I recently read an article about numerology and found it fascinating to see the different relationships people can conceive of involving numbers. Despite not having any knowledge of the topic other than what I had read, I figured I would try my hand at some amateur numerology. It seemed to make sense that I should start with something important that would solve a real-world problem. Looking at the year 2004 and wondering why we don't widely use two-factor authentication, it became obvious to me that 2004 MUST be the year. Putting aside for the moment that during his keynote at the RSA Security conference Bill Gates held up an RSA SecurID device and proclaimed to the audience that two-factor authentication was going to be supported in Windows, I felt there had to be something else. It became clear and simple that since the number two divides so many ways into 2004, the numerologists must be onto something.
Before I get too far into the numbers thing, I should explain what two-factor authentication is. Simply stated, it is something you have (a physical item) and something you know (a PIN or password) to prove you are who you say you are. One of the most common examples is an ATM card. The card is something you have, and the PIN is something you know. We have been using ATM cards for more than 20 years now, and they have become a part of our day-to-day staples. Widespread use did not happen overnight, but now that ATM cards have come into their own, I can't think how
For years we have depended upon user IDs and passwords for authentication. Before the Internet, a password was a suitable method for logging into a computer. But with the great capabilities the Internet gives us, a dark side has evolved that makes the user ID and password less effective than they were years ago. We now live in a society where we have user IDs and passwords for work accounts, travel sites, e-mail, online banking, shopping and even reading the news online.
These are terrific things, but if we followed the rules that we put out for security, we should have a different password (and even user ID) for everything we do online. Not only would we have our brains in overdrive remembering these passwords, but we would have to change them every 60-90 days. We are human. We need to use easy-to-remember passwords, especially when we have a number of them. Otherwise, we tend to use the same passwords for different uses, and if the password is easily guessed or compromised we are only helping identity thieves in their pursuits.
Rarely in the IT industry do you get a chance to solve many challenges with one action. The adoption of two-factor authentication would give us the ability to solve a number of security problems.
As security practitioners, we have more choices today than ever before as to what form of authentication we can implement. We have smart cards, credit cards with chips in them, USB drives, machine certificates and tokens, to name a few. We could use any of these (or all of them if we wanted to) with a federated identity approach to authentication and be more secure, do more things and protect our digital identity and the information we use online.
Now getting back to the numbers, there may not be any correlation between the term two-factor authentication and the year 2004, but when I see the capabilities we now have with the various two-factor devices that are out there, I can't help but believe this is the year for two-factor authentication to take hold.
Like ATM cards, two-factor authentication will not take hold overnight. There are costs involved and some wrinkles to work out in distribution, but the benefits we get in the online world far outweigh the challenges. For the masses, the time has come. 2004 should be the year we move forward to reduce fraud and identity theft and make the online world a much safer place for all.
About the author
Howard A. Schmidt is the CISO of eBay and a former cybersecurity advisor to the White House. He serves as an advisory board member for the Technical Research Institute of the National White Collar Crime Center and is a distinguished special lecturer at the University of New Haven, Conn., teaching a graduate certificate course in forensic computing.
This was first published in March 2004