Two-Factor Authentication Could Stem Rising Tide of Identity Theft

By Lisa Vaas  |  Posted 2005-04-15

Washington panelists tout the value of the small, digital token devices that provide users with a random, six-digit code that changes every 60 seconds.

Two-factor authentication may well be the key to stemming the onslaught of identity theft now plaguing businesses and consumers—if you can talk customers into using it, that is. "It's easy to apply two-factor authentication when you have employees [or a government mandate]," said John Carlson, senior director of BITS, a nonprofit organization of financial institutions that focuses on technology and business issues. "But it's a highly different equation when you deal with customers that can choose between different financial institutions." Carlson was part of a panel of vendor, government and business data security experts who convened Friday in Washington at the Center for Strategic and International Studies.
The panel, "Emerging ID Theft Challenges in Cyber-Space: A Discussion of Possible Technology and Policy Solutions," also included Howard Schmidt, former special adviser to the president for cyber-space security; James Lewis, of the Technology Policy Program at the Center for Strategic and International Studies; Joe Raymond, chief architect of Web optimization at E-Trade Financial Corp.; and Art Coviello, president and CEO of RSA Security Inc.
The two-factor authentication to which Carlson referred uses a small, digital token device to provide users with a random, six-digit code that changes every 60 seconds. The user employs this unique code, combined with his or her user ID and password, to access sites such as online banking accounts. Carlson said many representatives of financial institutions are working with regulatory agencies in Washington to assess the effectiveness of identity protection via two-factor authentication, but customer acceptance is the deal-breaker.
E-Trade's Raymond told a different tale about the technology, however. E-Trade in March announced an optional two-factor security scheme for its U.S.-based retail customers. Upon piloting the two-factor authentication, which will be available sometime this quarter, E-Trade found that customers actually welcomed the more-involved scheme, reflecting a perception that their private data was being more carefully shepherded.
"We found that, in a lot of ways, digital security identification enforces the perception we like to put out there," Raymond said. "Almost all customers responded that E-Trade has customers' interest in mind."
E-Trade's program, however, is available only to customers with $50,000 or more in combined E-Trade assets—hardly an all-inclusive solution for the entire population of potential identity-theft victims.
A broader solution must include more law enforcement personnel, as opposed to new laws, said Schmidt, former czar of the president's Cyber-Space Security initiative. He was one of a number of panelists who decried a "patchwork" of proposed legislation that's being flung out in what they portrayed as a knee-jerk response to recent data breaches, including breaches at data brokers ChoicePoint and LexisNexis.
For example, Sen. Dianne Feinstein (D-Calif.) on Monday proposed a toughened-up version of her ID Theft Notification bill that would close loopholes in California's current notification law, SB 1386.
In addition, legislation has been proposed by Sen. Bill Nelson (D-Fla.) and Rep. Edward Markey (D-Mass.) to regulate data brokers.
"For the most part, I think that over the past 10 years, we've done a very good job of defining criminal law with regards to cyber-security," Schmidt said. "But we don't have the resources, it's just that simple. We have to do what we can to reduce the number of victims, which then gives law enforcement" the ability to tackle a reduced number of identity-theft incidents, he said.
Two-factor authentication is a potential solution for reducing the number of victims, Schmidt said, pointing to the security device he sports on a keychain. But the crucial question is whether we, as a society, want to have a necklace of security devices for a chain of unfederated services, such as making retail purchases and accessing banking services, or whether we trust government to aggregate our data in order to issue credentials.
Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
