2005/10/26
Short-sighted critiques of two-factor authentication
There are two things to keep in mind when discussing two-factor authentication:
First, it is possible to use any one-time password system to authenticate transactions. All you have to do is ask for an additional one-time passcode before you process the transaction. This is incredibly simple and would stop a good number of MITM attacks.
Second, don't think that all one-time password systems operate in an enclosed hardware case and will never be capable of cryptographically secure mutual authentication.
Cryptographers seem to think that if a solution fails one time it isn't worth using, even though it stops 9 other attacks. You don't need to wipe out online fraud. What you need to do is minimize the risks to an acceptable level and maintain the public's faith in the banking industry. If people start putting their money under their mattresses again, we're in for a big recession.
- Category(s)
- Two Factor Authentication
- Phishing and Fraud
Hmmm.... hard to see how that could be beaten.
What would be some examples of two-level authentication systems that don't require separate hardware that can be lost or can malfunction?
As for examples of authentication systems that don't require hardware, look no further ;). WiKID can run on a Windows, Mac, Linux, Palm, PocketPC, J2ME, Blackberry etc. You can run it on a USB drive if you like.
The interesting thing about using a PC-based token that is network aware, such as WiKID, is that you can tackle the second problem, mutual authentication. Expect some news on this front soon.
The trouble is not that OTPs stop 9 other attacks, it's that they stop 9 other attacks by people who ignore the yellow tape. The most obvious attack is to present a "login failed, please try again in 60 seconds" message, and use the second time token to authenticate not the login, but the transaction.
With WiKID a bank can set up more than one WiKID 'domain' and the token client can support more than one domain as well, even across servers. The bank sets up one domain for session authentication and another for transactions.
When the user logs in they are asked for a passcode from the "Bank Login" domain. When they try to process a risky transaction, they are asked for a passcode from the "Transactions" domain.
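The post's "ask for an additional passcode before processing the transaction" and the reply's two-domain setup ("Bank Login" versus "Transactions") can both be shown in one small simulation. The following is an added example, not WiKID's code or protocol: it uses RFC 4226 HOTP (HMAC-SHA1 over a counter) as a stand-in for whatever OTP algorithm a real token uses, and the class names `OtpDomain`, `TokenClient`, `BankServer` and the function `run_scenario` are assumptions made for the illustration. The secrets are constructed values. It demonstrates the point raised in the comments: a code minted in the login domain is useless for authorizing a transfer, and a code that has already been consumed is rejected on replay, so the "login failed, try again" trick yields a second login code rather than a transaction authorization.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpDomain:
    """One OTP 'domain' on the server: its own secret and its own moving counter."""

    def __init__(self, name: str, secret: bytes, window: int = 3):
        self.name = name
        self.secret = secret
        self.counter = 0        # next counter value the server expects
        self.window = window    # tolerated look-ahead if the client skipped codes

    def verify(self, code: str) -> bool:
        # Try a small look-ahead window; on a hit, advance past the used counter
        # so the same code can never be accepted a second time (no replay).
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1
                return True
        return False


class TokenClient:
    """Simulated software token: one secret and one counter per domain."""

    def __init__(self, secrets_by_domain: dict):
        self.secrets = dict(secrets_by_domain)
        self.counters = {name: 0 for name in secrets_by_domain}

    def next_code(self, domain: str) -> str:
        code = hotp(self.secrets[domain], self.counters[domain])
        self.counters[domain] += 1
        return code


class BankServer:
    """Server side: separate domains for session login and for risky transactions."""

    def __init__(self, login_secret: bytes, txn_secret: bytes):
        self.domains = {
            "Bank Login": OtpDomain("Bank Login", login_secret),
            "Transactions": OtpDomain("Transactions", txn_secret),
        }
        self.sessions = set()

    def login(self, session_id: str, code: str) -> bool:
        if self.domains["Bank Login"].verify(code):
            self.sessions.add(session_id)
            return True
        return False

    def transfer(self, session_id: str, amount: int, code: str) -> str:
        """A risky transaction needs a live session AND a code from the Transactions domain."""
        if session_id not in self.sessions:
            return "no session"
        if not self.domains["Transactions"].verify(code):
            return "rejected"
        return f"transferred {amount}"


def run_scenario() -> dict:
    """Walk through login, a misused login code, a proper transaction code, and a replay."""
    login_secret = b"constructed-login-secret-0001"   # constructed sample value
    txn_secret = b"constructed-txn-secret-0002"       # constructed sample value
    bank = BankServer(login_secret, txn_secret)
    token = TokenClient({"Bank Login": login_secret, "Transactions": txn_secret})
    results = {}

    login_code = token.next_code("Bank Login")
    results["login"] = bank.login("s1", login_code)
    results["login_replay"] = bank.login("s2", login_code)          # consumed code

    # The trick from the comments: coax a second *login* code out of the user
    # and present it for a transaction. Wrong domain, so it fails.
    second_login_code = token.next_code("Bank Login")
    results["txn_with_login_code"] = bank.transfer("s1", 500, second_login_code)

    txn_code = token.next_code("Transactions")
    results["txn_with_txn_code"] = bank.transfer("s1", 500, txn_code)
    results["txn_replay"] = bank.transfer("s1", 500, txn_code)      # consumed code
    return results


if __name__ == "__main__":
    for step, outcome in run_scenario().items():
        print(f"{step}: {outcome}")
```

The look-ahead window in `OtpDomain.verify` is what a counter-based scheme needs when the client generates a code that never reaches the server; keep it small, since every extra slot is another guess an attacker gets per attempt.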