There is a problem here, though, and that is that the bank 2FA schemes and devices are not open in any way. This is a bad thing, and not in the sense that I think they will be subject to the hacking of proprietary algorithms (see, for example, MiFare) but because no-one else can use them, even if they wanted to. Since I work for a company that banks with Barclays, surely they could sell us a service whereby we could use Barclays PINsentry devices to log in to our corporate network (for applications that don’t need particularly high levels of security). If banks have to spend money fixing the authentication problem for themselves then, as I have droned on about endlessly, why don’t they switch authentication from being a cost centre to a profit centre? Make it a service that other people will buy.
When I made the offhand prediction that people would begin to use 2FA in virtual worlds before they use it for actual banking, it was because of the observation that if hackers steal my money then Barclays will give it back to me but if hackers steal my +5 Vorpal Sword (“The Equalizer”) Blizzard won’t. Therefore, logically, it makes more sense for me to invest time and effort in 2FA log in for World of Warcraft than for World of Barclays. All of this goes to say why I was so interested to see the announcement from Blizzard that they will begin offering 2FA for World of Warcraft using a $6.50 device called the Blizzard Authenticator…
The Blizzard Authenticator is an optional tool that offers World of Warcraft players an additional layer of security to help prevent unauthorized account access. The Authenticator itself is a physical “token” device that fits easily on a keyring.
[From Blizzard Support]
I’ve no idea whether this particular product will succeed — speaking personally, I would much rather use a token like this for 2FA OpenID authentication rather than “silo” 2FA authentication, so that I can use the same token to log in to all sorts of places — but it’s worth studying. Incidentally, in these modern times it seems a little odd to be issuing custom security hardware to people who already have a mobile phone, so I would expect to see the next generation 2FA vanish into mobile phones as well as using something like OpenID. Oh, wait a minute…
JanRain and Positive Networks have developed a phone-based, two-factor authentication solution specifically designed to support users of myOpenID.
[From JanRain » Blog Archive » Phone-based Two-Factor Authentication Now Available for OpenID]
You can see how this might work in the future. I go to log in to my bank / local council / VPN and I’m presented with an OpenID screen. I enter my mobile phone number, which is my operator-based OpenID. A message pops up on my phone, I authenticate with a password and off we go. No necklace, no proprietary devices, no new protocols to use. Most people wouldn’t even be aware that their mobile phone number is actually being used as an OpenID in this scenario, so there’d be no need to explain it to them. Another benefit!
These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]
Are you aware of VeriSign’s Identity Protection service (VIP), which uses a shared authentication network so that 2FA tokens can be shared across many websites and online services? I use the token I got from PayPal also at eBay, at my OpenID provider’s site, Plaxo, etc. There are also a number of financial institutions that use VIP.
See http://www.verisign.com.au/authentication/consumer-authentication/
Must put my cards on the table here and say that I am a VeriSign employee. The last post is right in that our VIP network does do what you are suggesting, Dave, and for those reading this in the UK, the first two customers (a financial organisation and an ecommerce site) will be live in November of this year.
The “Shared Authentication network” is already live across 32 companies around the world, but it really is a country by country rollout so I would expect to see shortly other companies come on board in the UK in a similar fashion that we have seen in other countries where the network is established.
Thanks
Mike
[Dave Birch] Thanks for that Mike.