Q: What is multifactor authentication?
A: Multifactor authentication uses a combination of two or three different ways to authenticate your identity. The first is what you know, usually a password, but can also include your response to a challenge question, known as Knowledge Based Authentication. The second is what you have. This could be a physical device, for example, a smart card with a chip in it or a hardware token that generates one-time-only passwords. Or it could be some special piece of software installed on your system, though many experts question whether software should count as a second factor. The third is who you are, as indicated by some biometric such as a fingerprint or an iris scan. Almost every multifactor approach uses a password, and then combines this with the second or the third factor or both.
Q: Many European security experts believe that multifactor authentication is essential for securing online consumer applications, but in the United States few banks or other financial institutions use it. Why is this?
A: In Europe the institutional and cultural context is different. Banks were able to issue smart cards [credit cards with embedded computer chips] or other devices to consumers and require their use for the authentication of transactions. One reason there may have been more tolerance for this in Europe is that retail shops there didn't always have access to cheap data lines for online verification of credit card transactions the way they did in the U.S. So naturally there was greater pressure to adopt some kind of offline two-factor solution, such as a device that a retail clerk could use to scan the private code in a smart card and compare it with a PIN typed in by the consumer. Given this context, it was more natural for Europeans to adopt multifactor for consumer Web applications as well.
Q: Do you think American banks and online financial sites will ultimately follow the Europeans in adopting multifactor authentication?
A: Probably not. If the threat model changed dramatically, if there was an exponential explosion in attacks or some devastating new technique, then you might see a shift in attitudes here. But unless and until that happens, the name of the game for online banking and online retail sites in the U.S. will be to do authentication without issuing hardware or software to the consumer. These companies really don't want to be in the business of supporting software or hardware. If the stuff doesn't work or consumers can't figure out how to use it, that creates real problems. So in practice that rules out multifactor in the U.S., except maybe for certain high-value niche applications like high net worth investing or corporate cash management.
Q: Can online applications be made secure without using multifactor authentication?
A: Yes. Actually, the fact that multifactor is usually not an option here in the U.S. has sparked a lot of creative innovation to find solutions that mimic the benefits of multifactor without the constraints. One of the most interesting is called password hardening.