How beneficial are multi-factor authentication schemes?

* We may soon be using passwords plus PINs for authentication

Are passwords passé? A couple of weeks ago, the "Seattle Post-Intelligencer" ran an Associated Press story that described various multi-factor authentication schemes, such as password-plus-biometric and smartcard-plus-password.

<aside> The story I saw in the "Seattle Post-Intelligencer" was headlined "Goodbye simple password, hello PIN-plus: '2-factor ID' system takes worry out of cybertrade." You may have read this same story in a different publication with a different headline. The AP sends out the story, but each publication is free to put its own headline on it. It gives the editor something to do. (My editor, of course, does a lot more than just pick headlines!) </aside>

The gist of the story is that passwords are too "static" for good security. Where 10 years ago we debated how often to require users to change passwords, the feeling now is that for best security a password should be changed each time it's used. Of course, most users wouldn't put up with a system that demanded they change their password each time they authenticated, nor would they be able to remember the password they'd chosen, leading to lots of sticky notes hanging off their monitors with the current password written down.

At the end of the last century, many believed that for authentication passwords would be replaced by tokens or smartcards, carried by users and fed into a reader, or via radio frequency identification tags read by a proximity device. It was quickly realized, though, that a lost or stolen token could be a real security threat. Early biometric experiments were even more fraught with problems. While a lost smartcard could be invalidated and replaced, what could you do when your fingerprint data was compromised - get a new finger?

Today's solution is to combine smartcards/tokens or biometric readings with password protection. The lead paragraph in the AP story describes a system used by a Swedish bank to protect online transactions. From their Web browser, the user enters a unique "username," which in this case is a national ID number, similar to the U.S. Social Security number, and a 4-digit PIN. There's more, though.

Each user is given a small card - like a scratch-off lottery ticket - with 50 covered cells (the user is automatically sent a new card when the old one is almost used up). Scratch the covering off a cell and reveal a code.

Once the ID number and PIN have been entered, the user needs to enter the next code from the scratch-off card. The card itself carries no identification of the user, so if it's lost it can't be compromised. Still, should the card be stolen, the thief presumably would know who it was stolen from and could discover their national ID number and guess at their PIN (one of 10,000 possible numbers). Is that secure enough? Possibly, but there's an important factor that needs to be taken into account, and I'll get deeper into that consideration in the next issue.
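To make the bank's side of this scheme concrete, here is an added example (not the bank's or the column's code) of a server-side check that takes the national ID, the PIN and the next scratch-card code together, consumes each cell once, and flags the account for a new card when the old one is almost used up. The six-digit code format, the reissue point and the three-failure lockout (a mitigation for the 10,000-PIN guessing concern above) are assumptions, not details from the story.

```python
import hashlib
import hmac
import secrets

CARD_CELLS = 50            # one code per covered cell, as the column describes
REISSUE_WHEN_LEFT = 5      # assumed "almost used up" point that triggers a new card
MAX_FAILURES = 3           # assumed lockout: blunts guessing one of 10,000 PINs

def _hash(value: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen database does not reveal PINs or unused codes.
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 20_000)

def issue_card(cells: int = CARD_CELLS) -> list[str]:
    """Constructed stand-in for the printed card: random six-digit codes."""
    return [f"{secrets.randbelow(10**6):06d}" for _ in range(cells)]

class Account:
    def __init__(self, national_id: str, pin: str, card_codes: list[str]):
        self.national_id = national_id            # public identifier, not a secret
        self.salt = secrets.token_bytes(16)
        self.pin_hash = _hash(pin, self.salt)
        self.cells = [_hash(c, self.salt) for c in card_codes]  # store hashes only
        self.next_cell = 0                        # codes must be used in order
        self.failures = 0
        self.locked = False
        self.reissue_due = False

def authenticate(acct: Account, national_id: str, pin: str, code: str) -> str:
    if acct.locked or national_id != acct.national_id:
        return "denied"
    if acct.next_cell >= len(acct.cells):
        return "card_exhausted"
    pin_ok = hmac.compare_digest(_hash(pin, acct.salt), acct.pin_hash)
    code_ok = hmac.compare_digest(_hash(code, acct.salt), acct.cells[acct.next_cell])
    if not (pin_ok and code_ok):
        # The cell is not consumed on failure, so a thief cannot burn the card
        # by submitting junk; the lockout counter bounds PIN guessing instead.
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
            return "locked"
        return "denied"
    acct.failures = 0
    acct.next_cell += 1   # consumed: an observed code cannot be replayed
    if len(acct.cells) - acct.next_cell <= REISSUE_WHEN_LEFT:
        acct.reissue_due = True   # trigger mailing the next card
    return "ok"
```

Because the card holds only the codes and the PIN lives only in the user's head, a stolen card alone yields nothing until the PIN is also known, and the lockout caps how many PIN guesses a thief gets.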
