An essay in an April trade magazine maintains two-factor authentication can't counter emerging threats, and that the industry would be wise to come up with a better solution to the nation's biggest cyberproblem: identity theft.
Most readers of Bruce Schneier's popular blog on security got a sneak preview last month when he posted the essay online under the heading "The Failure of Two-Factor Authentication." It led to a strong response from those who agree the solution has limited appeal and others who argue it works well when done right.
"I agree with most of what he says, but I don't agree it's a failure. I think he's overstated his case," New Hampshire-based security consultant Ted Demopoulos of Demopoulos Associates, whose clients include Cisco, IBM and T Rowe Price, said in a phone interview. "Two-factor authentication, at most, can be part of the solution."
Schneier, who is traveling in the Middle East and unavailable for comment, believes using more than passwords helps mitigate fraud but won't prevent imposters from illegally accessing online accounts the way some vendors claim. "It solves the security problems we had ten years ago, not the security problems we have today," he wrote.
In particular, the author and CTO of managed security service provider Counterpane Inc. cites two attacks that two-factor defenses don't stop: phishing, in which fake financial Web sites capture users' usernames and passwords, and Trojans that record keystrokes. "In the first case, the attacker can pass the ever-changing part of the password to the bank along with the never-changing part. And in the second case, the attacker is relying on the user to log in."
Instead, he said, "the real threat is fraud due to impersonation, and the tactics of impersonation will change in response to the defenses. Two-factor authentication will force criminals to modify their tactics, that's all."
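The relay Schneier describes in the first case, shown as an added example that is not from the article or from Counterpane: a constructed bank that checks a static password plus an RFC 6238 time-based one-time code, and a constructed phishing front end that forwards whatever the victim types while the code is still inside the bank's acceptance window. The user name, password, token secret and timestamps are all made up for the example; the TOTP routine itself follows RFC 6238 (HMAC-SHA1 over the 30-second time-step counter) and is checked against the RFC's published test vector.

```python
import hmac
import hashlib
import struct

STEP = 30  # RFC 6238 default time step, in seconds


def totp(secret: bytes, now: int, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the time-step counter, SHA-1."""
    counter = now // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class Bank:
    """Constructed stand-in for the real bank: password plus token code."""

    def __init__(self):
        self.users = {}  # username -> (password, token secret)

    def enroll(self, user: str, password: str, secret: bytes) -> None:
        self.users[user] = (password, secret)

    def login(self, user: str, password: str, otp: str, now: int) -> bool:
        if user not in self.users:
            return False
        stored_pw, secret = self.users[user]
        if not hmac.compare_digest(stored_pw, password):
            return False
        # Typical deployment: accept the current step and one step of clock
        # drift either side. This window is what gives the relay its time.
        for drift in (-1, 0, 1):
            if hmac.compare_digest(totp(secret, now + drift * STEP), otp):
                return True
        return False


class PhishingSite:
    """Constructed fake bank front end: capture, then relay in real time."""

    def __init__(self, real_bank: Bank):
        self.real_bank = real_bank
        self.captured = None

    def victim_submits(self, user: str, password: str, otp: str, now: int) -> bool:
        self.captured = (user, password, otp)
        # The never-changing part (password) and the ever-changing part (otp)
        # are both forwarded within seconds, so the bank sees a valid login.
        return self.real_bank.login(user, password, otp, now + 2)


def run_demo(now: int = 1_700_000_000) -> tuple:
    """Returns (relay_succeeded, later_replay_succeeded)."""
    bank = Bank()
    secret = b"constructed-token-secret"            # constructed, not a real seed
    bank.enroll("alice", "correct horse", secret)

    victim_code = totp(secret, now)                  # what alice's token displays
    phish = PhishingSite(bank)
    relay_ok = phish.victim_submits("alice", "correct horse", victim_code, now)

    # Two minutes later the same captured code is outside the window: the
    # one-time code defeats replay, not a live relay.
    user, pw, otp = phish.captured
    replay_ok = bank.login(user, pw, otp, now + 120)
    return relay_ok, replay_ok


if __name__ == "__main__":
    relayed, replayed = run_demo()
    print(f"real-time relay accepted: {relayed}; replay two minutes later accepted: {replayed}")
```

The point the demo makes is the one in the quote: the changing code is only a defense against an attacker who has to act later. An attacker sitting between the user and the bank while the user is logging in gets a valid session whether the second factor is a token code, an SMS code or a code from a grid card, because the bank cannot tell from the code alone which Web site the user typed it into.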
While virtually everyone agrees passwords are on life support these days, there is little agreement on what second factor will restore consumer confidence in e-commerce in the wake of widely publicized enterprise data thefts. The most often cited choices are smart cards, hardware tokens and biometrics.
"Our system of username and password is too easy to compromise with monitoring software and spyware and phishing. The extra step, the ever-changing password, stops phishing cold," noted Robert Siciliano, a Boston-based identity theft expert and author of The SafetyMinute :01.
Siciliano agrees with Schneier to a point but says two-factor authentication is far from "worthless." He sees biometrics as the best option for slowing down fraud, but the technology's been badmouthed by so many that it's now a harder sell.
"America needs a national ID system because the way that we identify people now is fundamentally flawed," he said. "We currently rely on pieces of paper with typed words and photos laminated in plastic…." He advocates "smarter" IDs that communicate digitally and electronically with a server, such as those embedded with chips, RFID tags or a biometric. "Nobody has the same DNA. Nobody has the same thumbprint. Biometrics digitally store and record the uniqueness of your face, eyes, ear canals, voice and fingerprints. Technology can process this information and store it on smartcards that can be used to properly identify people. And if we encrypted the information, it would be secure."
Demopoulos sees two-factor authentication gaining ground in a number of areas, but not where it probably matters most -- the home user. That's why many PC manufacturers have yet to mass produce machines with readers or scanners that would boost widespread adoption.
"There's such price competition in computer hardware that even small costs matter," he explained. "They don't want to bundle anything that isn't seen as essential. The biggest reason it's not seen as essential is because there's no groundswell of user or business support for it. The demand isn't there. It's hard to say why that is."
Moreover, phishing attacks work because of clever social engineering, which is best countered by constant user awareness campaigns, he said. "Social engineering attacks are always going to be possible, no matter what."