Bruce Schneier recently wrote an essay on two-factor authentication. It's generated a bit of a storm, but it seems to be because people didn't read for content.
Two-factor authentication is a way of making passwords more secure. You have your usual password, which should be hard to guess, but it's getting to the point where it doesn't matter anymore. Computers have enough power to guess any reasonable password, and quite a few unreasonable ones. (Though I'm still a bit peeved that ATM PIN codes are limited to four digits for so many systems. It's bad enough that they're all numeric.)
Two-factor authentication means that you have two keys that you need before logging in to a system. You log in with your password, and then you have to feed in a key that changes every time it's used. One approach was a SecureID card, which displayed a number which changed every minute. A random number generator with a unique seed for each customer will generate a nice, hard to predict, string of numbers. The mainframe had a copy of the card (well, more likely, of the equation) and only let the user in if the numbers matched. (Sometimes I got bounced back out because the number changed between the time I typed it in and the time I hit the "enter" key. Oh well. Take II.)
This meant the user had to have physical possession of the card in order to log on to the mainframe.
This solves the problem of losing control of a password. It does not solve more sophisticated attacks, including phishing schemes where the website echoes the password (any and all pieces) to the website being imitated, in effect bypassing the password altogether. (Hence, bypassword.)
It can't.
You can spend as much time, effort, and money as you like on a security approach, but if you're not addressing where the security hole really is, you've wasted all your resources. And indeed, you may well have made things worse, having convinced people that Something Has Been Done, and therefore they need not be as careful as before.
No comments:
Post a Comment