End the Password #3: Multi-factor authentication.
This is the third in a series of blogs, ‘Kill the password. NOW!’, documenting the “war to exterminate the password.” This is the first post regarding multi-factor authentication: what it does, how it works, and thoughts on why it is being offered as a password replacement alternative.
Multi-Factor authentication sucks.
Multi-factor authentication may well offer the best alternative to password authentication from a security perspective, but it simply has too many steps for the user. Two step, multi-factor, redundant authentication, call it what you like, is being offered as an alternative to the single password. But is it better? Yahoo recently announced their one-time-use, on-demand or disposable password. But does it eliminate the password? Is it better?
Multi-factor authentication is similar to a bank asking for two forms of ID. In general it relies on a username and password plus a backup factor, such as a text message with a code sent to a phone number on file.
Multiple step authentication is far more secure than a single step username and password, but it doesn’t eliminate the password. It is a backup process which complicates the login process. Consider that you may have changed phone numbers. Users must then go to every site where they have dual authentication and update their records individually.
Two step authentication is a major inconvenience if you must authenticate on every login. It could be especially problematic when your phone breaks or if you are in an area where you don’t have reliable cell phone coverage. Because the two step process still uses your stored name and password as the reference, it is the site’s firewall that protects you and your credentials, not your two step authentication. Your exposure depends on the server and on the security of the enterprise host.
Additionally, two step processes such as Microsoft’s store may require you to remember a user name and password for Live, another for the applications, and a third email and password for the authentication. Remembering which email you used to register on each site, particularly when you have multiple emails, can slow the process or even prevent it if an unused email address has expired.
It will be interesting to see how useful the two step process really is, especially as it relies heavily on a user having their phone near them to access emails. You might also ask, ‘how do you gain access to your account if you change your phone number or have your phone stolen or broken?’
Identity thieves using standard credentials pilfered from another site are often successful because few sites employ two step authentication. The sites which do engage it will often do so only when something suspicious happens. When a hacker has your username and password, they often enter unopposed.
The question of security vs. convenience relies on the ability of the host to protect its data. Clearly the enterprise, and particularly those holding financial data, is under attack. So when a host is compromised, are both factors equally compromised? Can a hacker change the phone number or email address used to verify a factor?
The point is that two step authentication is more secure than single step password only, but it isn’t an elimination of the password, rather it is a complication or an additional step in the process.
The issue isn’t the strength of the system or method. The problem is what you will do when an enterprise like Sony, Chase, Home Depot, PayPal, eBay, or others is compromised. What do you do when hackers have compromised your factors?
The weakest link isn’t the methods, it is the site that uses them for verification.
The only solution to ease of use and bulletproof security is the complete elimination of the password with a better system. No passwords at all eliminates the problem.
Paul Swengler is the CEO and principal of Bulletproof ID, a password-free login. He can be reached through www.BPIDsecurity.com