The Failure of Two-Factor?
I think this article by Bruce Schneier may be mis-titled: it should be "The Failure of Understanding of Two-Factor Authentication", because what it is discussing at its core is that two-factor is not the panacea it has been sold as for the problem of inappropriate authentication (where I gain access to your account or system under your security context, whether you've allowed me to or not). I simply do not buy that Mr. Schneier would believe two-factor authentication is a failure because it forces attackers to find other avenues of attack: by many definitions that is a form of success. At times the best we can hope for is to make their job harder, if only to buy ourselves a little time.
Putting the Club on your car doesn't make it impregnable; it just makes a car thief look at the next car down the block that doesn't have one, and sometimes that's all you want (or are willing to pay for). All we want in this case is that if a company executive reads their web-based email from a Kinko's public workstation that happens to have a keystroke-logging piece of malware on it, what the logger captures is useless to an attacker who later tries to log in to that email account. That is the problem I'm trying to solve with two-factor authentication. I'm not trying to solve phishing or social engineering with it, and I won't even attempt to secure bank account access with it, because that's not what this deployment is designed for.
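As an added example (not code from the original post, and not from Schneier's article), here is a minimal HOTP/TOTP generator (RFC 4226 / RFC 6238) with a server-side verifier that refuses to accept a time step it has already consumed. The shared secret and the login timestamp are constructed for the demonstration. The first scenario is the kiosk keylogger above: the captured code fails ten minutes later (wrong time step) and also five seconds later (same step, already used). The second scenario is the caveat the post itself makes: a phishing page that relays the code to the real server in real time still logs in, which is exactly why this deployment is scoped to the keylogger problem and not to phishing.

```python
# Added example, not from the original post: RFC 4226 HOTP / RFC 6238 TOTP plus a
# server-side verifier, to show why a keylogged one-time code is useless later
# while a real-time phishing relay still succeeds.
import hashlib
import hmac
import struct

STEP_SECONDS = 30          # RFC 6238 default time step
DIGITS = 6                 # code length

# Constructed values for the scenarios below (assumptions, not real credentials).
DEMO_SECRET = b"kiosk-demo-shared-secret"
T0 = 1_700_000_000         # moment the executive logs in from the kiosk


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(now // step))


class TotpVerifier:
    """Server side. Accepts a code for the current step or one step either side
    (clock skew), and never accepts a counter it has already consumed, so a
    captured code is dead even inside its own 30-second window."""

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew_steps = skew_steps
        self.last_counter = -1     # highest counter successfully used so far

    def verify(self, code: str, now: float) -> bool:
        current = int(now // STEP_SECONDS)
        for counter in range(current - self.skew_steps, current + self.skew_steps + 1):
            if counter <= self.last_counter:
                continue           # replay of an already-used step
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


def keylogger_replay_scenario(secret: bytes = DEMO_SECRET, t0: float = T0):
    """The kiosk case from the post: the logger captures the code the executive typed.
    Returns (replayed_ten_minutes_later, replayed_five_seconds_later); both False."""
    server = TotpVerifier(secret)
    captured = totp(secret, t0)                 # what the keylogger sees
    assert server.verify(captured, t0)          # the executive's own login succeeds
    ten_minutes_later = server.verify(captured, t0 + 600)   # wrong time step
    five_seconds_later = server.verify(captured, t0 + 5)    # same step, already consumed
    return ten_minutes_later, five_seconds_later


def realtime_phishing_scenario(secret: bytes = DEMO_SECRET, t0: float = T0) -> bool:
    """The case the post says 2FA is not designed for: a phishing site relays the
    code to the real server within the window. The attacker's login succeeds."""
    server = TotpVerifier(secret)
    phished = totp(secret, t0)                  # victim types it into the fake page
    return server.verify(phished, t0 + 2)       # attacker submits it seconds later


if __name__ == "__main__":
    print("keylogger replay (10 min, 5 s):", keylogger_replay_scenario())
    print("real-time phishing relay:", realtime_phishing_scenario())
```

The `last_counter` check is the part that matters for the kiosk case: without it, a code captured by the logger could still be replayed for up to the remaining seconds of its time step. Nothing in the verifier can tell a relayed code from a legitimate one, which is the limit the post is drawing.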
In a layered security model, and when used with a clear understanding of the scope of the problem it is trying to address, I think two-factor authentication presents a viable and (at least recently) affordable solution to this *specific* problem. It has "failings" only if you try to make it protect the components of the identity transaction that it was never supposed to protect, and for which there are other solutions that, in combination, reduce the total risk to a point where the business benefit is strong enough to make it acceptable.
That last point is central to the discussion in the comments here: no transaction of this sort is completely risk-free and secure. However, removing the ability to do business at all, because I am so paranoid about security that I make the transaction impossible to conduct, is a self-induced Denial of Service with 100% risk potential.