Taking a swipe at two-factor authentication

By Anne Saita, News Director
08 Apr 2005 | SearchSecurity.com


An essay in an April trade magazine maintains two-factor authentication can't counter emerging threats, and that the industry would be wise to come up with a better solution to the nation's biggest cyberproblem: identity theft.

Most readers of Bruce Schneier's popular blog on security got a sneak preview last month when he posted the essay online under the heading "The Failure of Two-Factor Authentication." It led to a strong response from those who agree the solution has limited appeal and others who argue it works well when done right.


"I agree with most of what he says, but I don't agree it's a failure. I think he's overstated his case," New Hampshire-based security consultant Ted Demopoulos of Demopoulos Associates, whose clients include Cisco, IBM and T Rowe Price, said in a phone interview. "Two-factor authentication, at most, can be part of the solution."

Schneier, who is traveling in the Middle East and unavailable for comment, believes using more than passwords helps mitigate fraud but won't prevent imposters from illegally accessing online accounts the way some vendors claim. "It solves the security problems we had ten years ago, not the security problems we have today," he wrote.

In particular, the author and CTO of managed security service provider Counterpane Inc. cites phishing attacks, in which fake financial Web sites capture users' usernames and passwords, and Trojans that record keystrokes as being resistant to two-factor defenses. "In the first case, the attacker can pass the ever-changing part of the password to the bank along with the never-changing part. And in the second case, the attacker is relying on the user to log in."

Instead, he said, "the real threat is fraud due to impersonation, and the tactics of impersonation will change in response to the defenses. Two-factor authentication will force criminals to modify their tactics, that's all."
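The "first case" above can be made concrete. The following is an added illustration, not code from the article or from any vendor it quotes: a plain time-based one-time code is checked only against the clock, so a code forwarded to the bank within the same time step verifies; a second factor computed over a fresh bank challenge plus the origin the client is really connected to (the idea behind origin-bound authenticators, shown here in simplified form) does not verify when forwarded. The seed, origins and timestamps are constructed sample values; `BANK_ORIGIN` and `FAKE_ORIGIN` are placeholders.

```python
"""Added illustration of the relay problem described above and of an origin-bound
mitigation. All seeds, origins and timestamps are constructed sample values."""
import hashlib
import hmac
import struct

TIME_STEP = 30                                      # seconds per TOTP step (RFC 6238 default)
USER_SEED = b"constructed-sample-seed-0123456789"   # constructed shared seed
BANK_ORIGIN = "https://bank.example"                # placeholder for the real site
FAKE_ORIGIN = "https://bank-example-login.test"     # placeholder for the look-alike site


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated to `digits`."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{word % 10 ** digits:0{digits}d}"


def totp(seed: bytes, now: int) -> str:
    """RFC 6238: HOTP with the counter derived from wall-clock time."""
    return hotp(seed, now // TIME_STEP)


def plain_totp_verify(seed: bytes, code: str, now: int) -> bool:
    """The bank's check of the 'ever-changing' part: it asks only whether the code
    matches the current step, never where the user typed it."""
    return hmac.compare_digest(code, totp(seed, now))


def relay_plain_totp(now: int, relay_delay: int) -> bool:
    """Model of the article's first case: the user enters the code on the look-alike
    site at time `now`; the look-alike forwards it to the bank `relay_delay` seconds
    later. Returns the bank's decision."""
    code_typed_on_fake_site = totp(USER_SEED, now)
    return plain_totp_verify(USER_SEED, code_typed_on_fake_site, now + relay_delay)


def bound_response(seed: bytes, challenge: bytes, client_origin: str) -> str:
    """Simplified origin-bound challenge-response: the value covers a fresh bank
    challenge AND the origin the client software is actually talking to, which the
    relaying site cannot choose."""
    msg = challenge + b"|" + client_origin.encode()
    return hmac.new(seed, msg, hashlib.sha256).hexdigest()


def bound_verify(seed: bytes, challenge: bytes, response: str) -> bool:
    """The bank accepts only responses computed over its own origin."""
    expected = bound_response(seed, challenge, BANK_ORIGIN)
    return hmac.compare_digest(response, expected)


def relay_bound_factor(challenge: bytes) -> bool:
    """Same relay, bound factor: the client computes over FAKE_ORIGIN because that is
    where its connection goes, so the forwarded response fails at BANK_ORIGIN."""
    response = bound_response(USER_SEED, challenge, FAKE_ORIGIN)
    return bound_verify(USER_SEED, challenge, response)


if __name__ == "__main__":
    step_start = 1_000_000_020   # constructed timestamp on a 30-second boundary
    nonce = b"constructed-challenge-001"
    legit = bound_response(USER_SEED, nonce, BANK_ORIGIN)
    print("relayed TOTP,  5 s later:", relay_plain_totp(step_start, 5))    # True
    print("relayed TOTP, 35 s later:", relay_plain_totp(step_start, 35))   # False, step rolled
    print("legitimate origin-bound :", bound_verify(USER_SEED, nonce, legit))  # True
    print("relayed origin-bound    :", relay_bound_factor(nonce))          # False
```

The verifier here is deliberately strict (current step only); production TOTP verifiers commonly accept a neighbouring step to tolerate clock drift, which widens the relay window rather than narrowing it. The bound variant illustrates the design point, not a particular product: the factor has to cover something the relaying site cannot control, such as the real origin or the transaction being authorised.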

While virtually everyone agrees passwords are on life support these days, there is little agreement on what second form of authentication will restore consumer confidence in e-commerce in the wake of widely publicized enterprise data thefts. Among the most often cited choices for the second form are physical backups: smart cards, biometrics and tokens.

"Our system of username and password is too easy to compromise with monitoring software and spyware and phishing. The extra step, the ever-changing password, stops phishing cold," noted Robert Siciliano, a Boston-based identity theft expert and author of The SafetyMinute :01.

Siciliano agrees with Schneier to a point but says two-factor authentication is far from "worthless." He sees biometrics as the best option for slowing down fraud, but the technology has been badmouthed by so many that it's now a harder sell.

"America needs a national ID system because the way that we identify people now is fundamentally flawed," he said. "We currently rely on pieces of paper with typed words and photos laminated in plastic…." He advocates "smarter" IDs that communicate digitally and electronically with a server, such as those embedded with chips, RFID tags or a biometric. "Nobody has the same DNA. Nobody has the same thumbprint. Biometrics digitally store and record the uniqueness of your face, eyes, ear canals, voice and fingerprints. Technology can process this information and store it on smartcards that can be used to properly identify people. And if we encrypted the information, it would be secure."

Demopoulos sees two-factor authentication gaining ground in a number of areas, but not where it probably matters most -- the home user. That's why many PC manufacturers have yet to mass produce machines with readers or scanners that would boost widespread adoption.

"There's such price competition in computer hardware that even small costs matter," he explained. "They don't want to bundle anything that isn't seen as essential. The biggest reason it's not seen as essential is because there's no groundswell of user or business support for it. The demand isn't there. It's hard to say why that is."

Moreover, phishing attacks work because of clever social engineering, which is best countered by constant user awareness campaigns, he said. "Social engineering attacks are always going to be possible, no matter what."
