Ryan Singel from Wired News:: writes a fair analysis and roundup of technologies represented at the recent RSA security conference. Even though the term "two factor" authentication has been circulating the industry in application to minimum security products like Passmark it continues to amaze me that no one has stopped to think that displaying a graphic on a web page is really not a legitimate second factor to a username and password.
Also the comment repeated in the article that PGP''s Callas' "likes PassMark Security's solution, which examines the device a user logs in from, looking for a number of factors including IP address and a secure cookie or Flash object the bank has previously stored on the machine".
The technology is clearly not a legitimate two way strong authentication system worthy of being termed a "second factor". It's more like one-and-a-half-factors which will get banks and consumers in hot water sooner than later.
The article went on to point out that dongles, smart cards and SMS based one time passwords are gaining ground, that all of them suffer from long and expensive implimentation cycles and significant per consumer costs. As the inventor of machine authentication I am biased but the point is clear, something easier to impliment than adding a piece of hardware or a smart card to every PC and stronger than a browser graphic display is needed to help protect bankers of the future.
Also the comment repeated in the article that PGP''s Callas' "likes PassMark Security's solution, which examines the device a user logs in from, looking for a number of factors including IP address and a secure cookie or Flash object the bank has previously stored on the machine".
The technology is clearly not a legitimate two way strong authentication system worthy of being termed a "second factor". It's more like one-and-a-half-factors which will get banks and consumers in hot water sooner than later.
The article went on to point out that dongles, smart cards and SMS based one time passwords are gaining ground, that all of them suffer from long and expensive implimentation cycles and significant per consumer costs. As the inventor of machine authentication I am biased but the point is clear, something easier to impliment than adding a piece of hardware or a smart card to every PC and stronger than a browser graphic display is needed to help protect bankers of the future.
Comments
Post a Comment
Please feel free to contribute. Comments are moderated for fairness and language.