Well, the real answer is a couple of questions: What problem are you trying to solve? What threat are you trying to avoid?
Two-factor authentication is better than one-factor, I suppose. Every time I get money from an ATM, it uses two-factor authentication. On the other hand, every time I start my car or unlock my house I'm using one-factor authentication, and none of us suggest that's not good enough.
I mention this because there's a tendency to think that because two is a larger number than one, anything that has two of something is better than something that has one of them. In security, however, there's a principle that every security measure is a denial of service in disguise. If you move from plain passwords to passwords plus tokens of some sort, then you have created a more secure environment, but one in which it's easy to keep people from doing their jobs. What happens if they leave the token at home, the token just stops working, someone from another site works in your building and so on.
And that brings us back to the question of what problem you're trying to solve. Only you can answer why you need two-factor authentication and what you want that other factor to be.
There's also a bit of a gray area on what counts as a factor. Some things are easy. A password counts as a factor. A smart card is obviously a factor that's different than a password. Others aren't so clear. Is a certificate another factor? I'm fortunate enough to have an office with a door; is that lock another factor?
The Phoenix system seems to me to fall smack into that sort of a gray area. Whatever they're doing is turning your system into something like a token. You can't authenticate from another machine.
This is neat, but there's a very real sense in which my machine is either a really nifty factor or not a factor at all. For example, suppose an attacker knows my password and walks into my office when I'm out at lunch. Well, knowing my password can unlock my machine no matter what, and this doesn't add anything. On the other hand, they can't come in on the VPN that way. It also makes a certain amount of sense with a laptop.
Now -- you're asking my opinion about this, presumably because you're thinking about buying it. Unfortunately, I don't have information about what you want to do. I don't know what problem you're trying to solve. If you want to buy it and you need some good reasons for why you should -- well, I can give it to you. If, on the other hand, you don't want to buy this and you need ammunition to shoot it down, I could do that, too.
If you're going to put this on laptops, home machines or other mobile systems as a remote authentication system, I think it's pretty cool. You're getting most of the benefit of a two-factor system, while making the second factor the actual device that's connecting. It will keep out random people trying to connect to your network with little pain to your users.
If, however, you're wanting to put this on static systems in people's offices, then well, I don't think it adds all that much. Yeah, it will solve people from plugging unauthorized systems into your network, but how often does that happen? (Maybe a lot, maybe not at all, only you can answer that.) One of the costs of the system, however, will be a loss of convenience. If I can't go into your office and say, "Here, let me show you something" then we're losing a small but valuable part of a distributed network. Me, I'd optimize for convenience, but I don't know your requirements.
This was first published in January 2003