Well done! Tell us all something we don't know. :-p

Most European banks are already using two-factor authentication, be it with SMS, SecurID tokens or the challenge "calculators" in which you insert a smartcard.

Defend Against Email Viruses All at No Cost to You!

This essay will appear in the April issue of Communications of the ACM.

From the EULA of their software:

The point is to reduce the amount of time that a captured password is valid. Since the fob output is typically only valid for a minute, this means that any attacker would either need a very complex automated system or would need to be sitting there waiting for you to log in to your bank, instead of just putting up a keylogger or traffic logger and coming back next week. This significantly raises the bar for an attacker and, for the cost, it is some of the best risk reduction you can get.

As long as this is part of the key, the key will have its faults.

@piglet
The attack is basically what Bruce described. In the case of a Man-in-the-Middle attack, there is basically a proxy/app gateway that presents a fake bank website to the user and acts as a client to the real bank website. This proxy/gateway just passes whatever authentication the user inputs on to the real bank website. Depending on the sophistication of the malicious proxy/gateway, it can then do whatever it wants with the real bank website and present whatever it wants back to the user (user could see web pages that look like they completed a valid transaction, but the proxy/gateway did something completely different with the real bank website). This attack works because the user doesn't properly verify that they are communicating with the real bank website.

I see your point, though, and agree that "two-factor authentication isn't our savior".

Any comments on my two cents!!!

I say Microsoft's CeBIT announcement that they are moving to two-factor authentication is a good sign, as is their move towards leveraging identity technology already deployed:

This is certainly a rather lively discussion!

When I take a step back from this blog entry, what I see is a message that too many companies have built authentication systems on a very weak foundation, so they now must spend a lot of money trying to improve security and win the trust of their customers. But the reality is that they will soon have real choices with regard to stronger authentication, fed by real demand. And I predict that the right combination of investment and demand, based on regulation (self or imposed), will actually lead to innovations and a drop in the amount of fraud and identity theft.

(and this has been a kool discussion ;)

So which is it? Are you just warning everyone against thinking two-factor authentication is some sort of security panacea? Perhaps this is in response to the flurry of comments on your blog regarding remote access to a utility:

3 - Do you have a better idea? Is there any reason you couldn't use this -with- that better idea?

In my personal opinion, given that:

Given these arguments, if I had to make a huge deployment TODAY for an Online Banking site, I wouldn't put my money into it. It simply doesn't pay (!).

The Trojan couldn't succeed because of the need to capture two TANs, not only one.

Peter Iannarelli (and all the other folks :) ),

and I continue: "or let itself in through a vulnerability and grabbed a feature (like hooking the keyboard)". And please, let's not talk about common users doing maintenance. It just isn't real. Either the system is self-healing or, at least, we have to make [the core of] it as stateless as possible. (And one last point: let's try to keep the core and the apps as simple as we can; there are some features that shouldn't be there in the first place, e.g. Browser Helper Objects ?!? Come on...)

You're quoted in an InfoWorld interview of March 11 as saying the following:

Other than that, it'd be rather good :)

Piglet makes a great point about non-"US systems". In another one of your blog comments, we know that China is already deploying USB fobs for bank authentication (according to Paul Chen).