Need for Proven, Two-Factor Authentication Growing Easier

Carl Weinschenk

It's common sense that moving from single- to two-factor security will cut down on all levels of online theft. In some cases, however, such solutions have proven not to be user-friendly. For instance, an often-used two-factor method, biometrics -- use of some element of the person's physical being to prove who he or she is -- can involve retinal scans and other approaches that make folks uncomfortable. In other cases, two-factor is stymied by people having trouble remembering personal identification numbers (PINs) and passwords. Finally, these technologies can be expensive.


The bottom line is that simplification will make two-factor identification more viable. An English company has come up with a clever way to accomplish this. ITPro explains that the approach is driven by the user. He or she chooses a particular shape on a grid, such as a square.

Another initiative to simplify two-factor authentication is also coming out of the U.K. HSBC, according to ComputerWeekly, determined that current two-factor systems are not customer-friendly enough. The answer is simplicity itself: When a person seeks to make a payment, a pop-up with a PIN number appears and asks the consumer for his or her preferred telephone number. The bank then calls and asks for the PIN. As of early September, the system was yet to be tested with consumers, the story says.
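The HSBC call-back flow described above, sketched as an added example (not HSBC's code and not from the article): the PIN shown in the pop-up is single-use, short-lived and tied to one payment. The class name, the timeout and attempt limits, and the restriction to phone numbers registered in advance are assumptions.

```python
import hmac
import secrets
import time

PIN_TTL_SECONDS = 120  # assumption: how long the pop-up PIN stays valid
MAX_ATTEMPTS = 3       # assumption: wrong entries allowed before lockout


class CallbackChallenge:
    """One phone call-back challenge bound to a single payment (hypothetical)."""

    def __init__(self, payment_id, registered_numbers, now=None):
        self.payment_id = payment_id
        self.registered = set(registered_numbers)
        # Six random digits from the OS CSPRNG, displayed in the browser pop-up.
        self.pin = f"{secrets.randbelow(10**6):06d}"
        self.issued = time.time() if now is None else now
        self.attempts = 0
        self.used = False
        self.callback_number = None

    def choose_number(self, number):
        # Assumption: the "preferred" number must already be on file, so the
        # web session alone cannot point the call at a phone the bank has
        # never seen for this customer.
        if number not in self.registered:
            return False
        self.callback_number = number
        return True

    def verify(self, payment_id, keyed_pin, now=None):
        """Check the digits the customer keys in during the bank's call."""
        now = time.time() if now is None else now
        if self.used or self.callback_number is None:
            return "rejected"   # replayed PIN, or no call was ever placed
        if now - self.issued > PIN_TTL_SECONDS:
            return "expired"
        if self.attempts >= MAX_ATTEMPTS:
            return "locked"
        self.attempts += 1
        # Constant-time comparisons; the PIN only approves its own payment.
        same_payment = hmac.compare_digest(payment_id.encode(), self.payment_id.encode())
        same_pin = hmac.compare_digest(keyed_pin.encode(), self.pin.encode())
        if same_payment and same_pin:
            self.used = True
            return "approved"
        return "locked" if self.attempts >= MAX_ATTEMPTS else "retry"
```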


A system described by eWeek columnist Steven J. Vaughan-Nichols is similar. He begins with a restatement of the common wisdom that two-factor authentication is difficult to implement and expensive. He then goes through two scenarios -- two-factor authentication using Active Directory and NT Domains in a mixed-mode local-area network (LAN), and combining two-factor with single sign-on (SSO) -- and says both are problematic. (The first approach is "ugly" and "a train wreck" and the other "can be a real pain," he says.) Even after they are implemented, he says, users can be just as confounding.


Vaughan-Nichols says that the eWeek lab director, his staff and end users all "loved" Positive Networks' PhoneFactor. The system is free -- so the CFO will love it as well -- and works with any Remote Authentication Dial-In User Service (RADIUS)-enabled device. When a user tries to log in, PhoneFactor simply calls them. The user hits the pound button and is allowed access to the application. It is easy to switch the functionality to another phone. PhoneFactor makes its money from support, customization, better integration and other extra features, the columnist says.


This is a very comprehensive and well-done look at two-factor authentication at Masabists. The blogger begins by outlining why such technology is needed. He then describes some of the most common attacks two-factor can help to stop. The writer describes some of the problems with current technology, such as the fact that hardware-based key fobs and readers tend to get lost or destroyed before their expected lifespan ends. To the writer's credit, there is a clear demarcation in the piece between the vendor-neutral and product pitch elements.


These or other approaches must be working, at least to some extent. vnunet.com reports that Apacs, a banking body in the U.K., says that fraud losses are down 67 percent. Among the measures to which the story attributes the drop is the use of two-factor identification.

Oct 10, 2007 3:39 PM Nick Collin says:
Carl: I still think remote chip authentication (promoted as CAP by MasterCard and DPA by Visa) is the best way forward. You insert your chip payment card (factor 1) in a simple handheld reader (factor 2), enter your PIN and a one-time-password is displayed which you use to authenticate yourself over any remote channel. This solution is already being rolled out widely for secure e-banking, and can be extended to secure e-commerce using the 3D Secure protocol (MasterCard SecureCode or Visa VbV). In other words the infrastructure is all there. Rgds, Nick Collin
Dec 5, 2007 5:13 PM Chris Hogan says:
Frankly any validation process which requires a physical device to authenticate access to the Internet is rubbish. There are sites out there already telling you how to hack a PIN Sentry, or how it might be abused. What if you lose it, break it, have it stolen? I can't see Paypal issuing these can you?
Apr 11, 2008 7:20 PM Justin says:
Two Factor Authentication is becoming easier to understand and over time, despite a few pitfalls, the technology has proven itself. This in turn makes it easier for business owners to open up their pocketbooks and adopt this type of security. With a number of banks and even PayPal and Microsoft adopting TFA eventually everyone else will follow suit.
