Sections

Personal tools

You are here: Home → wikidblog → Schneier clarifies his stance on two-factor authentication

Recent entries: Redhat & Fedora hacked admin Aug 25, 2008; Two-factor for the cloud admin Aug 15, 2008; Debunking "Two-Factor Authentication Debunked by TSB Phish" admin Jul 02, 2008; New Howtoforge article - Postgresql admin Jul 02, 2008; World of Warcraft gets two-factor authentication - your bank won't follow admin Jul 01, 2008

Recent comments: Re:Security and Oil admin Apr 25, 2008; Re:Security and Oil Paul feet Apr 24, 2008; Re:100% open source admin Apr 22, 2008; Re:100% open source Adam Apr 22, 2008; Re:Capital Gains Tax Rates and Entrepreneurs Lance Oct 23, 2007

2005/04/12

Schneier clarifies his stance on two-factor authentication

Bruce Schneier posted a clarification on his stance regarding two-factor authentication today.

Two-factor authentication is a long-overdue solution to the problem of passwords. I welcome its increasing popularity, but identity theft and bank fraud are not results of password problems; they stem from poorly authenticated transactions. The sooner people realize that, the sooner they'll stop advocating stronger authentication measures and the sooner security will actually improve.

Again, he's missing a couple of points.

First, it is simple to use strong authentication to authenticate transactions as well as sessions.

Second, some strong authentication systems, such as our strong authentication system can combat the "non-authentication" attacks Schneier describes. For example, the WiKID two-factor client will not generate a valid passcode if the DNS system is poisoned. We are working on extending WiKID in other ways as well.