Bruce Schneier, a highly respected security expert, recently wrote an essay titled "The Failure of Two-Factor Authentication." Schneiers article has stimulated a lively debate in the banking IT security community. Although Schneier raises valid issues that are of serious concern to my company customers, I wouldnt characterize two-factor authentication as a failure.
Traditional fixed passwords represent a serious, growing vulnerability for many organizations because they can be stolen easily and used repeatedly. Two-factor authentication is far more secure than traditional passwords because it requires two factors: typically a PIN and a device such as a hardware token, which together generate a unique one-time-only passcode. This foils password theft because, as Schneier rightly states, "An intercepted password wont be good the next time its needed." Thousands of security-conscious companies and government agencies have been using two-factor authentication successfully for almost two decades to thwart password thieves.
We agree with Schneier that no security system is foolproof. He said two-factor authentication may still be vulnerable to man-in-the-middle attacks or Trojan attacks, but most of todays phishing scams prey on easy targets, with mass attacks designed to harvest many user names and passwords. Raising the security bar with two-factor authentication will likely cause attackers to look for softer targets.
No security tool eliminates all vulnerabilities, and organizations must continue deploying multiple solutions against a range of threats. Nothing can replace user education. Just as password policies can be undermined by a simple Post-it Note, users must be aware of the risks of being careless with identity credentials. Most people wouldnt give their ATM PIN to a stranger; the same mentality must apply to computer security.
Two-factor authentication will play a critical, expanding role in cyber-security. Large enterprises will continue to use two-factor authentication as they allow remote access to networks and applications. Although we believe two-factor authentication coupled with user education is integral to identity solutions for consumer markets, we are focusing R&D on new technologies that can guard connections and validate transactions.
Every security solution has weaknesses, but that shouldnt be used as an excuse for not deploying the best security solutions available. Adopting two-factor authentication and educating users to never provide passcodes via e-mail would go a long way to mitigating phishing attacks. As a recent report by industry analyst Forrester Research concluded, "Although its not a panacea to thwart identity theft and online fraud, strong [two-factor] authentication is the best solution available today."
John McNulty is CEO of Secure Computing Corp., a vendor of security and anti-spam products, including two-factor authentication products. Free Spectrum is a forum for the IT community and welcomes contributions. Send submissions to firstname.lastname@example.org.