I know there have been a lot of complaints about the new RSA tokens that we’ve issued, in that it’s a bit of an inconvenience to carry your laptop AND an RSA token on your key ring. Here’s a solution that will help you keep them together. Get a bigger key ring (we’ve got a handful, first come first served) and put the token on the key ring using the small-diameter ring on the token. Insert the laptop’s power cord through the ring, make a half-hitch loop in the cord, fastening the bigger ring to the cord.
In other words, tether the token to the access device that’s at risk.
The guy even provides a useful picture to show bankers how to make sure that if they lose their laptop, the second factor that protects the vital corporate information on it goes with it. And I’d bet a pound to a penny that half of them have written their username and password on a post-it and sellotaped it to the laptop as well.
Does this mean that two-factor token-based authentication can never work? Of course not. But it does mean that if we don’t find ways to make two-factor authentication go with the grain for users (perhaps by making the token something they always have with them anyway, such as a mobile phone or a contactless card in their wallet), then they will always find ways to subvert it, leaving the appearance of greater security with none of the substance.
My opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public.