Bob Blakley and Radovan Semančík are blogging about two-factor authentication and the problems with passwords. Bob thinks we should get rid of passwords this decade. Radovan thinks that it may be harder than that.

I have three comments. First, I think too many people are looking for the single two-factor authentication solution that will end passwords. I think that is overkill. What users need is a handful of strong authentication options that will replace the hundreds of passwords they have now. Some could be on your PC, some on a cell phone or pager, some on a USB token.

A user might have a PC-based token that handles mutual authentication. This would eliminate the man-in-the-middle attacks that Bob points out. It forces the attackers to use a Trojan horse, but as Bob points out, that is a lot harder to do.

Or, a user might have a cell-phone-based token that supports both session authentication and transaction authentication. Then, they can do online banking on a public Wi-Fi connection without fear that a MITM will clear their account.

Or, a user could have a browser-based token for sessions and host/mutual authentication and a cell-phone-based token for transaction authentication. Users may have OATH tokens, RSA tokens, maybe even WiKID, but they will definitely have more than one.

Radovan points out that shared-secret strong authentication will result in at least dozens of tokens on a key chain. I have posted before about this issue. Short answer: use public keys and not shared secrets. This is a problem I have with OATH.
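The shared-secret point, as an added example that is not from the original post and is not OATH or WiKID code: an RFC 4226 HOTP verifier must store the same secret the token holds, so a secret reused across two sites lets the first site's database record alone produce a code the second site accepts. That is why every site needs its own secret, and its own token. The `Verifier` class, the site names and the second secret are constructed for illustration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Verifier:
    """A relying party (hypothetical). Checking a code requires the secret itself."""

    def __init__(self, name: str):
        self.name = name
        self.db = {}  # user -> [secret, next_counter]

    def enroll(self, user: str, secret: bytes) -> None:
        self.db[user] = [secret, 0]

    def verify(self, user: str, code: str) -> bool:
        secret, counter = self.db[user]
        ok = hmac.compare_digest(hotp(secret, counter), code)
        if ok:
            self.db[user][1] = counter + 1  # a counter value is accepted once
        return ok


def stored_record_passes_elsewhere(shared: bool) -> bool:
    """True if site A's stored record alone yields a code that site B accepts."""
    secret_a = b"12345678901234567890"  # RFC 4226 test secret
    secret_b = secret_a if shared else b"constructed-secret-B!"
    site_a, site_b = Verifier("A"), Verifier("B")
    site_a.enroll("alice", secret_a)
    site_b.enroll("alice", secret_b)
    stored_secret, _ = site_a.db["alice"]  # all that A's database holds
    return site_b.verify("alice", hotp(stored_secret, 0))


if __name__ == "__main__":
    print("one secret on both sites :", stored_record_passes_elsewhere(True))
    print("separate secret per site :", stored_record_passes_elsewhere(False))
```

With public keys the verifier would store only a public key, which cannot be used to produce a valid response, so one key pair could be enrolled at many sites.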

IMO, the biggest thing we can do to start getting rid of passwords is to have a free option. That's the main reason we open-sourced WiKID. Users have far too many passwords. Some are really important and some just aren't. There's no reason to use biometrics to log into MySpace.

Second, seems like people dis strong authentication because it is so susceptible to spyware. Well, strong authentication doesn't stop spyware. Anti-spyware stops spyware.

Third, I like Pamela's idea in Bob's comments of a Tamagotchi token you have to feed. Pam: If it runs J2ME, we can do it ;).
