Strong Authentication

ETrade to deploy RSA tokens - but does it stop phishing?

ETrade announced that they would be offering RSA SecurID key fob tokens to account holders with more than $50,000 in assets.

In general, I look at this as good news for the industry. As RSA will tell you, only about 15% of all remote and mobile workers use two-factor authentication. If that number is correct and it grows on a normal curve, look out! It will be a big rising tide and should lift the WiKID boat as well. So anything that promotes two-factor authentication in general is good. It is, after all, an absolutely huge market. And it is far, far more secure than using passwords. (I guess it is too expensive, though, for all ETrade customers ;).

However, I want to point out something that Adam Shostack pointed out to me: using two-factor alone doesn't stop phishing! It would be trivial for a phisher to log in to ETrade automatically within the 60-second passcode lifetime of SecurID. In fact, users might be lulled into a false sense of security by the use of the tokens and be more likely to succumb to a phishing scam.

At this point in time, WiKID is no better. However, we have thought about making our PC token launch the default browser to the correct SSL-certified page (perhaps even to the correct IP address, to avoid a poisoned DNS cache?). By making it easier for the user, they are less likely to go to a fake page. Thoughts?

The URL to Trackback this entry is:
http://www.wikidsystems.com/WiKIDBlog/14/tbping

Another plug for strong authentication

A great analogy: strong authentication is like Penicillin for your network security

To quote:
"Many, but not all, security problems will be solved if we can get away from reusable passwords. Here's a simple example: imagine if ATM machines didn't require an ATM card to dispense cash. Anyone who knew your account name and PIN could walk up, type them in, and empty your account. There is still ATM fraud today - cards can be counterfeited, PINs stolen or guessed, etc - but imagine the level of problems we would have if physical possession of the ATM card was part of ATM security."

I have often used the ATM analogy when explaining to non-IT people what WiKID does, but I have never used it this way. More impactful.

The URL to Trackback this entry is:
http://www.wikidsystems.com/WiKIDBlog/16/tbping

Why you need strong authentication wiki

I have come across a number of sites across the Internet that discuss why strong authentication is a good idea, and many go into good detail (such as http://mongers.org/authentication ), but I haven't ever seen a broad discussion of the reasons why in one place.

As noted in the previous post, you get a lot of benefits by deploying two-factor authentication, but what are they?

I figured the best way to get a comprehensive analysis was to create a Wiki and let the good folks of the Internet do the work for me. I have gotten it off to a start, but I'm sure there is plenty to add.

Presenting the Why You Need Strong Authentication wiki. Please contribute! (And let me know if there are problems ;)

The URL to Trackback this entry is:
http://www.wikidsystems.com/WiKIDBlog/17/tbping

A response to Bruce Schneier's "The Failure of Two-Factor Authentication"

I certainly agree with many parts of the recent essay and the interview on Computer World by Bruce Schneier, but I think it misses on a few key points and borders on pandering for press.

There is more to strong authentication than two factors

He seems to believe that SecurID and SMS-based tokens are the only form of two-factor authentication. Do a small bit of research and you may find other solutions that offer a lot more than just two factors. Bilateral authentication solves the man-in-the-middle attack. To say "See how two-factor authentication doesn't solve anything?" is just wrong.
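The bilateral authentication mentioned here, together with the PC-token idea from the ETrade post above, as an added example that is neither WiKID's code nor part of the original posts: the token refuses to produce a passcode until the server has proved, with an HMAC over a nonce the token chose, that it holds the shared secret, so a fake site carrying the bank's name gets nothing to relay. The shared secret, the host name, the message formats and the class names are all constructed assumptions for this example.

```python
import hashlib
import hmac
import secrets

# Constructed values for this example: a secret provisioned to one user's token
# and to the authentication server, and the host name the token is pinned to.
SHARED_SECRET = b"constructed-demo-token-secret"
BANK_HOST = "bank.example"


def server_proof(secret: bytes, host: str, client_nonce: bytes) -> str:
    """Server-side proof of possession of the shared secret, bound to the
    server's name and to a nonce the token chose (so it cannot be replayed)."""
    msg = b"server|" + host.encode() + b"|" + client_nonce
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def passcode(secret: bytes, host: str, server_nonce: bytes, digits: int = 8) -> str:
    """One-time passcode the token releases only after the server proved itself.
    It is bound to the server nonce, so it is good for exactly one challenge."""
    msg = b"client|" + host.encode() + b"|" + server_nonce
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


class AuthServer:
    """The genuine server: holds the shared secret and can prove it."""

    def __init__(self, secret: bytes, host: str):
        self.secret, self.host = secret, host
        self.pending = set()  # server nonces issued and not yet consumed

    def challenge(self, client_nonce: bytes) -> dict:
        server_nonce = secrets.token_bytes(16)
        self.pending.add(server_nonce)
        return {"host": self.host,
                "proof": server_proof(self.secret, self.host, client_nonce),
                "nonce": server_nonce}

    def verify(self, server_nonce: bytes, code: str) -> bool:
        if server_nonce not in self.pending:
            return False  # unknown or already-used challenge: no replay
        self.pending.discard(server_nonce)
        return hmac.compare_digest(passcode(self.secret, self.host, server_nonce), code)


class FakeServer:
    """A phishing site or DNS-poisoned host: it claims the bank's name but has
    no shared secret, so the best it can do is send a made-up proof."""

    def __init__(self, host: str):
        self.host = host

    def challenge(self, client_nonce: bytes) -> dict:
        return {"host": self.host, "proof": secrets.token_hex(32),
                "nonce": secrets.token_bytes(16)}


class PcToken:
    """The user's token client, pinned to the host it expects to talk to."""

    def __init__(self, secret: bytes, expected_host: str):
        self.secret, self.expected_host = secret, expected_host

    def request_passcode(self, server):
        client_nonce = secrets.token_bytes(16)
        reply = server.challenge(client_nonce)
        expected = server_proof(self.secret, self.expected_host, client_nonce)
        if reply["host"] != self.expected_host or not hmac.compare_digest(reply["proof"], expected):
            return None  # the server did not prove the secret: release nothing
        return reply["nonce"], passcode(self.secret, self.expected_host, reply["nonce"])


def run_scenario() -> dict:
    """Walk the exchange through against an impostor and against the genuine server."""
    genuine = AuthServer(SHARED_SECRET, BANK_HOST)
    impostor = FakeServer(BANK_HOST)  # same name, no secret
    token = PcToken(SHARED_SECRET, BANK_HOST)
    results = {}
    # The impostor cannot prove the secret, so the token never produces a code for it.
    results["impostor_gets_code"] = token.request_passcode(impostor) is not None
    # The genuine server proves itself; the token releases a code bound to its nonce.
    server_nonce, code = token.request_passcode(genuine)
    results["genuine_login"] = genuine.verify(server_nonce, code)
    # The same code presented a second time is rejected: the challenge was consumed.
    results["replay_accepted"] = genuine.verify(server_nonce, code)
    return results


if __name__ == "__main__":
    print(run_scenario())
```

What this exchange does not cover on its own is an attacker who relays the token's messages to the genuine server in real time; that is why the ETrade post pairs the server check with having the token itself open the browser at the verified address, so the user never types a code into a page the token has not vouched for.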

In the interview: "as more and more financial institutions start implementing two-factor authentication, the banks will start seeing diminishing returns". This is Econ 101. Everything moves toward diminishing returns unless you have an inefficient market. That doesn't mean you shouldn't invest.

"Too Little, Too Late" strikes me as pandering for a headline. You could say the same thing about anti-virus and patch management: as soon as zero-day exploits are a fact of everyday life, there is no point in patching. Why bother?

"The problem isn't how to secure the user's computer or how to authenticate. The problem is fraudulent transactions. And the solution is to make the financial institutions liable for fraudulent transactions." They are all "problems". From an economic perspective, making the banks more liable (they certainly have some liability now) may be the best way to regulate. Certainly better than requiring two-factor authentication. However, authentication, poor end-user security and fraudulent transactions are all problems, and there are solutions for them.

The banking industry might prefer this as well. It makes a very level playing field and the big banks know that the returns will diminish and other banks will benefit from their pioneering. While the big banks invest in two-factor early and get better returns, they know that smaller players will 'follow fast' and get the same returns as costs drop.

I prefer the term strong authentication for what we do, because I see us moving beyond just two-factor and being able to react to and combat attacks that a simple token cannot.

The URL to Trackback this entry is:
http://www.wikidsystems.com/WiKIDBlog/18/tbping

Validating online transactions with two-factor authentication

There has been much discussion recently about session hijacking attacks. Briefly, a trojan sits on your machine, and when you go to an online banking URL, the trojan kicks in and makes a fraudulent transaction inside your SSL-encrypted session. Pretty strong stuff, seemingly.

Bruce Schneier points to this as evidence that strong authentication is "too little, too late". Unfortunately, Mr. Schneier is authenticating the wrong thing (or just not enough). If you use strong authentication for the transaction as well as the session, you have successfully thwarted the hijacker.

Picture it this way: you log in with your username and one-time password. You can see balances, etc. The trojan kicks in and writes out a check to a fraudulent account. However, before the transaction is completed, the online bank asks for another one-time password before it will process the transaction. The trojan can't provide it, and it fails. In the meantime, the user selects some bills to pay, enters their one-time passcode and is done.

Banks need strong authentication desperately

Forrester Research is urging banks to adopt additional security to fight phishing and other forms of fraud, including strong authentication.

"Two-fifths of the European internet users who don't use online banking say they are holding back because they worry about security, according to a survey of nearly 23,000 Europeans by Forrester Research." - from the article on silicon.com. The research also indicates that some people have stopped doing online banking because of security concerns.

"Banks should look to educate net users about security precautions, not let usability fears compromise security, deploy or strengthen two-factor authentication urgently, and collaborate rather than compete on security," according to Forrester.

Looks like the report was finished before Bruce Schneier's essay, which I have already discussed more than once ;). To sum up, he misses on a couple of points: 1. You can strongly authenticate the transaction as well as the session to avoid session hijacking, and 2. There are other forms of strong authentication besides brain-dead hardware tokens that can fight DNS cache poisoning and other man-in-the-middle attacks. We'll see if Forrester picks a fight!

You can also find the article on Out-Law.com

The URL to Trackback this entry is:
http://www.wikidsystems.com/WiKIDBlog/20/tbping

More on effectiveness of strong authentication

Network World has given Bruce Schneier a chance to clarify his position that strong authentication is "Too Little Too Late" and has given RSA's CTO, Joe Uniejewski, a chance to rebut.

While Schneier does clarify that he's not against strong authentication, he seems to think it's not going to be effective against identity theft and fraud. He references the fact that credit card companies pay little attention to authenticating the identity of the individual and focus on authenticating the transaction. However, he seems to think that two-factor authentication can't do this! As I have discussed before, why not? This seems like a great solution: log in with your password, but when you want to do a transaction, give us the one-time password.
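The two-step scheme described here and in the session-hijacking post above, as an added example that is neither WiKID's code nor part of the original posts: a counter-based one-time passcode (the RFC 4226 HOTP construction) gates login, and a second, fresh passcode gates each transfer, so a trojan sitting inside the authenticated session has nothing to submit. It goes one step beyond the posts by also mixing the payee and amount shown on the token into that second passcode, so a trojan that rewrites the transaction in flight cannot reuse the user's code. The secret, account names, session identifier and class names are constructed values for this example.

```python
import hashlib
import hmac
import struct

# Constructed secret shared by one user's token and the bank (an assumption
# for this example; real deployments provision a secret per user).
TOKEN_SECRET = b"constructed-demo-secret-0001"


def hotp(secret: bytes, counter: int, context: bytes = b"", digits: int = 6) -> str:
    """HMAC-based one-time passcode. With an empty context this is the RFC 4226
    construction; a non-empty context mixes transaction details into the code,
    which is the step beyond the plain second passcode the post describes."""
    msg = struct.pack(">Q", counter) + context
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def transaction_context(payee: str, amount: int) -> bytes:
    """What a transaction passcode is bound to: the payee and amount shown on the token."""
    return f"{payee}|{amount}".encode()


class Token:
    """The user's side: a counter-based token that emits the next passcode."""

    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def next_code(self, context: bytes = b"") -> str:
        code = hotp(self.secret, self.counter, context)
        self.counter += 1
        return code


class Bank:
    """The server side: one-time passcodes gate both login and each transaction."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret, self.window = secret, window
        self.counter = 0  # lowest counter value still acceptable
        self.sessions = set()
        self.ledger = []

    def _verify(self, code: str, context: bytes = b"") -> bool:
        # Accept a small look-ahead window, but never a counter already used:
        # every passcode is single-use, so a sniffed one cannot be replayed.
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c, context), code):
                self.counter = c + 1
                return True
        return False

    def login(self, code: str):
        if not self._verify(code):
            return None
        session = "session-1"  # constructed session identifier
        self.sessions.add(session)
        return session

    def transfer(self, session: str, payee: str, amount: int, code: str) -> str:
        """A logged-in session is not enough: the transfer needs a fresh passcode
        computed over this payee and amount."""
        if session not in self.sessions:
            return "denied: not logged in"
        if not self._verify(code, transaction_context(payee, amount)):
            return "denied: transaction passcode invalid"
        self.ledger.append((payee, amount))
        return "accepted"


def run_scenario() -> dict:
    """Replay the post's story: login, a trojan inside the session, then the user's own payment."""
    token, bank = Token(TOKEN_SECRET), Bank(TOKEN_SECRET)
    results = {}
    login_code = token.next_code()
    session = bank.login(login_code)
    results["login"] = session is not None
    # The trojan in the authenticated session tries to move money with no passcode...
    results["trojan_no_code"] = bank.transfer(session, "mule-account", 5000, "")
    # ...then replays the passcode it watched the user type at login.
    results["trojan_replay"] = bank.transfer(session, "mule-account", 5000, login_code)
    # The user pays a bill: the token shows payee and amount and derives the code from them.
    user_code = token.next_code(transaction_context("electric-utility", 120))
    # The trojan rewrites the payee in flight but can only submit the user's code.
    results["trojan_swap"] = bank.transfer(session, "mule-account", 120, user_code)
    # The user's own transaction, exactly as displayed on the token, is accepted.
    results["user_payment"] = bank.transfer(session, "electric-utility", 120, user_code)
    results["ledger"] = list(bank.ledger)
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The look-ahead window in `_verify` is the usual HOTP resynchronisation allowance; what matters for the hijacking case is that the counter only ever moves forward, so neither the login code nor a code meant for a different payee and amount will ever clear a transfer.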

Uniejewski's response misses this fact, unfortunately. He indicates that RSA is looking at ways to "raise the standard authentication interfaces".

Both authors agree that passwords are past their prime.

It's a complex issue that threatens online banking and e-commerce. There are a number of attacks on the client, the servers and the network that make it difficult for any single solution to fix all the problems. If you look at the credit card processing systems and ATM systems out there, you can see the complexity that has developed to address security. It is important to remember that it is an ongoing battle, and also that the risk needs to be minimized to a point where it can be insured against.

The URL to Trackback this entry is:
http://www.wikidsystems.com/WiKIDBlog/22/tbping

Re:More on effectiveness of strong authentication

Posted by Anonymous User at Mar 22, 2007 08:17 AM
2fa as a captcha

Majority of LexisNexis breaches the result of stolen credentials

As pointed out by Adam at Emergent Chaos:

The company said that the 59 identified incidents -- 57 at Seisint and two in other LexisNexis units -- largely related to the misappropriation by third parties of IDs and passwords of legitimate customers and stressed that neither LexisNexis nor the Seisint technology infrastructure was breached by hackers.

So, essentially, if LexisNexis had been using strong authentication for their customers, none of this would have happened.


I'm starting to think (well, have been for a while) that the big market for strong authentication will be in customer access, not your typical VPN access as it is today. I predict that the number of customer two-factor authentication users will exceed the number of employee two-factor authentication users in two years.

The URL to Trackback this entry is:
http://www.wikidsystems.com/WiKIDBlog/24/tbping