Is two-factor authentication too little, too late? No!

Two security experts debate whether two-factor authentication can handle today's network attacks.

Every day, two-factor authentication - ATM-style identification combining the use of something you know (a password) with something you have (a token) - proves itself to be an essential part of broad-based information security systems, mitigating multiple threats, and protecting identities and information assets. While never claiming to be information security's silver bullet, strong two-factor authentication plays a crucial role in protecting vital data.

In the fight against Internet crime, the static password is the user's worst enemy. Two-factor authentication eliminates the risk of most phishing attacks, which rely on the mass harvesting of identity and account information for "replay" later. Two-factor authentication also prevents user impersonation through guessed passwords or with passwords harvested from other sites - a prominent issue today as users struggle to manage multiple passwords across various online accounts. To suggest that two-factor authentication is useless because it doesn't directly prevent real-time man-in-the-middle attacks - in which the attacker sets up a fake Web site to which he lures users who then unwittingly enter their personal information - implies there is a fix-all solution that will solve the problem.

Users need a convenient, reliable way of recognizing when it's safe to provide a credential to an application, and of verifying that the application is authentic. Along these lines, RSA Security has been exploring new ways in which the browser and operating system interfaces for user authentication can be strengthened. We are working with other leaders in the industry to raise the standard for authentication interfaces and, in particular, the protocols for authentication exchanges with Web sites. These improvements, along with protections against various forms of malware, will go a long way toward addressing the legitimate concerns raised by man-in-the-middle attacks. More importantly, they will help to ensure ongoing consumer confidence in e-commerce.

Strong two-factor authentication has proven itself to be a highly effective means of protecting corporations and individuals from a multitude of cybercrimes, in both business-to-business and consumer applications. In conjunction with the other developments outlined above, two-factor authentication is more necessary today than ever - the reason why organizations such as the National Institute of Standards and Technology, the Federal Deposit Insurance Corp. and Microsoft have identified it as the way forward. The idea that it does nothing to protect against identity theft is not just incorrect - it's recklessly defeatist. Like a doom-merchant advocating there is no point in locking your front door if you live in a war zone, detractors are missing the obvious point that there are dozens of threats out there - and no one solution will prevent them all.

Let's work together to ensure the promise of trustworthy online commerce - and direct our strongest response at those who are capitalizing on current security weaknesses, rather than those who are investing in fixing them.

Uniejewski is CTO and senior vice president of corporate development at RSA . He can be reached at

Copyright © 2005 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022