

When talking about authentication, two-factor means combining two
different kinds of credential, typically something you know and
something you have.
A user name and password would be something you know, and an
RSA-issued token on a key fob that displays a one-time code, derived
from a secret seed inside the token and the current time, is
something you have.
A third kind of factor is something you are, such as
your fingerprint or a DNA sample. Although I do not advocate
providing a blood sample to enable me to log into my bank account
from home, I like the idea of my bank providing me with an extra
factor and using two-factor authentication.
I therefore read with interest that the take-up of this
technology is slow. No matter how complex and interesting banks
make their log-in pages, with drop-down selectors asking for random
passcode digits, and your father's first name, they are still
flawed. If an attacker can spend long enough monitoring keystrokes
and input using key-loggers, or get lucky with a phishing attempt,
your account is compromised.
Sharing the blame
I have a personal view that the user should shoulder some of the
blame if they are careless enough to have malware installed onto
their computer or daft enough to fall for a phishing attack.
However, banks and other organisations have an obligation to
protect our finances and private information, and if they are not
bolting the door to your account and money as strongly as they bolt
the doors of their strongrooms then they are failing in that
obligation.
Two-factor authentication takes most of the sting out of that attack.
It does not matter how many key-loggers have recorded your user name
and password: unless the attacker also has the current code from the
token you are carrying safely in your pocket, a code that changes
every 60 seconds or so and is only accepted for a short window around
that, the captured credentials on their own will not open the
account.
I do acknowledge that the token is not a complete answer. Attacks on
the code generation itself are theoretical for the average hacker,
but the practical attacks go around the token rather than through
it: a phishing site that forwards your user name, password and
one-time code to the real bank while the code is still valid, or
malware that waits for you to log in and then rides the
authenticated session. Those need a proxy and patience, not a
supercomputer.
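As an added example (not code from the original column, and not RSA's algorithm), here is how such a token's code can be generated and checked, using the open TOTP scheme of RFC 6238 as a stand-in for a proprietary fob, together with a constructed scenario in which a key-logger captures one code. The seed is the RFC's published test seed; the 30-second step and the one-step verification window are assumptions.

```python
"""Added example: time-based one-time passwords (RFC 6238) and why a
keylogged code is worthless once its step has passed. Illustrative only."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a decimal code of `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, window: int = 1, digits: int = 6) -> bool:
    """Server-side check. Accept the current step and `window` steps either
    side to tolerate clock drift; compare each candidate in constant time."""
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return True
    return False


# Constructed scenario (example data, not from the page).
SHARED_SEED = b"12345678901234567890"   # RFC 6238 reference seed, standing in for a token's seed
LOGIN_TIME = 1_111_111_109               # moment the victim types a code; a key-logger records it


def replay_outcomes(secret: bytes = SHARED_SEED, captured_at: int = LOGIN_TIME) -> dict:
    """What the attacker can do with a captured user name, password and code."""
    captured_code = totp(secret, captured_at)
    return {
        "captured_code": captured_code,
        # relayed to the real site 20 s after capture: still inside the window
        "relayed_within_window": verify_totp(secret, captured_code, captured_at + 20),
        # replayed ten minutes later: the code has rolled over several times
        "replayed_later": verify_totp(secret, captured_code, captured_at + 600),
    }


if __name__ == "__main__":
    for k, v in replay_outcomes().items():
        print(f"{k}: {v}")
```

Run it and the relayed code is accepted while the replayed one is rejected. That is the whole value, and the whole limit, of a one-time code: it makes the stolen credential expire quickly, but it does not check who is typing it, which is why a real-time phishing proxy still gets in.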
So, am I advocating two-factor authentication? Well, yes and no.
For corporate access to internal networks it is a clunky yet secure
way to remotely connect back to the office.
For consumers it is nothing more than a publicity friendly yet
tactical solution. Publicity friendly because if the firms
considering token distribution did more to prevent fraudulent
transactions in the first place, two-factor authentication would
not even be an issue.
Prevention is better than cure
For example, if someone logs into my bank account at 2.17am from
an IP address on the other side of the world, you can bet it isn't
me. A log-in that is impossibly far from the previous one for the
time elapsed, at an unusual hour, from a country the account has
never used, is easy to identify as questionable and block
automatically, or at least to challenge before any money moves.
If my credit card company can call me when I buy a book in New
York for the first time then my bank can definitely see when I am
making a transaction from a more exotic location.
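To show what such a control looks like in practice, here is an added example (not from the original column and not any bank's system) that scores a log-in against the account's previous legitimate log-in on three signals: travel speed since the last log-in, country versus the account's home country, and local hour. The weights, thresholds and the three sample log-ins are constructed for illustration.

```python
"""Added example: risk-scoring a log-in against the account's history
before deciding to allow it, block it or ask for more. Illustrative
thresholds and constructed events; not a description of any bank's system."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Login:
    account: str
    ts: int          # unix seconds, UTC
    lat: float
    lon: float
    country: str     # country code derived from the source IP (assumed available)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points on the Earth."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def score_login(prev, cur, home_country, utc_offset_hours, max_speed_kmh=900.0):
    """Return (score, reasons). Weights are assumptions chosen for the example."""
    score, reasons = 0, []
    if prev is not None:
        dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        hours = max((cur.ts - prev.ts) / 3600.0, 1.0 / 60.0)   # guard against division by zero
        if dist / hours > max_speed_kmh:                       # faster than an airliner
            score += 60
            reasons.append(f"impossible travel: {dist:.0f} km in {hours:.1f} h since last log-in")
    if cur.country != home_country:
        score += 25
        reasons.append(f"log-in from {cur.country}, account registered in {home_country}")
    local_hour = (cur.ts // 3600 + utc_offset_hours) % 24
    if local_hour < 6:
        score += 15
        reasons.append(f"log-in at hour {local_hour} local time")
    return score, reasons


def decide(score):
    """Map the score to an action: block outright, step up (ask for the token), or allow."""
    if score >= 60:
        return "block"
    if score >= 25:
        return "step-up"
    return "allow"


# Constructed events for one account registered in GB (UTC+0).
LONDON = Login("alice", 1_709_676_000, 51.5074, -0.1278, "GB")      # 22:00 UTC
SYDNEY = Login("alice", 1_709_691_420, -33.8688, 151.2093, "AU")    # 4 h 17 min later, 02:17 UTC
PARIS = Login("alice", 1_709_697_600, 48.8566, 2.3522, "FR")        # 6 h after London, 04:00 UTC


def run_constructed_scenario(home_country="GB", utc_offset_hours=0):
    """Evaluate each event against the previous legitimate log-in (London)."""
    results = []
    for prev, cur in [(None, LONDON), (LONDON, SYDNEY), (LONDON, PARIS)]:
        score, reasons = score_login(prev, cur, home_country, utc_offset_hours)
        results.append((cur.country, score, decide(score), reasons))
    return results


if __name__ == "__main__":
    for country, score, action, reasons in run_constructed_scenario():
        print(f"{country}: {action} (score {score}) {'; '.join(reasons) or '-'}")
```

The Sydney log-in four hours after London trips all three rules and is blocked with no token involved; the Paris log-in is merely unusual and gets a step-up challenge, which is exactly where a one-time code earns its keep; the London log-in passes silently. The point is that the token is the second line, and the first line costs the customer nothing.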
By issuing me with a token it is a statement of "we take
security seriously" but not "we have reviewed our systems and put
sufficient fraudulent access detection controls in place."
It is a tactical solution because if all the banks, credit card
companies, stockbrokers and insurance firms issued tokens to their
customers, there would be some people carrying around a dozen
tokens on their keyring. While this might be a fashion statement
for some, for the vast majority of us it will be confusing and
unusable.
From the business perspective it also becomes extremely
expensive to manage, as customers lose and break their tokens, quite
apart from the initial cost of deployment. And what about a solution
for partially sighted users? RSA does not yet do Braille tokens.
There are some systems starting to appear that may offer a
single token for multiple products. This will require a high degree
of co-operation between organisations and it is, in my opinion, the
only way to achieve a strategic solution to online
authentication.
I believe such a system is inevitable within the next few years
and may be based on consumer smartcards or even ID cards.
In the meantime, consumers and business will continue to fall
victim to phishing attacks and individuals will continue to have
malware on their home PCs. Tactical two-factor authentication can
have a role, and I will be happy to receive my token from my bank,
but for the majority of customers and businesses two-factor
authentication will be a new inconvenience.
Stuart King is a senior information security practitioner at
the Reed Elsevier Group