Not Bad for a Cubicle on Strong Authentication

Not Bad for a Cubicle has a post on strong authentication - more blogging driven by Bruce Schneier's posts. It's well balanced and insightful.

As I see it, the core of the problem is that Identity is not actually tied to me as a person–it’s tied to data in various databases. That’s not necessarily a Bad Thing. Sure, it’s argued that Biometrics would solve that problem but I’m actually not very comfortable with that solution. The unintended consequence here becomes that if we ever actually succeed in tying Identity to its owner, then we can no longer decouple it in the situations where we’d like privacy or anonymity. Yet another example of “Security is a Trade-Off.”

I couldn't agree more here and I would argue that people will develop personas or 'nynms' or other mechanisms to keep information compartmentalized. I use my hotmail account for certain things, gmail for lists and my popmail accounts for other things.

Each authentication mechanism has costs, attacks, and risks associated with it. Passwords (something you know) can be forgotten or stolen without your knowing it, but are easily changed. Biometrics (Something you are) can be extremely difficult to forge but cannot be changed on-demand (but can change over time), fail due to injury (how do you read a fingerprint through a band-aid?) or in the worst case, cost you that finger. Number-generators and private crypto keys (something you have) raise the bar significantly for compromising account but can be lost or stolen, are difficult to support or change, and are generally not shared between different authenticating entities.

I would make a distiction here between symmetric, shared-secret systems such as SecurID which are difficult to support (and also hard to do securely in software) and asymmetric publc key cryptography like WiKID Strong Authentication where it is easy to implement and maintain and it is easy to share between authenticating entities securely.

Suggesting two-factor authentication as a cure for Identity Theft Fraud-by-Impersonation is attempting to fit a technology solution to a systemic problem, which is what I think Schneier has been trying to get at all along.

I don't think anyone is suggesting that strong authentication is the cure for all the risks out there - not even me ;). Protecting personal information with two-factor authentication would make stealing identity information harder. Using one-time passwords would solve the problem of people using the same passwords everywhere. What Scheier said though was:

Two-factor authentication is a long-overdue solution to the problem of passwords. I welcome its increasing popularity, but identity theft and bank fraud are not results of password problems; they stem from poorly authenticated transactions. The sooner people realize that, the sooner they'll stop advocating stronger authentication measures and the sooner security will actually improve.

I continue to be amazed at this. Isn't it clear from what he's saying: If you want to have better authentication for transactions, use strong authentication for the transactions!

If banks and credit card companies required a one-time password everytime a transaction occurred would that make it extremely difficult to process a fraudulent transaction - especially if combined with a user-friendly server validation process. An attacker would have to piggy-back on a valid session via a trojan and fool the user into entering the one-time passcode for the fraudulent transaction.

Think of it this way: How secure is the ATM Network vs. the credit card network? The ATM system is two-factor. You have to steal both the card and the PIN to get cash. With credit cards, you only have to steal the number. I wonder what the value of stolen ATM card numbers are on the black market vs. the value of a stolen credit card?