Skip to main content

two-factor-authentication-hysteria-continues


As I predicted, the hysteria around the , well, hysteria in the information security blogosphere, which is a pretty small part of the blogosphere.

As I discussed before, this is a failure of mutual authentication not two-factor authentication. Here are some the headlines:

On the other hand, and sadly in the minority, zencoder has it right: Pundits Blaming 2-Factor Authentication…Again

you can’t use 2-factor authentication to protect a telnet session and expect it to be valid hosts guaranteed on both ends…telnet doesn’t have that sort of capability built into the protocol; but that’s not a problem with the 2-factor auth.

Security Curve, is also on the right track regarding two-factor authentication:

This proves the point that I've been trying to make for the past two years - namely, that the reason that phishing works is not because we don't have sufficiently robust user authentication. No, the reason that phishing works is that we don't have sufficient authentication of the server. Mark my words - you could use as many user authentication vehicles as you want and phishing is still a possibility.
IMO, you need mutual authentication - better host authentication and better user authentication - and add on better transaction authentication to make financial services acceptably secure online.

I think we do as much of a disservice to the Internet community when we inaccurately blame technology as when we inaccurately promote it as a silver bullet.

Current rating: 2.3

Recent Posts

Archive

2024
2022
2021
2019
2018
2017
2016
2015
2014
2013
2012
2011
2010
2009
2008

Categories

Tags

Authors

Feeds

RSS / Atom