Passwords have been around forever and it's starting to show. The next level of authentication security is two-factor authentication. Your ATM card is an example of two-factor authentication: you need both possession of the card and knowledge of the PIN to get cash. There are a number of factors that are pushing two-factor authentication toward a tipping point.

  • Compliance - Increasingly, companies deploy two-factor authentication because they are forced to. The credit card companies require merchants and payment processors to meet the PCI Data Security Standard, which requires two-factor authentication for remote access to the cardholder-data network. Banks are subject to FFIEC guidance that promotes two-factor authentication.
  • Risks are increasing - Hackers are now coin-operated: they do it for the money. There are many ways to make money with stolen information with very little risk of being arrested, and attacks on corporations are increasingly targeted and hard to stop. Defense in depth will be required, and two-factor authentication will be used for employee remote access and also inside the firewall for key systems and admin accounts.
  • Ease of use - There are more two-factor solutions today. Some run on USB drives, some on cell phones and Blackberries, some on PCs. We even have a Firefox extension. These options are more convenient than tokens and in some cases, more convenient than passwords.
  • Cheaper - All these options are driving prices down, making two-factor authentication less expensive than passwords - because resetting passwords costs money too. WiKID provides both a commercial version and an open source version.
  • Password overload - People have more and more accounts online and more and more passwords. They either re-use passwords, use simple, breakable passwords, or forget them.
  • Private Personal Information - It's everywhere. If you have an HR database you have information that is valuable to hackers. They can be on the other side of the world and sell personal information on the Internet.
  • Single Sign-On - There are a number of great single sign-on projects today (InfoCards, OpenID, Higgins, etc.). These tools promise to reduce the number of accounts and passwords you have. At the same time they put a lot of eggs in one basket, and you need to protect that basket.
  • SaaS - Software as a Service is exploding thanks to web-based apps like Google Apps for your Domain, Amazon Web Services and all the great web 2.0 applications. The weakest link in the security of these applications is the password. It is far simpler to steal a user's password than to break into the server or decrypt the SSL tunnel.
  • Increasing value of intangible items - The Internet has created new intangible items that have value: your eBay reputation or virtual money in Second Life, for example. Access to these items is based entirely on your credentials, and you will want to protect them; there have already been examples of stealing real identities in order to steal virtual items and sell them for real cash.

On the other hand, here are some reasons you might not see true two-factor authentication in the near future:

  • The secret second factor - Cookies, flash objects, IP addresses and MAC addresses can be used surreptitiously to attempt to validate a computer or browser. However, these are easily spoofed or actively deleted by the user. If you are a regular cookie deleter or have privacy software that deletes them for you, you might find that you get asked additional "security questions".
  • More of one factor - You might see more of one factor instead of two factors. The best example of this is the "security questions" referred to above. Having more of one factor does not make it two-factor: security questions are still something you know, and an attacker who can phish one secret can phish several. Two different factors are required because the attacker must then compromise two independent things (for example, steal a device and learn a secret), which is what raises attack complexity.
  • Misguided expectations for two-factor authentication - Deploying it won't solve all your problems. Moreover, some financial institutions are deploying it in a sub-optimal way. For example, some banks use tokens only for session authentication. Without mutual authentication that is still vulnerable to man-in-the-middle attacks, and a compromised browser can relay a valid one-time password and then alter the transaction behind it. This could cause a backlash against two-factor. They should use the one-time passwords to validate transactions rather than sessions, binding the code to the transaction details (amount, payee) so that a code captured for one transaction cannot authorize a different one. After all, they are trying to stop fraudulent transactions.
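To make the session-versus-transaction point concrete, here is an added Python example (not WiKID's protocol or any bank's implementation). It assumes a shared secret established at enrollment and a hypothetical man-in-the-middle who rewrites the payee. A session-style OTP binds only to a counter, so the relayed code still authorizes the altered transaction; a transaction-style OTP mixes the amount and payee into the HMAC input, so the same tampering makes the code fail verification. The counter, amount and payee values are constructed sample data.

```python
import hashlib
import hmac
import struct

# Constructed demo secret shared between token and server at enrollment (assumption).
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"


def hotp_digits(secret: bytes, message: bytes, digits: int = 6) -> str:
    """HMAC-SHA256 over `message`, dynamically truncated (RFC 4226 style) to decimal digits."""
    mac = hmac.new(secret, message, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def session_otp(secret: bytes, counter: int) -> str:
    """Session-style OTP: bound only to the counter, not to what the user is doing."""
    return hotp_digits(secret, struct.pack(">Q", counter))


def transaction_otp(secret: bytes, counter: int, amount_cents: int, payee: str) -> str:
    """Transaction-style OTP: bound to the counter AND the transaction details.
    Fixed-width fields avoid ambiguity between amount and payee bytes."""
    msg = struct.pack(">Q", counter) + struct.pack(">Q", amount_cents) + payee.encode("utf-8")
    return hotp_digits(secret, msg)


def bank_accepts_session_auth(submitted_code: str, counter: int,
                              amount_cents: int, payee: str) -> bool:
    """Bank checks only that the code matches the counter; transaction details are ignored."""
    expected = session_otp(SHARED_SECRET, counter)
    return hmac.compare_digest(submitted_code, expected)


def bank_accepts_transaction_auth(submitted_code: str, counter: int,
                                  amount_cents: int, payee: str) -> bool:
    """Bank recomputes the code over the transaction it actually received."""
    expected = transaction_otp(SHARED_SECRET, counter, amount_cents, payee)
    return hmac.compare_digest(submitted_code, expected)


def mitm_scenario(scheme: str) -> bool:
    """User intends $100.00 to 'ACME Utilities'; a hypothetical man-in-the-middle
    forwards the user's code but rewrites the payee. Returns True if the bank
    accepts the attacker's altered transaction."""
    counter = 42
    intended = (10_000, "ACME Utilities")
    altered = (10_000, "attacker-controlled account")  # constructed tampering
    if scheme == "session":
        code = session_otp(SHARED_SECRET, counter)       # what the user's token displays
        return bank_accepts_session_auth(code, counter, *altered)
    # Transaction signing: the token computes the code over details the user confirmed.
    code = transaction_otp(SHARED_SECRET, counter, *intended)
    return bank_accepts_transaction_auth(code, counter, *altered)


if __name__ == "__main__":
    print("session OTP, altered payee accepted:", mitm_scenario("session"))
    print("transaction OTP, altered payee accepted:", mitm_scenario("transaction"))
```

The transaction variant only helps if the user sees and confirms the amount and payee on something the attacker does not control (the token itself or an out-of-band display); if the compromised browser also chooses what the token signs, the binding is meaningless. Counter handling (rejecting replays and tolerating a small look-ahead window) is omitted here and must be present in a real deployment.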

What did I miss?
