Martin McKeay

Security Matters

Use two-factor authentication, unless it's too hard

Banks have been told that they need to start using two-factor authentication to verify their customers' identities by the end of this year.  More accurately, it has been strongly suggested: there is no mandate and no penalty for not doing so.  And if there are no penalties for not doing so, they probably won't.

I feel for the banks; supporting two-factor authentication even in an enterprise, where you control the configuration of 95% of the hardware (be realistic, few of us actually have control of 100% of our systems), is not a minor undertaking.  Now imagine a situation where you not only have to support Windows and Mac users, but you've got multiple versions of each OS with the occasional Linux user thrown in.  On top of that, the technical abilities of your end users range from computer scientists and hackers all the way to people who can barely find the power button on the front of the computer.

I don't think I like the solutions the banks are coming up with much better than the current situation.  I had a talk with Ravi Ganesan of TriCipher several months ago, and the crackers already have ways to overcome most of the 'single factor+' authentication methods.  Those attacks involve things like botnets, man-in-the-middle attacks, and viruses, so single factor+ is better than a simple password, but I'm not sure the additional effort is actually worth it.  Additionally, the extra information a customer is required to send each time they use a new system may actually reduce their overall security: an attacker can still fool a customer into giving up the information, and now the attacker knows a lot more about the victim, enabling other attacks and possibly identity theft.

There are no simple solutions to this issue.  One I've heard mentioned before, but not seen lately, is sending a one-time PIN to the phone number of record for the customer.  This doesn't solve the problem for everyone, but for people who have cell phones or only do their online banking from home (a good idea anyway), this works as an excellent form of two-factor authentication.  Someone probably has a way to break this too, and there are probably a number of situations where it won't work either.  But I feel safer getting a phone call from my bank than I do having to give up a lot of private information again.  And again.

What People Are Saying


Somewhat odd, but something must be done with the credit card system ASAP.
All additional security mechanisms put on, e.g., my MasterCard are only as useful as until they are used in the wrong place for the first time. Then, after running into a single phisher, there is virtually no method of proving I am not the one using the credit card; chopping it to pieces won't help, and I must have a 24x7 service at the bank to call immediately to cancel the card and lock the account.
In effect, a method is needed to verify each transaction, even if it causes a transaction delay measurable in hours or days. One-time passwords or challenge/response mechanisms ought to be used.
What is needed?
1. I make an online purchase.
2. The site sends a bill.
3. I sign the bill with my secret key. If the secret key is compromised, I can immediately change the secret key/public key pair and register a new one at my bank.
4. The site sends my signed credentials to my bank.
5. The bank approves or does not approve the transaction, depending on my bank account status and balance.
5a. The bank sends me the bill for verification. I can approve or not approve the charge and amount on the bill. Now it is based on confidence, which is not very good if you pay an anonymous site of a certain character at an unknown address in an unknown country, and you don't know whom to sue in case of disputed charges.
5b. I sign the bill with my secret code and reply to the bank.
6. The online site acknowledges my purchase, as it has been wired the money.
7. I am sent the goods or service.

Note that 5a and 5b introduce a delay, but then the system is practically PGP-strength proof against identity theft.

Since all data is transferred via a challenge/response method, identity theft is useless, since no data is valid twice.

If the secret key is stolen or lost, the credit card number does not have to be changed, nor is there a need to issue a new physical card: a call or visit to an online site is enough to cancel the old secret key/public key pair, with the time of cancellation, and all later uses of that key pair will be invalid, rejected and reported to some authority on suspicion of fraud.

WHO WOULD USE SUCH A SYSTEM? When we know that additional complexity prevents people from using PGP?

It should be seamlessly incorporated into major browsers. An optional new protocol or an extension of an existing protocol is required.

Physical token is optional.

This works this way:

1. Enter the card number on the purchase site.
2. The site makes an online connection to your bank.
3. The bank sends a challenge with the scrambled charge amount.
4. The site proxies the challenge.
5. You see the challenge, open the token, and type in the response, acknowledging the amount.
6. The site proxies your response to the bank.
7. The bank wires the money.
8. The site delivers the goods or service.

This has the strength of the bank's challenge/response algorithm. In case of a broken/compromised algorithm, a malicious online site could decrypt your token's state from your response and authorize a greater amount of money, forging the challenge as well, but this is a full compromise of the bank anyway, rather unlikely to happen, or at least much less likely than the possibility of compromise if you pay for pirated software over the net on a pirate site, or some other content.

The possibility of phishing is drastically reduced in both cases, since a phishing site can emulate neither the bank's secret key/public key algorithm nor the challenge/response algorithm, except in the case where the bank itself is compromised, or not even then if the strength depends on encryption rather than on trust in the bank's personnel.

In the case of an actual phishing site, all compromised information is used exactly once, and the charge amount is controlled and known in advance, so the damages are smaller by an order of magnitude compared to full identity theft with a series of charges from many sources to the account.

The existing credit card system is unusable, and it is based on a weakest-link strategy: a credit card account is only as secure as the weakest site where the credit card number was used and/or deposited.

It will break inevitably, sooner or later.

It has to be replaced completely, or strengthened with tokens or OTPs at least.

Thank you if you've read this far into this comment.


As a technical tool, two-factor authentication solves the user authentication issue to a degree. However, the whole security system can still be defeated if other areas are attacked. In security games, each tool has its limitations and is useless if not used properly or if no adequate process is in place.


[Full disclosure: this comment refers to technology developed and marketed by my company. However, I think that you will find that we have a serious contribution to make to the strong authentication debate.]
There is another unique authentication technology that you should be aware of. It is based on people's innate ability to recognize familiar faces and has characteristics of two conventional authentication classes: knowledge factors and biometrics. I leave you to judge whether it qualifies as a new class of authentication (we call it cognometric or recognition-based authentication) and as a true second factor or as single factor plus. Please check it out at www.passfaces.com.