Archive for April 15th, 2005

Id theft: Taking a swipe at two-factor authentication

I have just posted the comment below in response to this article

Bruce Schneier’s article http://www.schneier.com/essay-083.html implies that two-factor authentication is too outdated to be of any real use.

I believe that this is a very dangerous argument to be promoting, particularly since the existing username and password security that every service currently uses is not enough and criminals are easily compromising this fact already. In my experience the biggest hurdle is to get organisations to spend any money on any more advanced security solution.

Although second factor authentication using one-use changing passwords from a token device or from an SMS can be compromised by some increasingly sophisticated attacks, it does stop most of the common existing ones. Keystroke loggers, standard phishing and other methods of just stealing static passwords can currently be used to passively generate databases of stolen login details. They become obsolete with the implementation of second factor authentication.

I also believe that online businesses are at the threshold of a new phase of development where the old username and password combination will be complemented with increasingly sophisticated levels of security solutions. These businesses must invest in these solutions and their customers must be given a choice over the usage of them. The penalty for choosing not to use them may be limited functionality or increased costs elsewhere.

Second factor authentication will not be the final solution for online security but it is the most mature solution for the next phase of security developments.

Friday, April 15th, 2005