Create an Account
username: password:
 
  MemeStreams Logo

Schneier on Security: The Failure of Two-Factor Authentication

search

Decius
Picture of Decius
Decius's Pics
My Blog
My Profile
My Audience
My Sources
Send Me a Message

sponsored links

Decius's topics
Arts
  Literature
   Sci-Fi/Fantasy Literature
  Movies
   Sci-Fi/Fantasy Films
  Music
   Electronic Music
Business
  Finance & Accounting
  Tech Industry
  Telecom Industry
  Management
  Markets & Investing
Games
Health and Wellness
Home and Garden
  Parenting
Miscellaneous
  Humor
  MemeStreams
Current Events
  War on Terrorism
Recreation
  Cars and Trucks
  Travel
Local Information
  United States
   SF Bay Area
    SF Bay Area News
Science
  Biology
  History
  Math
  Nano Tech
  Physics
Society
  Economics
  Politics and Law
   Civil Liberties
    Internet Civil Liberties
    Surveillance
   Intellectual Property
  Media
   Blogging
Sports
Technology
  Computer Security
  Macintosh
  Spam
  High Tech Developments

support us

Get MemeStreams Stuff!


 
Schneier on Security: The Failure of Two-Factor Authentication
Topic: Computer Security 5:35 pm EST, Mar 16, 2005

] Two-factor authentication isn't our savior. It won't
] defend against phishing. It's not going to prevent
] identity theft. It's not going to secure online accounts
] from fraudulent transactions. It solves the security
] problems we had ten years ago, not the security problems
] we have today.

Schneier has been getting a lot of attention out of this short essay. I don't agree with him. While I seriously doubt Microsoft is really "dropping passwords" from Longhorn, you are going to see two factor authentication systems, likely involving cellphones, get deployed for certain kinds of internet based financial transactions. Its being playtested in Europe instead of here, because they have better cellphone penetration, but its coming.

Schneier is right when he points out that two-factor auth doesn't solve the problem with MiTM. I'd also point out that pencils do not enable space travel. That doesn't make them useless. Two factor auth solves the problem of offline credential stealing (in theory). Offline credential stealing is a real problem, and the only way to solve it is with two factor auth. Even if you solve the MiTM problem, you still need to solve the offline credential stealing problem, and you are going to solve that problem with two factor auth. You'll eventually need to get two factor auth, one way or the other. I hope its not a biometric, because biometrics are crap for totally unrelated reasons.

The way you address the MiTM problem is with better UI design. The banks and other groups who have an interest in computer security need to pay to get people on the Firefox team to really explore stronger methods of indicating certificate status to end users. The way we do this is really bad. Hell, Safari doesn't even let you pull up certificate details!!! Developers seem to make these security messages either annoying or invisible. It is possible to make them attention grabbing and informative while also not requiring user interaction. Its just a matter of getting it done.

As for Schneier's trojan idea, it sounds neat in theory but in practice I don't think its ever been done. There are lots of ways to make it hard. A way to tell browsers never to write a particular cookie to disk is a good start. Another is to log the user out upon cookie replay.

Another thing I'd like to see is a standard for HTTP transactions that supports authentication but not encryption. The reason is that encryption is too expensive for many websites to scale. Auth only could happen more cheaply, and that might spur more people to use it and become familiar with it. Authentication is more important then encryption for most threat models in modern networks. We're not worried about the FBI stealing your credit card number.

Schneier on Security: The Failure of Two-Factor Authentication



 
 
Powered By Industrial Memetics
RSS2.0