GUEST COMMENTARY

Is 2004 the year for two-factor authentication?


Howard A. Schmidt
03.24.2004

I recently read an article about numerology and found it fascinating to see the different relationships people can conceive of involving numbers. Despite not having any knowledge of the topic other than what I had read, I figured I would try my hand at some amateur numerology. It seemed to make sense that I should start with something important that would solve a real-world problem. Looking at the year 2004 and wondering why we don't widely use two-factor authentication, it became obvious to me that 2004 MUST be the year. Putting aside for the moment that during his keynote at the RSA Security conference Bill Gates held up an RSA SecurID device and proclaimed to the audience that two-factor authentication was going to be supported in Windows, I felt there had to be something else. It became clear and simple that since the number two divides so many ways into 2004, the numerologists must be onto something.

Before I get too far into the numbers thing, I should explain what two-factor authentication is. Simply stated, it is something you have (a physical item) and something you know (a PIN or password) to prove you are who you say you are. One of the most common examples is an ATM card. The card is something you have, and the PIN is something you know. We have been using ATM cards for more than 20 years now, and they have become a part of our day-to-day staples. Widespread use did not happen overnight, but now that ATM cards have come into their own, I can't think how I could function without mine. Almost anywhere in the world I can withdraw currency from a machine using a simple card and a four-digit PIN, and I can do it securely.


For years we have depended upon user IDs and passwords for authentication. Before the Internet, a password was a suitable method for logging into a computer. But with the great capabilities the Internet gives us, a dark side has evolved that makes the user ID and password less effective than they were years ago. We now live in a society where we have user IDs and passwords for work accounts, travel sites, e-mail, online banking, shopping and even reading the news online.

These are terrific things, but if we followed the rules that we put out for security we should have a different password (and even user ID) for everything we do online. Not only would we have our brains in overdrive remembering these passwords, but we would have to change them every 60-90 days. We are human. We need to use easy-to-remember passwords, especially when we have a number of them. Otherwise, we tend to use the same passwords for different uses, and if the password is easily guessed or compromised, we are only helping identity thieves in their pursuits.

Rarely in the IT industry do you get a chance to solve many challenges with one action. The adoption of two-factor authentication would give us the ability to solve a number of security problems.

  • Phishing has had some success because we are still using passwords. Imagine if there were no user IDs and passwords to give away. Even with the continued use of passwords as part of two-factor authentication, without the second form of authentication, phishing is null.

  • ID theft would take on a new dimension. Most ID theft occurs in the physical world, but as we get better at protecting our identity in the physical world the criminals are moving to the online world. When thieves need two forms of authentication instead of just a PIN, their success rate goes down dramatically.

  • Consider non-repudiation and the confidence we could have in our transactions. In the U.S. and many other countries, a digital signature strengthened by two-factor authentication is considered binding.

  • Last, consider the relief from remembering multiple passwords, having to change them and getting them reset when we forget them (many of us do). When was the last time you changed your PIN for your ATM card?

As security practitioners, we have more choices today than ever before as to what form of authentication we can implement. We have smart cards, credit cards with chips in them, USB drives, machine certificates and tokens, to name a few. We could use any of these (or all if we wanted to) with a federated identity approach to authentication and be more secure, do more things and protect our digital identity and the information we use online.

Now getting back to the numbers, there may not be any correlation between the term two-factor authentication and the year 2004, but when I see the capabilities we now have with the various two-factor devices that are out there, I can't help but believe this is the year for two-factor authentication to take hold.

Like ATM cards, two-factor authentication will not take hold overnight. There are costs involved and some wrinkles to work out in distribution, but the benefits we get in the online world far outweigh the challenges. For the masses the time has come. 2004 should be the year we move forward to reduce fraud and identity theft and make the online world a much safer place for all.

About the author

Howard A. Schmidt is the CISO of eBay and a former cybersecurity advisor to the White House. He serves as an advisory board member for the Technical Research Institute of the National White Collar Crime Center and is a distinguished special lecturer at the University of New Haven, Conn., teaching a graduate certificate course in forensic computing.


All Rights Reserved, Copyright 2003 - 2008, TechTarget