More on Layered Authentication

OK, I slagged the concept of 'layered' authentication as a marketing neologism in my response to Eric Nolan's identity predictions for 2006. I was overcome by prediction hysteria. I've got to calm down...

Here's the problem with most of the pitches I have seen for "layered authentication". Let's start with an actual pitch:

"Moving beyond the two-factor or multifactor authentication solutions available in the market today, the multi-layered approach provides a stronger form of authentication without compromising the online banking experience for end users. In addition to a user name and password, Intelligent Authentication leverages multiple patterns of online banking behavior and attributes of the online banking user to determine when it is necessary to block or challenge suspicious visitors."

I have a few problems with this:

1. "Moving beyond..." Let's judge the strength of the solution based on its relative security. To break this security, all you need to do is a MITM replay attack, use a session hijacking trojan and/or know the user's challenge information. This really hasn't moved beyond.

2. What value is here? It's easy to log IP address, plant cookies, etc. I hope this is a free service. It's also easy to know which transactions are suspicious - the ones where money leaves an account.

3. A large number of users will absolutely hate this. They delete cookies, use WiFi in weird places and use multiple computers. They also have lots of money.

To me, layered authentication means session, host/mutual and transaction authentication. I think authentication needs to be consistent and involve the user. Tools like cookies, which rely on DNS and are hidden from the user, aren't optimal solutions.
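As an added illustration (not the post's own code, nor WiKID's product) of what transaction authentication in this sense buys over cookie and IP checks: the approval code is computed over the exact transaction the user sees, so a changed payee or a reused code fails verification even when the session, cookie and IP all look legitimate. The shared secret, account numbers and code format are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample secret shared between the bank and the user's token
# (provisioned at enrollment; never sent over the web session itself).
TOKEN_SECRET = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")


def canonical(tx: dict, nonce: str) -> bytes:
    """Serialize exactly the fields the user is asked to approve."""
    return f"{tx['from']}|{tx['to']}|{tx['amount']}|{nonce}".encode()


def approval_code(tx: dict, nonce: str, secret: bytes = TOKEN_SECRET) -> str:
    """Computed on the user's token from the transaction details shown to the user.

    Truncated to 8 digits so it can be typed; the server must rate-limit
    guesses because the truncation lowers brute-force resistance.
    """
    mac = hmac.new(secret, canonical(tx, nonce), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def server_verify(tx: dict, nonce: str, code: str, secret: bytes = TOKEN_SECRET) -> bool:
    """Recompute over the transaction the server is actually about to execute."""
    return hmac.compare_digest(approval_code(tx, nonce, secret), code)


def demo() -> dict:
    tx = {"from": "ACCT-1001", "to": "ACCT-2002", "amount": "250.00"}
    nonce = secrets.token_hex(8)      # fresh per transaction: a code is single-use
    code = approval_code(tx, nonce)   # what the user reads off the token
    # Same session, same cookie, same IP: an altered payee must still fail.
    altered = dict(tx, to="ACCT-9999")
    return {
        "genuine": server_verify(tx, nonce, code),
        "altered_payee": server_verify(altered, nonce, code),
        "reused_code": server_verify(tx, secrets.token_hex(8), code),
    }


if __name__ == "__main__":
    print(demo())
```

The user-facing step that makes this "involve the user" is that the token displays the payee and amount alongside the code, so the user confirms what the server will execute, not what the browser rendered.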


