A two-factor paradox

Quick lesson in authentication (often abbreviated as AuthN), which is the process of identifying yourself to a system such that it “lets you in”.  There are three common ways to prove that you are who you say you are:

  1. What you know – using your username and password is the most common example.  Most password policies are pretty lame, but it’s cheap to implement this, so it won’t be changed until the frequency of identity theft and/or associated costs reach a tipping point.
  2. What you have – this used to be a smart-card or some other device that you either presented to a reader, or entered a matching code into a system.  Now since everybody has a smartphone, the easy solution here is to SMS your smart phone or have some other validation appear on that device.  This is what Google does with it’s two-factor solution.  Some banks do this with “You’ve used a new computer, please answer this ridiculous security question”.  That presents the illusion of security with questions and answers that you can pretty quickly gather from Facebook, or worse yet are questions that don’t have a clear answer (and are none of the bank’s business, frankly).  If my bank would call my phone and have me recite something into the phone, I’d be a thousand times happier than trying to periodically remember my favorite movie.  Do normal people actually have a single, favorite movie?  Is this not the dumbest question ever?
  3. What you are – often referred to as biometrics.  Nearly every device that I use has a camera, so if an authentication routine would simply turn on my camera and have me look left, right, then left again, you could be pretty sure that it was me.  A cheaper solution that would also work reasonably well is to analyze my typing pattern.  I type certain patterns of letters at a very predictable rate.  This would be insanely easy to implement and would beautifully compliment #1 above.  And the other easy, and pervasive option, is my voice.  Yes it changes occasionally if I’m sick, but you can also implement something to have me read something or speak something into my phone without too much heartache.

The point of my post today though is to talk about scenario #2 above – what you have.  I encountered a situation where I installed an app on my iPhone, but the two-factor authentication required not just my password, but to text THAT SAME SMARTPHONE.  It seems that there is an opportunity to identify if you are running on the two-factor device, and just accept the fact that you have already satisfied that authentication requirement.

And then maybe you should turn on the camera for just a few seconds to make sure that it’s really me.

It’s one of those areas where you have consumer behavior on one side of the equation, and infrastructure investment on the other.  The will is equal.  So whomever can either scare enough consumers to pay a higher price, or come out with a device that is as cheap as a password but just as effective, will will the next battle in consumer security.  Coming up the backside is Lifelock, taking the pound of cure versus the oz. of prevention approach.

 

1 thought on “A two-factor paradox”

  1. Pingback: Password++ ← David Pinkus

Comments are closed.

Scroll to Top