] Two-factor authentication isn't our savior. It won't
] defend against phishing. It's not going to prevent
] identity theft. It's not going to secure online accounts
] from fraudulent transactions. It solves the security
] problems we had ten years ago, not the security problems
] we have today.

Schneier has been getting a lot of attention out of this short essay. I don't agree with him. While I seriously doubt Microsoft is really "dropping passwords" from Longhorn, you are going to see two factor authentication systems, likely involving cellphones, get deployed for certain kinds of internet based financial transactions. Its being playtested in Europe instead of here, because they have better cellphone penetration, but its coming.

Schneier is right when he points out that two-factor auth doesn't solve the problem with MiTM. I'd also point out that pencils do not enable space travel. That doesn't make them useless. Two factor auth solves the problem of offline credential stealing (in theory). Offline credential stealing is a real problem, and the only way to solve it is with two factor auth. Even if you solve the MiTM problem, you still need to solve the offline credential stealing problem, and you are going to solve that problem with two factor auth. You'll eventually need to get two factor auth, one way or the other. I hope its not a biometric, because biometrics are crap for totally unrelated reasons.

The way you address the MiTM problem is with better UI design. The banks and other groups who have an interest in computer security need to pay to get people on the Firefox team to really explore stronger methods of indicating certificate status to end users. The way we do this is really bad. Hell, Safari doesn't even let you pull up certificate details!!! Developers seem to make these security messages either annoying or invisible. It is possible to make them attention grabbing and informative while also not requiring user interaction. Its just a matter of getting it done.

As for Schneier's trojan idea, it sounds neat in theory but in practice I don't think its ever been done. There are lots of ways to make it hard. A way to tell browsers never to write a particular cookie to disk is a good start. Another is to log the user out upon cookie replay.

Another thing I'd like to see is a standard for HTTP transactions that supports authentication but not encryption. The reason is that encryption is too expensive for many websites to scale. Auth only could happen more cheaply, and that might spur more people to use it and become familiar with it. Authentication is more important then encryption for most threat models in modern networks. We're not worried about the FBI stealing your credit card number.