Two-Factor Authentication Could Stem Rising Tide of Identity Theft

Washington panelists tout the value of the small, digital token devices that provide users with a random, six-digit code that changes every 60 seconds.

Two-factor authentication may well be the key to stemming the onslaught of identity theft now plaguing businesses and consumers—if you can talk customers into using it, that is.

"It's easy to apply two-factor authentication when you have employees [or a government mandate]," said John Carlson, senior director of BITS, a nonprofit organization of financial institutions that focuses on technology and business issues. "But it's a highly different equation when you deal with customers that can choose between different financial institutions."

Carlson was part of a panel of vendor, government and business data security experts who convened Friday in Washington at the Center for Strategic and International Studies.

The panel, "Emerging ID Theft Challenges in Cyber-Space: A Discussion of Possible Technology and Policy Solutions," also included Howard Schmidt, former special adviser to the president for cyber-space security; James Lewis, of the Technology Policy Program at the Center for Strategic and International Studies; Joe Raymond, chief architect of Web optimization at E-Trade Financial Corp.; and Art Coviello, president and CEO of RSA Security Inc.

The two-factor authentication to which Carlson referred uses a small, digital token device to provide users with a random, six-digit code that changes every 60 seconds. The user employs this unique code, combined with his or her user ID and password, to access sites such as online banking accounts.
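The following Python is an added illustration, not code from the article or from any company on the panel, of how such a time-synchronised token and the server's check of both factors fit together. It assumes an HMAC-based construction with a 60-second step and six digits (the RFC 4226 / RFC 6238 style); RSA's own SecurID algorithm is not reproduced, and the seed, account record and timestamps are constructed sample values.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the token described above rotates its code every 60 seconds
DIGITS = 6          # and shows a six-digit code


def time_step(unix_time: int) -> int:
    """Index of the 60-second window that unix_time falls into."""
    return unix_time // STEP_SECONDS


def token_code(seed: bytes, step: int) -> str:
    """Code displayed for one window: HMAC-SHA1 over the window index,
    dynamically truncated to six digits (RFC 4226 / RFC 6238 style).
    Assumption: an illustrative construction, not RSA SecurID's algorithm."""
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** DIGITS).zfill(DIGITS)


def verify_login(accounts: dict, user_id: str, password: str, code: str,
                 now: int, window: int = 1) -> bool:
    """Server-side check of both factors.

    Both the password and the code must match. The code is accepted for the
    current window or one window either side (clock drift between token and
    server), and a window is never accepted twice, so a code captured from
    the display cannot be replayed while it is still showing.
    """
    acct = accounts.get(user_id)
    if acct is None:
        return False
    # Constructed sample stores a plain password for brevity; a real service
    # would store a salted password hash and compare against that instead.
    if not hmac.compare_digest(acct["password"], password):
        return False
    current = time_step(now)
    for step in range(current - window, current + window + 1):
        if step <= acct["last_step"]:
            continue  # this window (or an older one) was already used
        if hmac.compare_digest(token_code(acct["seed"], step), code):
            acct["last_step"] = step
            return True
    return False
```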

Carlson said many representatives of financial institutions are working with regulatory agencies in Washington to assess the effectiveness of identity protection via two-factor authentication, but customer acceptance is the deal-breaker.

E-Trade's Raymond told a different tale about the technology, however. E-Trade in March announced an optional two-factor security scheme for its U.S.-based retail customers.

Upon piloting the two-factor authentication, which will be available sometime this quarter, E-Trade found that customers actually welcomed the more-involved scheme, reflecting a perception that their private data was being more carefully shepherded. "We found that, in a lot of ways, digital security identification enforces the perception we like to put out there," Raymond said. "Almost all customers responded that E-Trade has customers' interest in mind."

E-Trade's program, however, is available only to customers with $50,000 or more in combined E-Trade assets—hardly an all-inclusive solution for the entire population of potential identity-theft victims.

A broader solution must include more law enforcement personnel, as opposed to new laws, said Schmidt, former czar of the president's Cyber-Space Security initiative. He was one of a number of panelists who decried a "patchwork" of proposed legislation that's being flung out in what they portrayed as a knee-jerk response to recent data breaches, including breaches at data brokers ChoicePoint and LexisNexis.

For example, Sen. Dianne Feinstein (D-Calif.) on Monday proposed a toughened-up version of her ID Theft Notification bill that would close loopholes in California's current notification law, SB 1386.

In addition, legislation has been proposed by Sen. Bill Nelson (D-Fla.) and Rep. Edward Markey (D-Mass.) to regulate data brokers.

"For the most part, I think that over the past 10 years, we've done a very good job of defining criminal law with regards to cyber-security," Schmidt said. "But we don't have the resources, it's just that simple. We have to do what we can to reduce the number of victims, which then gives law enforcement" the ability to tackle a reduced number of identity-theft incidents, he said.

Two-factor authentication is a potential solution for reducing the number of victims, Schmidt said, pointing to the security device he sports on a keychain. But the crucial question, he said, is whether we as a society want to carry a necklace of security devices for a chain of unfederated services (retail purchases, banking services and so on), or whether we trust government to aggregate our data in order to issue credentials.

