The NON Failure of Two-Factor Authentication
Bruce Schneier's post from a few days ago is still being talked about and causing controversy.
I usually agree with Bruce - he's usually right! He makes several valid points in The Failure of Two-Factor Authentication but overstates his case.
"Two-factor authentication isn't our savior." That's absolutely true. In security, there are no saviors! Security is a process and technology is only part of the solution.
Two-factor authentication means requiring two separate things to establish your identity, for example a smart card and a password. We all know passwords alone don't work as well as they should: users pick easily guessed passwords like their dog's name, write down their passwords on little sticky pieces of paper stuck to their computer monitor, etc.
Bruce states that: "It won't defend against phishing. It's not going to prevent identity theft. It's not going to secure online accounts from fraudulent transactions."
Very true. It also won't protect you from muggers. Or car jackers. Or unscrupulous used car salesmen. Or spam. Or your mother from making you feel guilty.
There are no silver bullets in security.
If two-factor authentication is worthless, then let's all throw away our ATM cards and use a username/password combo instead. Of course that would be ludicrous! Someone "shoulder surfing" could watch us type into the ATM and then effortlessly steal our money.
Requiring two-factor authentication for ATMs, the card AND a password/PIN, certainly increases security!
There is a great article here by Anne Saita on Bruce Schneier's post.
I think Bruce wanted to start some lively debate - he succeeded!
Comments on "The NON Failure of Two-Factor Authentication"
Alfred Thompson said ... (Friday, April 08, 2005 7:30:00 PM) :
Schneier's points are well taken but I don't think that they are a reason not to adopt some level of two-factor authentication. We have to attack these issues from multiple paths. Just because a method can't solve all the problems doesn't remove all value. For example we know that a lot of the worst security breaches are inside jobs, people we trust being untrustworthy. I doubt that Schneier would suggest that as a reason to avoid using outside security companies such as the one he runs.