a-response-to-bruce-schneiers-the-failure-of-two

I certainly agree with many parts of the recent essay and the interview on Computer World by Bruce Schneier, but I think it misses on a few key points and borders on pandering for press.

There is more to strong authentication than two-factors

He seems to believe that SecurID tokens and SMS-based systems are the only forms of two-factor authentication. Do a small bit of research and you may find other solutions that offer a lot more than just two factors. Bi-lateral authentication solves the man-in-the-middle attack. To say "See how two-factor authentication doesn't solve anything?" is just wrong.

In the interview: "as more and more financial institutions start implementing two-factor authentication, the banks will start seeing diminishing returns". This is econ 101. Everything moves toward diminishing returns, unless you have an inefficient market. Doesn't mean you shouldn't invest.

"Too Little, Too Late". Strikes me as pandering for a headline. You could say the same thing about anti-virus and patch management. As soon as zero-day exploits are a fact of everyday life, then there is no point in patching. Why bother?

"The problem isn't how to secure the user's computer or how to authenticate. The problem is fraudulent transactions. And the solution is to make the financial institutions liable for fraudulent transactions." They are all "problems". From an economic perspective, making the banks more liable (because they certainly have some liability now) may be the best way to regulate. Certainly better than requiring two-factor authentication. However, authentication and poor end-user security and fraudulent transactions are all problems and there are solutions for them.

The banking industry might prefer this as well. It makes a very level playing field and the big banks know that the returns will diminish and other banks will benefit from their pioneering. While the big banks invest in two-factor early and get better returns, they know that smaller players will 'follow fast' and get the same returns as costs drop.

I prefer the term strong authentication for what we do, because I see us moving beyond just two-factor and being able to react to and combat attacks that a simple token cannot.
