It's common sense that moving from single- to two-factor security will cut down on all levels of online theft. In some cases, however, such solutions have proven not to be user-friendly. For instance, an often-used second factor, biometrics -- use of some element of the person's physical being to prove who he or she is -- can involve retinal scans and other approaches that make folks uncomfortable. In other cases, two-factor is stymied by people having trouble remembering personal identification numbers (PINs) and passwords. Finally, these technologies can be expensive.
The bottom line is that simplification will make two-factor identification more viable. An English company has come up with a clever way to accomplish this. ITPro explains that the approach is driven by the user. He or she chooses a particular shape on a grid, such as a square.
Another initiative to simplify two-factor authentication also is coming out of the U.K. HSBC, according to ComputerWeekly, determined that current two-factor systems are not customer-friendly enough. The answer is simplicity itself: When a person seeks to make a payment, a pop-up with a PIN appears and asks the consumer for his or her preferred telephone number. The bank then calls and asks for the PIN. As of early September, the system had yet to be tested with consumers, the story says.
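The pop-up PIN and call-back flow described above can be modeled in a few lines. This is an added example, not HSBC's code or anything from the ComputerWeekly story; the PIN length, lifetime, attempt limit, class name and sample values are all assumptions chosen for illustration.

```python
import hmac
import secrets
import time

PIN_DIGITS = 6          # assumption: not stated in the article
PIN_TTL_SECONDS = 120   # assumption: how long the pop-up PIN stays valid
MAX_ATTEMPTS = 3        # assumption: wrong answers allowed during the call


class CallbackChallenge:
    """One PIN challenge bound to a single payment (hypothetical model)."""

    def __init__(self, payment_id, phone_number, now=None):
        self.payment_id = payment_id
        self.phone_number = phone_number  # number the customer asked to be called on
        # secrets, not random: the PIN shown in the pop-up must be unpredictable.
        self.pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
        self.expires_at = (time.time() if now is None else now) + PIN_TTL_SECONDS
        self.attempts_left = MAX_ATTEMPTS
        self.used = False

    def verify(self, payment_id, keyed_pin, now=None):
        """True only for the first correct, in-time answer for this payment."""
        now = time.time() if now is None else now
        if self.used or now > self.expires_at or self.attempts_left <= 0:
            return False
        if payment_id != self.payment_id:
            return False  # a PIN issued for one payment never approves another
        self.attempts_left -= 1
        # Constant-time comparison avoids leaking how many digits matched.
        ok = hmac.compare_digest(keyed_pin.encode(), self.pin.encode())
        if ok:
            self.used = True  # single use: a replayed PIN is rejected
        return ok


def demo():
    # Constructed sample values; the number is in a range reserved for fiction.
    ch = CallbackChallenge("pay-001", "+44 20 7946 0000", now=1000.0)
    wrong = ch.pin[:-1] + str((int(ch.pin[-1]) + 1) % 10)
    return [
        ch.verify("pay-001", wrong, now=1010.0),   # wrong PIN keyed on the call
        ch.verify("pay-002", ch.pin, now=1020.0),  # right PIN, different payment
        ch.verify("pay-001", ch.pin, now=1030.0),  # correct answer
        ch.verify("pay-001", ch.pin, now=1040.0),  # replay of a used PIN
    ]
```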
A system described by eWeek columnist Steven J. Vaughan-Nichols is similar. He begins with a restatement of the common wisdom that two-factor authentication is difficult to implement and expensive. He then goes through two scenarios -- two-factor authentication using Active Directory and NT Domains in a mixed-mode local-area network (LAN), and combining two-factor with single sign-on (SSO) -- and says both are problematic. (The first approach is "ugly" and "a train wreck" and the other "can be a real pain," he says.) Even after they are implemented, he says, users can be just as confounding.
Vaughan-Nichols says that the eWeek lab director, his staff and end users all "loved" Positive Networks' PhoneFactor. The system is free -- so the CFO will love it as well -- and works with any Remote Authentication Dial-In User Service (RADIUS)-enabled device. When a user tries to log in, PhoneFactor simply calls them. The user hits the pound button and is allowed access to the application. It is easy to switch the functionality to another phone. PhoneFactor makes its money from support, customization, better integration and other extra features, the columnist says.
This is a very comprehensive and well-done look at two-factor authentication at Masabists. The blogger begins by outlining why such technology is needed. He then describes some of the most common attacks two-factor can help to stop. The writer describes some of the problems with current technology, such as the fact that hardware-based key fobs and readers tend to get lost or destroyed before their expected lifespan ends. To the writer's credit, there is a clear demarcation in the piece between the vendor-neutral and product pitch elements.
These or other approaches must be working, at least to some extent. vnunet.com reports that Apacs, a banking body in the U.K., says that fraud losses are down 67 percent. Among the measures to which the story attributes the drop is the use of two-factor identification.