The Need for More Complicated Authentication Methods

Sue Marquette Poremba

Yesterday, I wrote that, in my opinion, we reached the saturation point in what we can remember when it comes to passwords. In response, I got an email telling me about mSeven Software's survey on password management habits, which indicated that I was pretty spot on about my assessment. The survey revealed that 70 percent of users rely on their brain power to retain all the passwords they must use, while 75 percent indicate they access at least 10 secured websites.

Count me in that 75 percent who access at least 10 websites that require a password (it’s a lot more than 10, I can assure you). If the average person is like me, for the sites I access every day or at least on a regular basis, the passwords fly off my fingers without much thought. But sites that I visit once a month or less? I can totally understand why people turn to a simple password or repeat passwords over a number of sites — I used to do it myself. It is just a lot easier for an overtaxed brain.

In fact, just thinking about all of these passwords is giving me a headache. It’s why I think that Dropbox is on the right path with two-factor authentication. As Peter Tapling, founder and president of Authentify, told me, the problem with a password-based system is that a password is a single authentication factor. It is something that can be guessed or electronically cracked. You can make passwords stronger, but most exploits today are a result of intercepting the password.

Out-of-band authentication using a two-factor system might be the best bet right now for network security. Out-of-band authentication refers to authenticating a user (or a communication) via a separate communication channel from the channel being used for the primary contact, Tapling said, and it is a system that has its origins back in ancient times. He explained:

A simple example: in the age of the Roman Empire, military messages were encoded and sent by courier. The code with which to decipher the message was sent by separate courier over a separate route. If the courier with the message was captured, the message was of no value because the courier didn’t have the ability to decipher it. If the courier with the code was captured, they didn’t have the message. You needed BOTH couriers to arrive by separate routes for the message to be used.

My bank has a variation of this when it is assigning you a login and initial password for its online banking system, with the login user ID coming in one mailing and the password arriving in a separate mail several days later. It’s not necessarily convenient but it is more secure. Now, obviously, this system isn’t going to work for a site that you need to access on a regular basis. You can’t stop work until the courier shows up with the second authentication code.

Authentify relies on telephone messages that are synchronized to an online user’s session. Tapling told me:

The user must provide information to both the phone AND online session. The receipt of the appropriate information is validated at secure servers in the background. The use of the telephone as the out-of-band channel is effective because unlike Internet browser sessions, it is difficult to automate the attacks against a user’s telephone.
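To make the server-side half of that exchange concrete, here is an added example (my own illustration, not Authentify's code or anything the article describes in detail). It assumes a hypothetical `send_code` callback standing in for the telephone channel, a 6-digit code, a two-minute lifetime and a three-guess limit; those parameters are assumptions, not figures from the article. The point it shows is that the online session never learns the code from the web channel: the server stores only a hash of what went out over the phone, compares in constant time, and consumes the challenge on success, on expiry, or after too many wrong guesses.

```python
"""Out-of-band second factor: a code goes out over a separate channel
(stand-in for the telephone) and must be presented back in the online
session before that session counts as authenticated."""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 120   # assumption: the code lives for two minutes
MAX_ATTEMPTS = 3         # assumption: three wrong guesses burn the code


class OutOfBandVerifier:
    def __init__(self, send_code, clock=time.time):
        # send_code(destination, code) delivers over the separate channel
        # (hypothetical callback); clock is injectable so expiry is testable.
        self._send_code = send_code
        self._clock = clock
        self._pending = {}   # session_id -> {"digest", "expires_at", "attempts"}

    def start(self, session_id, destination):
        """Open a challenge for an online session: mint a fresh 6-digit code,
        keep only its hash, and push the code out of band."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[session_id] = {
            "digest": hashlib.sha256(code.encode()).digest(),
            "expires_at": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self._send_code(destination, code)

    def verify(self, session_id, submitted):
        """Return True exactly once if the session presents the code that went
        out over the other channel; the challenge is consumed on success,
        on expiry, and after MAX_ATTEMPTS wrong guesses."""
        entry = self._pending.get(session_id)
        if entry is None:
            return False
        if self._clock() > entry["expires_at"]:
            del self._pending[session_id]          # stale code, discard it
            return False
        entry["attempts"] += 1
        candidate = hashlib.sha256(submitted.encode()).digest()
        if hmac.compare_digest(candidate, entry["digest"]):
            del self._pending[session_id]          # single use
            return True
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[session_id]          # no further guesses
        return False


def demo():
    """Run one full exchange with a constructed phone stand-in."""
    delivered = {}

    def fake_phone(destination, code):
        delivered[destination] = code              # constructed channel

    verifier = OutOfBandVerifier(fake_phone)
    verifier.start("session-1", "+1-555-0100")     # constructed sample number
    # The browser session now submits what the user read off the phone.
    return verifier.verify("session-1", delivered["+1-555-0100"])


if __name__ == "__main__":
    print("authenticated:", demo())
```

In a real deployment the `send_code` callback would be the voice or SMS gateway, and the session identifier would be bound to the already-established web session so that a code cannot be redeemed from a different browser than the one that requested it.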

There are other options for out-of-band, two-factor authentication, of course, including the option that I think is going to be commonplace within the decade: biometrics.

Is all of this overkill in order to access every site you visit? Probably. But for truly secure sites online or to access secure documents within the network, something more is definitely needed. The password as we know it today is too vulnerable.

Dec 7, 2012 4:44 AM, Robert Robert says:
I think it’s correct to assume that we’ve moved way past the stage when single-factor authentication or the username-password verification system was enough. Online fraudsters are becoming bolder and more sophisticated by the day and it’s not difficult for them to crack passwords any more. Add to that the typical password habits of users, and their job only becomes easier. Safe to say, two-factor authentication is the need of the hour for online merchants as well as users. For online merchants, it offers protection against fraudulent transactions and for users, it means safeguarding against identity theft!
