Enterprise security architects are traditionally very wary of systems that rely on third parties for access, uptime or security. Ironically, many of these same architects deployed RSA SecurID systems without considering (or heavily discounting) the fact that RSA kept copies of the token seeds for licensing purposes.
My intention here is not to pile on RSA, but rather to clarify the root cause, because as organizations evaluate alternatives to SecurID, they are often making the same mistake: relying on a security vendor's infrastructure - or worse, using a system like SMS, where the provider is not even a security vendor! That's not to say that some organizations might not be better off using a service, but they should be aware of the risks, just as some organizations will be better off "in the cloud" while some will not.

I dislike all the confusion around two-factor authentication. Security people seem to ignore the difference between shared secrets and asymmetric encryption, between services and software, etc. I don't know why two-factor authentication is such an emotional issue. Pundits like to say things like "too little, too late" about it. Excessive negativity does nothing to increase security.
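The shared-secret versus asymmetric distinction above is easiest to see in code. The following is an added example, not code from the original post and not RSA's SecurID algorithm (which is proprietary); it assumes a standard RFC 6238 TOTP over HMAC-SHA1 as the shared-seed model and an Ed25519 challenge-response as the asymmetric model. The seed value is the RFC 6238 test-vector seed, and the function and type names are this example's own. The point it shows: with a shared seed, the verifier's stored record is the same secret the token holds, so any party that also keeps a copy (a vendor, a licensing database, a backup) can compute valid codes; with an asymmetric credential, the verifier stores only a public key, which is useless for producing a valid response.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// totp computes an RFC 6238 code (HMAC-SHA1 variant). Whoever holds `seed`
// can compute this for any time: the token, the verifier, or a third party.
func totp(seed []byte, unixTime int64, step int64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/step))
	mac := hmac.New(sha1.New, seed)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	// Dynamic truncation (RFC 4226 section 5.4).
	off := h[len(h)-1] & 0x0f
	code := (uint32(h[off])&0x7f)<<24 | uint32(h[off+1])<<16 |
		uint32(h[off+2])<<8 | uint32(h[off+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// verifyTOTP is the verifier side of the shared-seed model. Note what it must
// store to do its job: the seed itself, a copy of the user's only secret.
func verifyTOTP(storedSeed []byte, code string, now int64) bool {
	for w := int64(-1); w <= 1; w++ { // allow one step of clock skew
		if hmac.Equal([]byte(totp(storedSeed, now+w*30, 30, 6)), []byte(code)) {
			return true
		}
	}
	return false
}

// Enrollment is the verifier side of the asymmetric model: only the public
// key is stored, and a breach of this record does not let anyone respond.
type Enrollment struct {
	Pub ed25519.PublicKey
}

// issueChallenge generates a fresh random nonce for the device to sign.
func issueChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// verifyResponse checks the device's signature over the challenge using only
// the enrolled public key. The private key never leaves the device.
func verifyResponse(e Enrollment, challenge, sig []byte) bool {
	return ed25519.Verify(e.Pub, challenge, sig)
}

func main() {
	// Constructed seed: the RFC 6238 test vector, not a real token seed.
	seed := []byte("12345678901234567890")
	now := time.Now().Unix()
	code := totp(seed, now, 30, 6) // what the token displays ...
	fmt.Println("token shows:", code, "verifier accepts:", verifyTOTP(seed, code, now))
	// ... and what any holder of a seed copy can also derive, no token needed.
	fmt.Println("seed copy derives:", totp(seed, now, 30, 6))

	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	ch, _ := issueChallenge()
	sig := ed25519.Sign(priv, ch) // happens on the device
	fmt.Println("asymmetric response accepted:", verifyResponse(Enrollment{Pub: pub}, ch, sig))
}
```

The contrast is in the two verifier-side data structures: `verifyTOTP` cannot work without the seed, so every copy of it (including a vendor's) is a full credential, while `Enrollment` holds nothing that can be turned into a valid response.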
There are two big trends occurring now: increased adoption of two-factor authentication due to cloud-based services and compliance requirements such as PCI, and a re-evaluation of the price/benefit of expensive hardware tokens (which started well before the RSA attack). It is my hope that organizations will make intelligent decisions about the products they choose based on their risk profile and capabilities. It is my concern that we are not giving any clear thought to the matter.