
Bob Blakely and Radovan Semančík are blogging about two-factor authentication and the problems with passwords. Bob thinks we should get rid of passwords this decade. Radovan thinks that it may be harder than that.

I have three comments. First, I think too many people are looking for the single two-factor authentication solution that will end passwords. I think that is overkill. What users need is a handful of strong authentication options that will replace the hundreds of passwords they have now. Some could be on your PC, some on a cell phone or pager, some on a USB token.

A user might have a PC-based token that handles mutual authentication. This would eliminate the man-in-the-middle attacks that Bob points out, forcing attackers to fall back on a Trojan horse, which, as Bob also notes, is a lot harder to do.

Or, a user might have a cell-phone-based token that supports both session authentication and transaction authentication. Then they can do online banking over a public wifi connection without fear that a MITM will clear their account.

Or, a user could have a browser-based token for session and host/mutual authentication and a cell-phone-based token for transaction authentication. Users may have OATH tokens, RSA tokens, maybe even WiKID, but they will definitely have more than one.

Radovan points out that shared-secret strong authentication will result in at least dozens of tokens on a key chain. I have posted before about this issue. Short answer: use public keys, not shared secrets. This is a problem I have with OATH.
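Transaction authentication with a public key, as described in the cell-phone token and public-key paragraphs above, as an added example that is not from the original post or from WiKID: the phone token signs the transfer details plus a bank-issued challenge with an Ed25519 key, the bank holds only the public key, and a request altered in transit fails verification. The account names, amounts and the choice of Ed25519 are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Transaction is what the phone token signs: the details the user confirms on the
// handset plus a bank-issued challenge, so a captured signature cannot be replayed.
type Transaction struct {
	FromAccount, ToAccount string
	AmountCents            uint64
	Challenge              [16]byte
}

// Canonical encodes the transaction unambiguously (strings are length-prefixed) so the
// token and the bank sign and verify exactly the same bytes.
func (t Transaction) Canonical() []byte {
	return []byte(fmt.Sprintf("%d:%s|%d:%s|%d|%x", len(t.FromAccount), t.FromAccount,
		len(t.ToAccount), t.ToAccount, t.AmountCents, t.Challenge))
}

// Enroll creates the token's key pair; the bank stores only the public key.
func Enroll() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignTransaction runs on the phone; the private key never touches the PC or the wifi.
func SignTransaction(priv ed25519.PrivateKey, t Transaction) []byte {
	return ed25519.Sign(priv, t.Canonical())
}

// VerifyTransaction runs at the bank against the enrolled public key.
func VerifyTransaction(pub ed25519.PublicKey, t Transaction, sig []byte) bool {
	return ed25519.Verify(pub, t.Canonical(), sig)
}

func main() {
	pub, priv, _ := Enroll()
	var ch [16]byte
	rand.Read(ch[:]) // bank-issued per-transaction challenge (assumed flow)
	tx := Transaction{"CHK-1001", "SAV-2002", 12500, ch} // constructed sample transfer
	sig := SignTransaction(priv, tx)
	mitm := tx // an attacker on the wifi rewrites the request after the user signed it
	mitm.ToAccount, mitm.AmountCents = "EXT-9999", 999900
	fmt.Println("genuine:", VerifyTransaction(pub, tx, sig), "altered:", VerifyTransaction(pub, mitm, sig))
}
```

Because the signature covers the recipient, the amount and the challenge, a MITM can neither redirect the signed transfer nor replay it against a later challenge; it can only drop it.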

IMO, the biggest thing we can do to start getting rid of passwords is to have a free option. That's the main reason we open-sourced WiKID. Users have far too many passwords. Some are really important and some just aren't. There's no reason to use biometrics to log into MySpace.

Second, it seems like people dis strong authentication because it is so susceptible to spyware. Well, strong authentication doesn't stop spyware. Anti-spyware stops spyware.

Third, I like Pamela's idea in Bob's comments of a Tamagotchi token you have to feed. Pam: If it runs J2ME, we can do it ;).