Last issue we talked about two-factor authentication and I described such a scheme used by a Swedish bank (see link below). The bank requires a user to enter a unique identifier (a national ID number, similar to a U.S. Social Security number), a four-digit PIN, and a one-time code that's revealed by scratching off the covering on one cell of a 50-cell card (similar to a scratch-off lottery ticket). I then posed the question: "Is that secure enough?" which, I believe, can only be answered: "It depends."
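To make the scheme concrete, here is a server-side sketch of that three-part login, written for this column as an added example (it is not the bank's code and nothing about the bank's implementation is known beyond what the paragraph above says). It assumes the server dictates which cell the user scratches next, that a failed attempt does not spend the cell, that the account locks after three failures, and that codes are six characters long; the PBKDF2 round count and the `AuthServer`, `Account` and `login` names are likewise this example's own choices.

```python
"""Server side of a scratch-card one-time-code login: ID number + PIN + card cell.

Added example, not the Swedish bank's code. Assumptions: the server names the next
cell, a failed attempt does not consume it, and three failures lock the account.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

CELLS = 50              # cells on the card, as described in the column
CODE_LEN = 6            # assumption: six-character code printed under each scratch-off
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # no 0/O or 1/I: easier to read off a card
MAX_FAILURES = 3        # assumption: lock the account after three bad attempts
ITERATIONS = 10_000     # PBKDF2 rounds; raise this in production


def _digest(secret: str, salt: bytes) -> bytes:
    """Salted, slow hash so a stolen database yields neither PINs nor unused codes."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)


@dataclass
class Account:
    pin_salt: bytes
    pin_hash: bytes
    card_salt: bytes
    cell_hashes: List[bytes]   # hash of the code printed in each cell, by index
    next_cell: int = 0         # every cell below this index has been spent
    failures: int = 0
    locked: bool = False


class AuthServer:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def enroll(self, national_id: str, pin: str) -> List[str]:
        """Issue a fresh card. The plaintext codes are returned once, for printing
        and mailing; the server keeps only their hashes."""
        codes = ["".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
                 for _ in range(CELLS)]
        pin_salt, card_salt = os.urandom(16), os.urandom(16)
        self.accounts[national_id] = Account(
            pin_salt, _digest(pin, pin_salt), card_salt,
            [_digest(c, card_salt) for c in codes])
        return codes

    def next_cell(self, national_id: str) -> Optional[int]:
        """Cell the user must scratch for the next login, or None if none are left."""
        acct = self.accounts.get(national_id)
        if acct is None or acct.next_cell >= CELLS:
            return None
        return acct.next_cell

    def login(self, national_id: str, pin: str, code: str) -> str:
        """Returns 'ok', 'denied', 'locked' or 'card_exhausted'."""
        acct = self.accounts.get(national_id)
        if acct is None or acct.locked:
            return "denied"   # a real deployment would also burn time here to hide unknown IDs
        if acct.next_cell >= CELLS:
            return "card_exhausted"   # the de-certify-and-replace cost from the column
        # Evaluate both factors before answering: a bad PIN and a bad code take the
        # same time and draw the same reply, so the attacker cannot tell which failed.
        pin_ok = hmac.compare_digest(_digest(pin, acct.pin_salt), acct.pin_hash)
        code_ok = hmac.compare_digest(
            _digest(code.strip().upper(), acct.card_salt),
            acct.cell_hashes[acct.next_cell])
        if pin_ok and code_ok:
            acct.next_cell += 1   # spend the cell: this code can never be replayed
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
            return "locked"
        return "denied"


if __name__ == "__main__":
    server = AuthServer()
    card = server.enroll("19640823-1234", "4711")   # constructed ID and PIN
    print("scratch cell", server.next_cell("19640823-1234"))
    print(server.login("19640823-1234", "4711", card[0]))   # ok
    print(server.login("19640823-1234", "4711", card[0]))   # denied: cell already spent
```

Two details matter for the "It depends" question. Spending the cell on success is what makes a shoulder-surfed or phished code worthless a minute later; refusing to spend it on failure, combined with the lockout, is what stops an attacker who has the PIN from burning through the card by guessing. Both behaviours are assumptions of this example, not something the column establishes about the bank.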
You may recall that not too many weeks ago I prattled on about the themes of "risk assessment" and "risk mitigation" (http://www.nwfusion.com/newsletters/dir/2004/0426id1.html). In that issue, we looked at determining the odds that some "risk" would occur. But the use of multi-factor authentication requires that we expand the risk equation to include what the mitigation itself costs.
In the case of the Swedish bank, the scratch-off card has a number of costs associated with it - printing the card and mailing it to the user as well as administratively associating the codes from the card with that user's identification number.
Much of that process can be automated, so the actual cost might be just a few dollars. The cost to the user is the need to remember where the card is and to protect it from theft and loss. That's harder to quantify monetarily, but shouldn't amount to more than a few dollars either.
Further, though, we need to add the cost of de-certifying and replacing the card should it be lost or stolen. One more expense is the shared cost of advertising and marketing the scheme as a better, more secure way to do online banking, especially compared with banks that offer only single-factor (password alone) authentication.
All told, it might cost between $5 and $10 per user to implement this system and $2 to $5 per user per year to keep it going. Over five years that might amount to $20 or $30 per user. To assess the value of the scheme, we must compare that cost to the value of the assets protected by the scheme. Strictly speaking, the comparison is to the expected loss the scheme prevents (the odds of a compromise times the amount lost), which is why the risk equation matters; the balance itself only sets the ceiling on that loss. In this case, the asset is one or more bank accounts per user, which could hold anywhere from a few dollars up to hundreds of thousands of dollars. Twenty dollars to protect $100,000 is a good deal, but $20 to protect $50?
Unlike the users on your network, the bank's customers can choose to take their business to another financial institution. If another bank is charging $5-$6 per year less in fees (and it's the users who will have to pay for the authentication scheme's costs), then people with fewer assets to protect would be sorely tempted to move their accounts, absent other considerations such as convenience and location.
The bank could mitigate this by amortizing the costs on a percentage basis across accounts - people with a $50 balance pay a nickel while those with a $50,000 balance pay $50. That, in turn, could lead to a loss of big accounts (and an increase in small accounts) for the bank, which would increase their administrative costs for all accounts. Seems like a problem with no end in sight, doesn't it?
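The trade-off in the last three paragraphs can be carried through as a small model, added here as an illustration rather than anything from the column or the bank. The annual odds of an account being drained with and without the second factor (0.5% and 0.05%), the flat $5 fee, the 0.1% percentage fee (the nickel-on-$50, $50-on-$50,000 scheme above), the seven constructed account balances, and the assumption that a rival bank sells the same scheme for a flat $5 are all assumptions of this example; the function names are its own as well.

```python
"""Per-account cost/benefit of the scratch-card second factor, under a flat fee
and under the percentage fee the column proposes.

Added example with made-up numbers; the column gives no probabilities or balances.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Risk:
    p_single: float          # annual odds a password-only account is drained (assumption)
    p_two: float             # the same odds with the scratch-card second factor (assumption)
    loss_fraction: float = 1.0   # share of the balance lost when it happens


def avoided_loss(balance: float, risk: Risk) -> float:
    """Annual expected loss the second factor prevents, for one account: the
    'expanded risk equation' applied per customer."""
    return (risk.p_single - risk.p_two) * risk.loss_fraction * balance


def break_even_balance(fee: float, risk: Risk) -> float:
    """Balance at which a yearly fee exactly equals the expected loss it prevents."""
    return fee / ((risk.p_single - risk.p_two) * risk.loss_fraction)


def percentage_fee(balance: float, rate: float) -> float:
    """The column's alternative: charge each account a fixed fraction of its balance."""
    return rate * balance


def cheapest_option(balance: float, our_fee: float, risk: Risk,
                    rival_two_factor_fee: float) -> str:
    """What a purely cost-minimising customer does: stay, move to a rival selling the
    same scheme at a flat fee, or move to a password-only rival and carry the risk.
    Ties go to staying, standing in for the convenience and location the column cites."""
    options = {
        "stay": our_fee,
        "rival_two_factor": rival_two_factor_fee,
        "rival_password_only": avoided_loss(balance, risk),
    }
    return min(options, key=lambda name: (options[name], name != "stay"))


def retention(balances: List[float], fee_fn: Callable[[float], float], risk: Risk,
              rival_two_factor_fee: float) -> Dict[str, float]:
    """Share of accounts and of deposits the bank keeps, and the fees it collects."""
    kept = [b for b in balances
            if cheapest_option(b, fee_fn(b), risk, rival_two_factor_fee) == "stay"]
    return {
        "accounts_kept": len(kept) / len(balances),
        "balance_kept": sum(kept) / sum(balances),
        "fee_income": sum(fee_fn(b) for b in kept),
    }


# Constructed inputs: seven accounts spanning the column's "few dollars" to "hundreds
# of thousands", and one-in-200 versus one-in-2000 annual odds of being drained.
BALANCES = [50.0, 200.0, 1_000.0, 5_000.0, 20_000.0, 50_000.0, 100_000.0]
RISK = Risk(p_single=0.005, p_two=0.0005)
FLAT_FEE = 5.0          # roughly the $2-$5 per year plus amortised setup
PERCENT_RATE = 0.001    # $0.05 on $50, $50 on $50,000, as in the column
RIVAL_FEE = 5.0         # assumption: a competitor sells the same scheme for a flat $5

if __name__ == "__main__":
    print("break-even balance at a flat $5:", round(break_even_balance(FLAT_FEE, RISK)))
    print("flat fee:", retention(BALANCES, lambda b: FLAT_FEE, RISK, RIVAL_FEE))
    print("0.1% fee:", retention(BALANCES, lambda b: percentage_fee(b, PERCENT_RATE),
                                 RISK, RIVAL_FEE))
```

With these numbers the flat fee loses the three accounts below the $1,111 break-even balance but keeps more than 99% of the deposits, while the percentage fee keeps the same number of accounts and under 4% of the deposits, because every balance above $5,000 is better off at the rival charging a flat $5. That is the "no end in sight" problem in two function calls; changing the assumed odds moves the break-even point but not the shape of the result.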
I don't have the solution to this problem; I'll leave that for those security people whose specialty is risk assessment (and there are such people). I only want to leave you with the thought that authentication schemes have many associated costs, and they all need to be taken into account early in the planning stages.