Two-factor authentication hysteria continues

As I predicted, the hysteria around the , well, hysteria in the information security blogosphere, which is a pretty small part of the blogosphere.

As I discussed before, this is a failure of mutual authentication, not two-factor authentication. Here are some of the headlines:

On the other hand, and sadly in the minority, zencoder has it right: Pundits Blaming 2-Factor Authentication…Again

you can’t use 2-factor authentication to protect a telnet session and expect it to be valid hosts guaranteed on both ends…telnet doesn’t have that sort of capability built into the protocol; but that’s not a problem with the 2-factor auth.

Security Curve is also on the right track regarding two-factor authentication:

This proves the point that I've been trying to make for the past two years - namely, that the reason that phishing works is not because we don't have sufficiently robust user authentication. No, the reason that phishing works is that we don't have sufficient authentication of the server. Mark my words - you could use as many user authentication vehicles as you want and phishing is still a possibility.
IMO, you need mutual authentication - better host authentication and better user authentication - and add on better transaction authentication to make financial services acceptably secure online.

I think we do as much of a disservice to the Internet community when we inaccurately blame technology as when we inaccurately promote it as a silver bullet.
