[Dave Birch] 2FA is clearly important. But what kind of 2FA? At the moment, the "something you know" plus "something you have" version is in vogue, and a great many organisations have been rolling out tokens of one form or another. In the U.K., Barclays (to name but one) have already rolled-out 2FA to the mass market:

 

Gemalto announced it has passed the 1 million mark for Barclays customers using PINsentry, its cryptographic smart card reader. The bank started deploying its authentication program in July 2007 and since then not one PINsentry online customer has suffered fraud.

[From 1 million Barclays customer using smart card reader : SecureID News]

As I’ve said before, I’m a happy PINsentry customer, even though I know it doesn’t provide total security. But it’s a bit limited. I can’t use it to log in to anything else: I’d much rather that Barclays offered a 2FA OpenID login using the PINsentry and then I could use my Barclays OpenID to log in not only to the bank but to any other sites that needed that kind of security (eg, the government). Simon Willison’s excellent OpenID blogged alerted me to the fact that other people are already thinking in that direction.

 

Microsoft are accepting OpenID for their new HealthVault site, but with a catch: you can only use OpenIDs from two providers: Trustbearer (who offer two-factor authentication using a hardware token) and Verisign.

[From Simon Willison’s Weblog]

So OpenID/2FA is not only feasible, it’s a good idea. But we don’t want to end up with a 2FA necklace — with the tokens from half-a-dozen banks plus eBay plus our corporate networks plus plus plus — that we have to carry with us at all times and this could happen if banks and other service providers don’t accept each other’s OpenIDs in a rich enough way.

One way to do away with the necklace, of course, would be to use a device that everyone already has: the mobile phone. The addition of a proximity interface means that the phone can interface to cards just as the PINsentry does, so the PINsentry just becomes a bit of software in the phone (you can’t do this at the moment, of course, because the mobile phone keypad is not an approved PIN entry device, but it will be possible in the future with more security in the handset. An obvious alternative would be to use the mobile phone for a different 2FA login to OpenID (or whatever). This seems like a promising way forward, particularly if the SIMs have end-to-end cryptography on board. But would such a 2FA be enough? What about adding another hardware factor to make a kind of 2.5FA, as they have done over at Cell-cash:

 

Cell-cash requires two elements – a cellphone and a special bluetooth security dongle, carried separately from the phone… losing the phone doesn’t compromise security in any way; there is no sensitive information stored there. And forgetting the dongle at home means that it can’t be used in any way, since it’s linked to one specific phone.

[From Stellar Startups: E-wallet security, dongle style | Jerusalem Post]

Personally, the chances of me remembering both the phone and the dongle when I want to make a transaction might be somewhat limited, but I can see that it would be attractive to some people. Does "phone + dongle + PIN" improve much on "phone + PIN" ? I’m not sure that it does (because I don’t understand the arithmetic of this space: 2FA+2FA doesn’t equal 4FA, does it?), but I’ll be curious to see how it is used in practice: Perhaps it will make consumers feel more secure, which as we all know is as important as actually making them more secure.

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto

1 comment

  1. The sooner we start getting managed CardSpace providers that consume trusted OpenID and do secure token exchange, the better. I think it needs at least one reputable provider to start people taking services seriously.

Leave a Reply


Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.
%d bloggers like this: