many more levels? When you answer that, you will have identified the cost of the extra password. I won't answer that directly, but instead leave you with a question: Just how much more are you willing to carry around?

    Dr. Csaba Gabor from Vienna

  3. Allan M. Huss

    Two factor is simple to use -- I use it now to access my company VPN -- and that is a great benefit.

    What the industry will need to do to adopt this broadly is to devise standards so that one token can suffice for multiple accounts. I don't need 20 tokens on my now 3-kilo keyring.

  4. Michael O'Farrell

    A Two Factor Authentication Token Matrix is available on the diversinet.com web site. It provides an overview of options available to consumers, and their service providers, for strong authentication tokens.

    By leveraging a device that most online community users already carry - a mobile phone, PDA or Flash Memory Card - consumers will not need to carry '20' tokens on their keychain for all their two-factor authentication needs.

    Making Two-Factor Authentication simple for all parties is the best solution.

