This response is the full answer to a user question in the Ask the Expert section.
Two-factor authentication is good, but doesn't make it impossible
All factors have problems with them. Here are some overviews:
* Any "something you know" credential is attackable by brute force. Passwords and passphrases can be guessed. Often, we're saddled with so many of them that we duplicate them and reuse them. Often they're stored in a plain-text database and mailed back to us in plaintext. Attempts to make them more secure often have other adverse consequences. I once signed up for a service, whose name I won't mention, that had excellent security policy around their passwords. It was so good that when I inevitably forgot mine, their support could not help me.
* Any "something you have" credential is basically a key. I think that objects are perhaps the best credentials there are. Nearly all of the security that I do on a day-to-day basis is a single factor with some sort of key. My house, my car, my garage, and my office are all single-factor based on some simple object -- and all but one is on a single keychain. On the other hand, at least with an object, you know when you've lost it a lot quicker than you would with something you know.
Alas, when this gets to a network, it becomes less secure. Some very nice network systems are at their core just a simple key with some electronics and software. Many tokens are implicitly themselves two factor, because you have to use a PIN or password with the token itself.
Reliability, meaning loss and compromise, is harder to work into a system that uses objects. If someone loses their object or it just stops working, you have to get them a new one.
* Any "something you are" credential seems to be the best, but they're frequently the worst. Unlike the others above, they're probabilistic. This means that an attacker only has to get close. The loss scenarios are difficult -- we all leave fingerprints on everything we touch. There has recently been a flurry of papers on beating biometric systems, and the breaks are often embarrassing to the manufacturer. This is particularly true in the area where they're most useful, the economic low end. Biometrics fall down most when put on a network (because the attacker might be able to slightly modify a snooped transaction) and when the reliability aspects factor in. It's trivial to get someone a new password. It's only a little annoying to get them a new token. It's hard to know what to do if someone's fingerprint has been compromised. When the day comes that a database of customer information including biometric information is lost, stolen, sold by an employee or just has something odd happen to it, expect the lawsuits to fly.
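The contrast between an exact-match factor and a probabilistic one, as an added illustration that is not part of the original answer: the PIN check below rejects anything that is not byte-for-byte identical, while the biometric check accepts any sample whose similarity to the enrolled template clears a threshold, so the threshold setting decides how "close" an impostor has to get. The bit-vector template, the similarity measure and the threshold values are constructed for the example and simplify real matchers.

```python
import hashlib
import hmac
import secrets

# Constructed per-deployment salt for the PIN verifier (not real data).
PIN_SALT = secrets.token_bytes(16)


def pin_verifier(pin: str, salt: bytes = PIN_SALT) -> bytes:
    """'Something you know' is stored as a salted, stretched hash, never as the PIN."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def check_pin(stored: bytes, candidate: str, salt: bytes = PIN_SALT) -> bool:
    """Exact comparison: a candidate one digit off is simply rejected."""
    return hmac.compare_digest(stored, pin_verifier(candidate, salt))


def hamming_similarity(enrolled: int, presented: int, nbits: int) -> float:
    """Fraction of template bits on which the two samples agree (toy iris-code style)."""
    mask = (1 << nbits) - 1
    differing = bin((enrolled ^ presented) & mask).count("1")
    return 1.0 - differing / nbits


def check_biometric(enrolled: int, presented: int, nbits: int, threshold: float) -> bool:
    """'Something you are' is probabilistic: the sample passes if it is close enough.
    Lowering the threshold to cut false rejects also widens what an impostor can pass with."""
    return hamming_similarity(enrolled, presented, nbits) >= threshold


def check_two_factor(stored_pin: bytes, pin: str,
                     enrolled: int, presented: int, nbits: int, threshold: float) -> bool:
    """Both factors must pass; a near-miss biometric alone buys an attacker nothing."""
    return check_pin(stored_pin, pin) and check_biometric(enrolled, presented, nbits, threshold)
```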
Getting back to the core of your question -- is two-factor authentication more secure than one-factor? Yes. A smart card and a PIN is more secure than either alone. Is it more reliable than one-factor?
Maybe, maybe not. It depends on how you set it up. Does it have less risk? No. It has different risk. The risk of an intrusion is lower. The reliability risks are probably higher, but how you work with those differs, say, with employees than customers. Other risks are almost certainly higher. If one of your employees sells your databases to outsiders, the more you have in the database, the worse it is for you.
If your customer list is sold, that's bad. If that list included passwords, that's worse. If it included credit card information, that's also very bad. If that list included smart card secrets or biometric data, then you're in a whole lot of trouble.
This is why security decisions can't be made in a vacuum. You didn't tell me what your problem is or even what your goal is. Do you want employees to badge in and type a PIN as they enter the building? Do you want your customers to have something other than their dog's name confirming a purchase? These are different situations entirely. Hackers are only one thing to worry about. Hackers also do more than just steal user credentials.
This was first published in July 2004