Schneier: 'Two-factor security is not our saviour'

Moves by banks to introduce two-factor authentication will not protect the public against phishing attacks and identity theft, international security expert Bruce Schneier said last week.

Schneier, a security technologist, author and founder and chief technical officer of Counterpane Internet Security, said it will only be a matter of time before criminals develop countermeasures to the technology. "Two-factor authentication is not our saviour. It will not defend against phishing. It is not going to prevent identity theft. It is not going to secure online accounts from fraudulent transactions," he said.

Two-factor authentication was developed 10 years ago as a more secure replacement for passwords, which are vulnerable to cracking or interception on the internet.

Although a few banks are now beginning to issue two-factor devices such as smart tokens to their customers, new attacks have been developed which make two-factor authentication less secure.

These include man-in-the-middle attacks, in which an attacker puts up a fake bank website and entices the user to log on. When the user keys in a password, the attacker uses it to access the real bank website.

Sophisticated Trojans have also been developed which can piggyback on a customer's banking session to make fraudulent transactions.

"Two-factor authentication is not useless. It works for local log-in and it works with some corporate networks. But it will not work for remote authentication over the internet," said Schneier.

"I predict that banks and other financial institutions will spend millions outfitting their users with two-factor authentication tokens. Early adopters of this technology may well experience a significant drop in fraud for a while as attackers move to easier targets, but in the end there will be a negligible drop in fraud and identity theft."
