[Dave Birch] In many countries the banks have begun to issue 2FA tokens of one form or another. In some places, such as Singapore, 2FA is already mandatory for home banking, and everyone is used to carrying around their token. In many companies, people use 2FA tokens of one form or another for intranet and VPN access. Authentication is improved tremendously, hurrah. But the “necklace problem” looms. The necklace problem is that if you need half-a-dozen different tokens to log in to your different bank accounts and corporate systems, not to mention government services, then you will have to carry them around your neck or risk not having the right one by your side when you need to do something. Oddly, despite the existence of (for sake of argument) SAML or OpenID, none of the tokens that I have in my possession are in the least bit interoperable. My Barclays token doesn’t even help me log in to another U.K. bank, let alone the U.K. government or a corporate site.


There is a problem here, though, and that is that the bank 2FA schemes and devices are not open in any way. This is a bad thing, and not in the sense that I think they will be subject to the hacking of proprietary algorithms (see, for example, MiFare) but because no-one else can use them, even if they wanted to. Since I work for a company that banks with Barclays, surely they could sell us a service whereby we could use Barclays PINsentry devices to log in to our corporate network (for applications that don’t need particularly high levels of security). If banks have to spend money fixing the authentication problem for themselves then, as I have droned on about endlessly, why don’t they switch authentication from being a cost centre to a profit centre? Make it a service that other people will buy.
When I made the offhand prediction that people would begin to use 2FA in virtual worlds before they use it for actual banking, it was because of the observation that if hackers steal my money then Barclays will give it back to me but if hackers steal my +5 Vorpal Sword (“The Equalizer”) Blizzard won’t. Therefore, logically, it makes more sense for me to invest time and effort in 2FA log in for World of Warcraft than for World of Barclays. All of this goes to say why I was so interested to see the announcement from Blizzard that they will begin offering 2FA for World of Warcraft using a $6.50 device called the Blizzard Authenticator…

The Blizzard Authenticator is an optional tool that offers World of Warcraft players an additional layer of security to help prevent unauthorized account access. The Authenticator itself is a physical “token” device that fits easily on a keyring.

[From Blizzard Support]

I’ve no idea whether this particular product will succeed — speaking personally, I would much rather use a token like this for 2FA OpenID authentication rather than “silo” 2FA authentication, so that I can use the same token to log in to all sorts of places — but it’s worth studying. Incidentally, in these modern times it seems a little odd to be issuing custom security hardware to people who already have a mobile phone, so I would expect to see the next generation 2FA vanish into mobile phones as well as using something like OpenID. Oh, wait a minute…

JanRain and Positive Networks have developed a phone-based, two-factor authentication solution specifically designed to support users of myOpenID.

[From JanRain » Blog Archive » Phone-based Two-Factor Authentication Now Available for OpenID]

You can see how this might work in the future. I go to log in to my bank / local council / VPN and I’m presented with an OpenID screen. I enter my mobile phone number, which is my operator-based OpenID. A message pops up on my phone, I authenticate with a password and off we go. No necklace, no proprietary devices, no new protocols to use. Most people wouldn’t even be aware that their mobile phone number is actually being used as an OpenID in this scenario, so there’d be no need to explain it to them. Another benefit!
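To make the flow above concrete, here is an added simulation (not code from JanRain, Positive Networks, any operator or this blog) in which the mobile number is the OpenID, the provider pushes a single-use challenge to the handset, the user confirms with a password, and the relying party checks a signed assertion bound to its own return address. The `Provider` and `rp_verify` names, the signing scheme, and the phone number are all constructed for illustration.

```python
import hmac, hashlib, secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed illustration of phone-number-as-OpenID with an out-of-band
# confirmation on the handset. The signed assertion uses an HMAC over a
# canonical string with a key shared between provider and relying party.

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _canon(openid: str, return_to: str, nonce: str) -> bytes:
    return f"openid={openid}&return_to={return_to}&nonce={nonce}".encode()

@dataclass
class Provider:                                  # hypothetical operator-run OpenID provider
    users: dict = field(default_factory=dict)    # phone -> (salt, password hash)
    pending: dict = field(default_factory=dict)  # nonce -> (phone, rp return_to)
    assoc_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))

    def enrol(self, phone: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[phone] = (salt, _hash(password, salt))

    def start_login(self, phone: str, return_to: str) -> str:
        """RP step 1: user typed their number; push a challenge bound to this RP to the phone."""
        if phone not in self.users:
            raise KeyError("unknown OpenID")
        nonce = secrets.token_urlsafe(16)
        self.pending[nonce] = (phone, return_to)
        return nonce  # delivered to the handset out of band, never via the browser

    def confirm_on_phone(self, nonce: str, password: str) -> Optional[dict]:
        """Phone step: one attempt per push; a wrong password also burns the challenge."""
        phone, return_to = self.pending.pop(nonce, (None, None))
        if phone is None:
            return None
        salt, stored = self.users[phone]
        if not hmac.compare_digest(stored, _hash(password, salt)):
            return None
        sig = hmac.new(self.assoc_key, _canon(phone, return_to, nonce), hashlib.sha256).hexdigest()
        return {"openid": phone, "return_to": return_to, "nonce": nonce, "sig": sig}

def rp_verify(a: Optional[dict], assoc_key: bytes, my_return_to: str, seen: set) -> bool:
    """RP step 2: reject missing, mis-addressed or replayed assertions, then check the signature."""
    if a is None or a["return_to"] != my_return_to or a["nonce"] in seen:
        return False
    expected = hmac.new(assoc_key, _canon(a["openid"], a["return_to"], a["nonce"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(a["sig"], expected):
        return False
    seen.add(a["nonce"])
    return True
```

The same enrolment serves the bank, the council and the VPN in this model; each relying party only needs its own association key and return address, which is the interoperability the silo tokens lack.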

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public.

3 comments

  1. Must put my cards on the table here and say that I am a VeriSign employee. The last post is right in that our VIP network does do what you are suggesting Dave and for those reading this in the UK, the first two customers (a financial organisation and an ecommerce site) will be live in November of this year.
    The “Shared Authentication network” is already live across 32 companies around the world, but it really is a country by country rollout so I would expect to see shortly other companies come on board in the UK in a similar fashion that we have seen in other countries where the network is established.
    Thanks
    Mike
    [Dave Birch] Thanks for that Mike.
