With E*Trade Financial and Bank of America, among others, eyeing two-factor authentication tokens as a way for their retail customers to log into online accounts instead of with simple passwords, expectations are high that this stronger form of authentication will beat the fraudsters who use phishing and trojans to hijack accounts. However, security expert Bruce Schneier is skeptical, arguing that this decades-old technology is a solid approach for local log-in to corporate networks, “but it won’t work for remote authentication over the Internet."
Schneier, an encryption expert and chief technology officer at Counterpane Internet Security, says flatly, “Two-factor authentication isn’t our savior. It won’t defend against phishing. It’s not going to secure online accounts from fraudulent transactions."
These arguments, put forth in his essay “Two-Factor Authentication: Too Little, Too Late," can be found at his weblog, and will also be published in the April issue of “Communications of the ACM."
In his essay, Schneier argues that two-factor authentication “solves the security problems we had 10 years ago, not the security problems we have today," most pointedly phishing and trojans secretly installed on the victim’s desktop to steal personal information.
Against trojans and phishing scams, two-factor authentication -- which improves on static passwords by adding a dynamic password, generated by a token, that changes every minute or so -- presents an incomplete defense, Schneier contends.
Schneier points to the so-called “man-in-the-middle attack," in which an attacker puts up a fake bank Web site and entices the user to type in his password and his current one-time code. Because that code stays valid for a minute or so, the attacker can relay it to the bank’s real Web site within that window and log in as the user; the token proves only that the code is current, not who is submitting it. In the case of the trojan secretly installed on the desktop, the attacker piggybacks on the log-in session after the user has authenticated with the token: the two-factor check happens once, at log-in, and the transactions that follow in that session are not separately verified.
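To make the two attacks concrete, here is an added simulation that is not part of the article or of any vendor’s product. It assumes a TOTP-style token (HMAC-SHA1 over a 30-second time counter, the RFC 4226/6238 construction) and a toy bank that checks the password and code once at log-in and then trusts the session for transfers. The seed, password, account names and time value are constructed for the demo. The relay succeeds because the attacker forwards the victim’s code inside its validity window; the trojan succeeds because the stolen session id, not the token, is what authorizes the transfer. A stale code replayed after the window is the one case the token does stop.

```python
import hashlib
import hmac
import secrets
import struct

STEP = 30  # seconds per code window (assumed token parameter)

# Constructed demo values: RFC 4226 test seed, not a real customer's token.
SECRET = b"12345678901234567890"
PASSWORD = "hunter2"
NOW = 30 * 56_666_667  # an arbitrary instant aligned to the start of a window


def totp(secret: bytes, t: int, step: int = STEP, digits: int = 6) -> str:
    """Time-based one-time code: HOTP (RFC 4226) over counter = t // step."""
    counter = struct.pack(">Q", t // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Bank:
    """Toy online bank: two-factor check at log-in, session cookie afterwards."""

    def __init__(self, secret: bytes, password: str) -> None:
        self.secret = secret
        self.password = password
        self.sessions: dict[str, str] = {}
        self.used_codes: set[tuple[int, str]] = set()
        self.transfers: list[tuple[str, str, int]] = []

    def login(self, password: str, code: str, now: int):
        """Accept the code only if it matches the current window and was not used before."""
        if password != self.password or code != totp(self.secret, now):
            return None
        window = now // STEP
        if (window, code) in self.used_codes:
            return None  # replay inside the same window is refused
        self.used_codes.add((window, code))
        sid = secrets.token_hex(8)
        self.sessions[sid] = "alice"
        return sid

    def transfer(self, sid: str, to: str, amount: int) -> bool:
        """No second factor here: whoever holds the session id can move money."""
        if sid not in self.sessions:
            return False
        self.transfers.append((self.sessions[sid], to, amount))
        return True


def phishing_relay(now: int = NOW) -> bool:
    """Victim types password and code into a fake site; attacker relays them 5 s later."""
    bank = Bank(SECRET, PASSWORD)
    typed_code = totp(SECRET, now)          # captured by the fake site
    sid = bank.login(PASSWORD, typed_code, now + 5)  # same 30 s window, real site accepts
    return sid is not None and bank.transfer(sid, "mule", 5000)


def stale_replay(now: int = NOW) -> bool:
    """Attacker waits a full window before using the captured code: refused."""
    bank = Bank(SECRET, PASSWORD)
    typed_code = totp(SECRET, now)
    return bank.login(PASSWORD, typed_code, now + 60) is not None


def trojan_hijack(now: int = NOW) -> bool:
    """Victim logs in legitimately; malware on the desktop reuses the live session."""
    bank = Bank(SECRET, PASSWORD)
    sid = bank.login(PASSWORD, totp(SECRET, now), now)
    stolen_sid = sid  # read from the browser by the trojan after log-in
    return bank.transfer(stolen_sid, "mule", 5000)


def run_scenarios() -> dict[str, bool]:
    return {
        "relay": phishing_relay(),
        "stale_code": stale_replay(),
        "trojan": trojan_hijack(),
    }


if __name__ == "__main__":
    for name, fraud_succeeded in run_scenarios().items():
        print(f"{name}: fraudulent transfer {'succeeded' if fraud_succeeded else 'blocked'}")
```

The `used_codes` check shows why a one-time code is better than a static password (the same code cannot be submitted twice) and also why that is not enough: nothing in `login` ties the code to the endpoint that originally typed it, and nothing in `transfer` re-checks the token at all.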
Despite his contrarian view, Schneier does acknowledge that use of two-factor authentication tokens among online accountholders may bring about a “significant drop in fraud for a while as attackers move to easier targets."
But he predicts that over time there will only be a small drop in the amount of fraud and identity theft because attackers will refine their methods to cope with two-factor authentication if it’s widely deployed for consumer online accounts.
When I asked Schneier what workable alternatives he sees, he replied, “The problem is fraudulent transactions. Think about credit cards. As long as fraud was the responsibility of the cardholder, the credit-card companies never bothered improving security. But as soon as fraud was their problem -- cardholders only had a $50 liability -- they did a lot to improve security. And they never worried about how well the cards were stored in the users’ wallets; they concentrated on fraud detection in their own databases. As soon as we make financial institutions liable for on-line fraud, they’ll figure out how to manage the risk."
The Federal Deposit Insurance Corp., a U.S. banking regulator, last December also expressed hope that financial institutions would improve their online fraud detection techniques.
Last week, some two-factor authentication token vendors took umbrage at Schneier’s essay.
Vasco Data Security, which makes the Digipass token product, responded with a written statement headlined “Vasco’s Digipass effective tool against man-in-the-middle attacks."
In its statement, Vasco argues that two-factor authentication makes phishing “more difficult" because the fraudster “has to concentrate on only one account instead of sending out a 100,000-plus e-mail blast and waiting until its victim, using static passwords, eats the bait." Vasco also says its technology has a “host authentication" mechanism that ensures the user “knows he’s talking to the real bank site. This means the user’s password can’t be misused by a fraudster hiding behind a Web site."
“We disagree with Bruce Schneier on his opinion about two-factor authentication," says a Vasco spokesman.
What about others? If you have a strong two-factor opinion, let me know by writing to emessmer@nww.com.