Limits of token gestures

When talking about authentication, two-factor means something you know and something you have.

A user name and password are something you know; an RSA-issued token on a key fob that generates a fresh random number is something you have.

An additional factor might be something unique to you, such as your fingerprint or a DNA sample. Although I do not advocate providing a blood sample to enable me to log into my bank account from home, I like the idea of my bank providing me with an extra authentication factor and using two-factor authentication.

I therefore read with interest that the take-up of this technology is slow. No matter how complex and interesting banks make their log-in pages, with drop-down selectors asking for random passcode digits, and your father's first name, they are still flawed. If an attacker can spend long enough monitoring keystrokes and input using key-loggers, or get lucky with a phishing attempt, your account is compromised.

Sharing the blame

I have a personal view that the user should shoulder some of the blame if they are careless enough to have malware installed onto their computer or daft enough to fall for a phishing attack.

However, banks and other organisations have an obligation to protect our finances and private information, and if they are not bolting the door to your account and money as strongly as they bolt the doors of their strongrooms then they are failing in that obligation.

But two-factor authentication stops the attack dead. It does not matter how many key-loggers are recording your user name and password because unless the attacker also has that token with the random number that regenerates every two minutes, which you are carrying safely in your pocket, there is no practical way to access the account.

I do acknowledge that there are some theoretical attacks but these require a supercomputer, which the average hacker will not have access to.

So, am I advocating two-factor authentication? Well, yes and no. For corporate access to internal networks it is a clunky yet secure way to remotely connect back to the office.

For consumers it is nothing more than a publicity-friendly yet tactical solution. Publicity-friendly because if the firms considering token distribution did more to prevent fraudulent transactions in the first place, two-factor authentication would not even be an issue.

Prevention is better than cure

For example, if someone logs into my bank account at 2.17am from an IP address on the other side of the world, you can bet it isn't me. It is easy to identify the transaction as questionable and automatically block it.

If my credit card company can call me when I buy a book in New York for the first time then my bank can definitely see when I am making a transaction from a more exotic location.
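The risk-based check described above, written out as an added example (not code from the original column, and not any bank's real system): each login is scored against the account holder's usual countries and hours of day; a login that is anomalous on both counts is blocked, while a new location alone gets a challenge, in the way the card company phones the customer. The profile and event field names and the sample login history are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Hypothetical data model; the field names are assumptions made for this example.
@dataclass
class Profile:
    """What the bank already knows about the account holder's habits."""
    usual_countries: set          # countries seen on previous confirmed logins
    usual_hours: set              # hours of day (0-23) seen on previous logins

@dataclass
class LoginEvent:
    user: str
    ts: datetime                  # assumed already in the account holder's local time
    country: str                  # geolocated from the source IP address

def assess(event, profile):
    """Score one login and return (decision, reasons).

    Decisions: 'allow', 'challenge' (e.g. phone the customer) or 'block'.
    """
    score, reasons = 0, []
    if event.country not in profile.usual_countries:
        score += 2
        reasons.append(f"new country {event.country}")
    if event.ts.hour not in profile.usual_hours:
        score += 1
        reasons.append(f"unusual hour {event.ts.strftime('%H:%M')}")
    if score >= 3:
        return "block", reasons        # 2.17am from the other side of the world
    if score >= 2:
        return "challenge", reasons    # first purchase in New York
    return "allow", reasons

def learn(profile, event):
    """Once a challenge has been passed, fold the new behaviour into the profile."""
    profile.usual_countries.add(event.country)
    profile.usual_hours.add(event.ts.hour)

# Constructed history: a UK customer who normally logs in on weekday evenings.
STUART = Profile(usual_countries={"GB"}, usual_hours={18, 19, 20, 21})

# Constructed sample logins: routine, late-night from abroad, and a first trip away.
SAMPLE_EVENTS = [
    LoginEvent("stuart", datetime(2024, 5, 3, 19, 5), "GB"),
    LoginEvent("stuart", datetime(2024, 5, 4, 2, 17), "AU"),
    LoginEvent("stuart", datetime(2024, 5, 6, 20, 30), "US"),
]

def run_demo():
    """Decisions for the sample logins, in order."""
    return [assess(ev, STUART)[0] for ev in SAMPLE_EVENTS]
```

Running `run_demo()` yields allow, block, challenge for the three sample logins; calling `learn` after a passed challenge turns the US login into a plain allow on its next occurrence.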

Issuing me with a token is a statement that "we take security seriously", not that "we have reviewed our systems and put sufficient fraudulent access detection controls in place."

It is a tactical solution because if all the banks, credit card companies, stockbrokers and insurance firms issued tokens to their customers, there would be some people carrying around a dozen tokens on their keyring. While this might be a fashion statement for some, for the vast majority of us it will be confusing and unusable.

From the business perspective it also becomes extremely expensive to manage, as customers lose and break their tokens, on top of the initial cost of deployment. And what about a solution for partially sighted users? RSA does not yet do Braille tokens.

There are some systems starting to appear that may offer a single token for multiple products. This will require a high degree of co-operation between organisations and it is, in my opinion, the only way to achieve a strategic solution to online authentication.

I believe such a system is inevitable within the next few years and may be based on consumer smartcards or even ID cards.

In the meantime, consumers and business will continue to fall victim to phishing attacks and individuals will continue to have malware on their home PCs. Tactical two-factor authentication can have a role, and I will be happy to receive my token from my bank, but for the majority of customers and businesses two-factor authentication will be a new inconvenience.

Stuart King is a senior information security practitioner at the Reed Elsevier Group