Posted by: admin, 15 years, 7 months ago
I certainly agree with many parts of the recent essay and the interview on Computer World by Bruce Schneier, but I think it misses on a few key points and borders on pandering for press.

There is more to strong authentication than two factors

He seems to believe that SecurID tokens and SMS systems are the only form of two-factor authentication. Do a small bit of research and you may find some other solutions that offer a lot more than just two factors. Bi-lateral authentication solves the man-in-the-middle attack. To say "See how two-factor authentication doesn't solve anything?" is just wrong.
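To make the bi-lateral (mutual) authentication point concrete, here is an added example that is not code from the original post and does not describe WiKID's own protocol. It models a token that demands proof of the server's identity before it releases a one-time passcode, with a constructed shared secret and constructed endpoint identities (stand-ins for the certificate fingerprint a client observes on its TLS connection). It goes a step beyond the post: it also shows that a server proof covering only a nonce can be relayed by a lookalike site, so the proof has to be bound to the endpoint the client is actually talking to for the man-in-the-middle defence to hold.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret provisioned to one token and to the bank's auth server.
SHARED_SECRET = b"constructed-example-token-seed-0001"
# Constructed endpoint identities. In practice this would be the certificate
# fingerprint the client sees on its TLS connection; here they are labelled strings.
BANK_ENDPOINT = "bank.example|sha256:constructed-fingerprint-A"
LOOKALIKE_ENDPOINT = "bank-example.test|sha256:constructed-fingerprint-B"


def server_proof(secret, client_nonce, endpoint_id):
    """HMAC proving the responder knows the secret. With endpoint_id=None the proof
    covers only the client's nonce (unbound); otherwise it also covers the identity
    of the endpoint the responder is answering as."""
    msg = b"server-auth|" + client_nonce
    if endpoint_id is not None:
        msg += b"|" + endpoint_id.encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()


def one_time_passcode(secret, client_nonce, server_nonce):
    """Client's second factor: an 8-digit code derived from both nonces and the secret."""
    mac = hmac.new(secret, b"client-auth|" + client_nonce + b"|" + server_nonce,
                   hashlib.sha256).digest()
    return "%08d" % (int.from_bytes(mac[:4], "big") % 10**8)


class AuthServer:
    """The bank's authentication server; it only ever answers as BANK_ENDPOINT."""

    def __init__(self, secret, bind_to_endpoint):
        self.secret = secret
        self.endpoint_id = BANK_ENDPOINT if bind_to_endpoint else None
        self.last_client_nonce = None
        self.server_nonce = None

    def challenge(self, client_nonce):
        self.last_client_nonce = client_nonce
        self.server_nonce = secrets.token_bytes(16)
        return self.server_nonce, server_proof(self.secret, client_nonce, self.endpoint_id)

    def verify_otp(self, otp):
        expected = one_time_passcode(self.secret, self.last_client_nonce, self.server_nonce)
        return hmac.compare_digest(expected, otp)


class RelayAttacker:
    """Lookalike site that forwards every message to the real server unchanged and
    records whatever the client sends back. It never learns the shared secret."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.captured_otp = None

    def challenge(self, client_nonce):
        return self.upstream.challenge(client_nonce)

    def verify_otp(self, otp):
        self.captured_otp = otp
        return self.upstream.verify_otp(otp)


def token_login(secret, endpoint, observed_endpoint_id, bind_to_endpoint):
    """Token client: authenticate the server first, and release the passcode only if
    the proof verifies against the endpoint the client is actually connected to."""
    client_nonce = secrets.token_bytes(16)
    server_nonce, proof = endpoint.challenge(client_nonce)
    expected = server_proof(secret, client_nonce,
                            observed_endpoint_id if bind_to_endpoint else None)
    if not hmac.compare_digest(expected, proof):
        return {"server_accepted": False, "otp_released": False, "login_ok": False}
    otp = one_time_passcode(secret, client_nonce, server_nonce)
    return {"server_accepted": True, "otp_released": True,
            "login_ok": endpoint.verify_otp(otp)}


def run_scenario(bind_to_endpoint, relayed):
    """Run one login, optionally through a relaying lookalike site, and report
    what the client accepted and whether the attacker captured a usable passcode."""
    server = AuthServer(SHARED_SECRET, bind_to_endpoint)
    if relayed:
        attacker = RelayAttacker(server)
        result = token_login(SHARED_SECRET, attacker, LOOKALIKE_ENDPOINT, bind_to_endpoint)
        result["otp_captured"] = attacker.captured_otp is not None
    else:
        result = token_login(SHARED_SECRET, server, BANK_ENDPOINT, bind_to_endpoint)
        result["otp_captured"] = False
    return result


if __name__ == "__main__":
    for bind in (False, True):
        for relay in (False, True):
            print("bound=%s relayed=%s -> %s" % (bind, relay, run_scenario(bind, relay)))
```

The unbound variant passes mutual authentication even through the relay, because the lookalike simply forwards the nonce and the genuine proof comes back; the bound variant fails the client-side check at the lookalike, so the passcode is never generated and there is nothing to capture.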
In the interview: "as more and more financial institutions start implementing two-factor authentication, the banks will start seeing diminishing returns". This is econ 101. Everything moves toward diminishing returns, unless you have an inefficient market. Doesn't mean you shouldn't invest.
The headline "Too Little, Too Late" strikes me as pandering for a headline. You could say the same thing about anti-virus and patch management: as soon as zero-day exploits are a fact of everyday life, there is no point in patching. Why bother?
"The problem isn't how to secure the user's computer or how to authenticate. The problem is fraudulent transactions. And the solution is to make the financial institutions liable for fraudulent transactions." They are all "problems". From an economic perspective, making the banks more liable (because they certainly have some liability now) may be the best way to regulate. Certainly better than requiring two-factor authentication. However, authentication and poor end-user security and fraudulent transactions are all problems and there are solutions for them.
The banking industry might prefer this as well. It makes a very level playing field and the big banks know that the returns will diminish and other banks will benefit from their pioneering. While the big banks invest in two-factor early and get better returns, they know that smaller players will 'follow fast' and get the same returns as costs drop.
I prefer the term strong authentication for what we do, because I see us moving beyond just two-factor and being able to react to and combat attacks that a simple token cannot.