
What is it? And will it make our identities more secure?
Published: 24 October 2005 17:55 BST
Two-factor authentication? What's that?
Well that's a question more and more people are asking at the moment as they hear about their bank adopting this relatively new way of authenticating who you are.
But I know who I am...
That's good to hear. And how do you prove who you are when accessing your bank or another secure environment such as your computer on the office network?
Well I use my password.
Which is?
pA55w0rd
Exactly. The problem here is that people aren't the best at choosing or protecting their passwords. Too often they go for easily guessable names or words, or something so complicated they end up having to write it down. Instead, companies are now looking at solutions such as two-factor authentication, which typically involves single-use multi-digit numerical codes that complement the existing username, password or PIN.
Sounds even more complicated...
This is where technology comes in. Many companies developing solutions in this space are providing secure tokens – little gizmos, if you like, no bigger than a key-fob – which generate the random numbers for you. They're good for about as long as it takes to log in - say 60 seconds - and then they're done and dusted.
What are the benefits?
Single-use random numbers are far more secure than traditional static passwords (which admittedly aren't hard to beat). They work by creating a reliance upon something the user knows, such as their username, and something they have, in this case the token that generates the six- or seven-digit number – which is far more reliable than a password written on a Post-it note.
Sounds great...
And many would agree with you – certainly among enterprise, small office and home users. But there are some fierce critics out there when the debate moves on to the banking industry where this is being presented as a bit of a 'silver bullet' for identity theft.
Opposition? Why so?
On one level there is a 'fear of change' which dogs any kind of new service or technology and that is perhaps the least concerning for banks and vendors. But many users also fear, perhaps with some justification, that banks will use this service to further distance themselves from liability in the event of losses.
But won't this method stop losses occurring in the first place?
That's the idea but not everybody is convinced.
Respected security guru Bruce Schneier wrote an essay on the problem which begins positively for advocates of two-factor authentication. "If your password includes a number that changes every minute then it's harder for someone else to intercept," he wrote.
However, Schneier argues that this is merely addressing a problem of at least two decades' standing and not the current issues of identity theft because "the nature of attacks has changed over those two decades".
In what way? Why won't these gizmos keep us safe?
Schneier outlines a 'man in the middle attack' which will simply see the phishers set up dummy websites to intercept single-use passcodes in the same way they used to solicit usernames and passwords. Schneier also argues that attackers will simply lurk on users' machines - accessing via a Trojan (or backdoor vulnerability) - until the user has authenticated and then 'piggyback' into a secure session with that user.
So the criminals just change tactics?
That's certainly the suggestion, but it will be more difficult and they will be forced to think beyond engineering our crude passwords out of us. Even if they get hold of a single-use password, time is against them. It is worth noting as well that Schneier does point out that two-factor authentication is more secure than the good old-fashioned passwords we all know and love.
So it's better...
...but not perfect. Indeed, it's still early days - Lloyds TSB recently became the first UK bank to announce the rollout of two-factor authentication for retail customers. Others such as Coutts already use it for some 'high-net-worth' customers, but only once it's widespread in the mainstream will we know its true impact and better understand its effect on online banking and customer satisfaction.
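To make the token mechanics concrete (the key-fob code that lives for about 60 seconds, and the "time is against them" point about a captured code), here is an added illustration, not code from the article or from any bank or token vendor. It uses the HMAC-over-time-step construction later standardised as TOTP (RFC 6238) with a constructed demo secret, and shows the server side rejecting both expired codes and replays of a code that has already been spent.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret: a real token holds its own secret, provisioned by
# the bank and never leaving the device.
DEMO_SECRET = b"demo-token-secret-not-for-real-use"
STEP_SECONDS = 60   # the article's "say 60 seconds" validity window
DIGITS = 6          # the article's "six or seven digit number"


def token_code(secret, now, step=STEP_SECONDS, digits=DIGITS):
    """Code the key-fob would display for the time step containing `now`.

    HMAC-SHA1 over the step counter, dynamically truncated to `digits`
    decimal digits (the TOTP construction; assumed here, not on the page).
    """
    counter = int(now) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Server side: accept a code only inside its time window, and only once."""

    def __init__(self, secret, step=STEP_SECONDS, skew_steps=1):
        self.secret = secret
        self.step = step
        self.skew_steps = skew_steps   # tolerate clock drift of +/- one step
        self.used_counters = set()     # single-use: remember accepted steps

    def verify(self, code, now):
        current = int(now) // self.step
        for counter in range(current - self.skew_steps, current + self.skew_steps + 1):
            if counter in self.used_counters:
                continue               # replay of an already-spent code
            expected = token_code(self.secret, counter * self.step, self.step)
            if hmac.compare_digest(expected, code):
                self.used_counters.add(counter)
                return True
        return False                   # wrong secret, expired, or replayed


if __name__ == "__main__":
    now = time.time()
    print("token shows:", token_code(DEMO_SECRET, now))
```

A phisher who captures a code therefore has at most the remainder of the current step plus the drift allowance to use it, and a code the genuine user has already submitted is refused outright.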