[Dave Birch] I know it’s rather trite to point this out, but moving to stronger authentication of digital identities does not by itself mean more "security" unless the human factors are taken care of.  Here’s a post I came across while looking for something else for a project I’m working on.  It comes from inside a large banking organisation that has adopted two-factor authentication for remote access to corporate resources, surely a sensible policy to protect shareholders’ investments.  The person in charge of this shift writes to the staff:

I know there have been a lot of complaints about the new RSA tokens that we’ve issued, in that it’s a bit of an inconvenience to carry your laptop AND an RSA token on your key ring. Here’s a solution that will help you keep them together. Get a bigger key ring (we’ve got a handful, first come, first served) and put the token on the key ring using the small diameter ring on the token. Insert the laptop’s power cord through the ring, make a half hitch loop on the cord, fastening the bigger ring to the cord.

In other words, tether the token to the access device that’s at risk.


The guy even provides a useful picture to show bankers how to ensure that if they lose their laptop then vital corporate information will go with it.  And I’d bet a pound to a penny that half of them have stuck their username and password on a post-it and sellotaped it to the laptop as well.

Does this mean that two-factor token-based authentication can never work?  Of course not.  But it does mean that if we don’t find ways to make two-factor authentication go with the grain for the users, perhaps by making the token something that they always have with them anyway, such as a mobile phone or a contactless card in their wallets, then they will always find ways to subvert it.  The result is the impression of greater security with no actual greater security: a token tied to the laptop is no longer a second factor, just a second thing the thief picks up with the first.

My opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public.

1 comment

  1. Dave, fyi – software and mobile phone tokens are available today and they do make life easier for some people. Others prefer physical tokens for various reasons.
