Friday, October 17, 2008

Phones as second factors of authentication

I've been noticing a trend in the market towards acceptance of phones, particularly cell phones, as a mechanism for enforcing multi-factor authentication. While I applaud the attempt to make multi-factor authentication more ubiquitous by tying it to an already-prevalent device, I am worried.

Basically, the way it works is that you input your phone number into your profile at the online service you're logging into - be it a remote desktop product, your bank, or some other system. Then, when you hit the login page, you enter your username and password, and the system sends a message to your cell with a One Time Password (OTP), or calls you, at which point you press a button to indicate you've received the call. Once the host recognizes the OTP or receives your call confirmation button press, you're logged in.

It seems to me that there are several opportunities for trouble here.

First, it's complicated. Not very complicated, but complicated enough. It's another step or two that the average user may simply opt out of. Will users really adopt it if it's an optional feature?

How about logistical difficulties: Do I have to pay for the text message or call minutes every time I log in? What happens if I'm in an area without cell coverage, like a basement office or a remote vacation spot? What if my phone runs out of battery?

In terms of the security itself, what's to prevent someone from stealing my (presumably single-factor) website login and modifying my profile to put in their phone number?
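
The flow described above, with the profile-modification risk, as an added example that is not part of the original post: a minimal server-side model of a phone-delivered OTP in which the code is generated from a CSPRNG, expires, is single-use, is compared in constant time, and in which the phone number on file cannot be changed with the password alone, only after a code sent to the *current* phone is confirmed. Class and method names, the policy constants and the stand-in SMS gateway are assumptions for the example.

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed policy: a code is valid for five minutes
MAX_ATTEMPTS = 3        # assumed policy: three wrong guesses void the code


class PhoneOtpAccount:
    """One account whose second factor is a code sent to a phone (constructed example)."""

    def __init__(self, password_hash, phone):
        self.password_hash = password_hash
        self.phone = phone
        self.sent = []         # stand-in for the SMS gateway: (phone, code) tuples
        self._pending = None   # (code, expiry, attempts_left) or None

    def send_otp(self, now=None):
        """Called after the password check succeeded; issues one fresh code."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"   # six digits from a CSPRNG, never random.random
        self._pending = (code, now + OTP_TTL_SECONDS, MAX_ATTEMPTS)
        self.sent.append((self.phone, code))       # "send" to the number currently on file
        return code

    def verify_otp(self, submitted, now=None):
        """True only for the live, unexpired code; any failure burns an attempt or voids it."""
        if self._pending is None:
            return False
        code, expiry, attempts_left = self._pending
        now = time.time() if now is None else now
        if now > expiry or attempts_left <= 0:
            self._pending = None
            return False
        if not hmac.compare_digest(code, submitted):   # constant-time comparison
            self._pending = (code, expiry, attempts_left - 1)
            return False
        self._pending = None   # single use: a replayed code is rejected
        return True

    def change_phone(self, new_phone, otp_for_old_phone):
        """A stolen password alone cannot redirect the second factor: the change is only
        accepted after a code delivered to the existing phone is confirmed."""
        if not self.verify_otp(otp_for_old_phone):
            return False
        self.phone = new_phone
        return True
```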

In the end, I think it's probably better to stick with industry-standard methods for multi-factor authentication -- primarily separate hardware authentication tokens, issued in unique fashion to each user. This is just too important to entrust to a clever but potentially flawed methodology.

Thursday, October 16, 2008

Implanted RFID Chip

I came across this item recently, regarding implanted RFID chips acting as a 2nd factor of authentication.

http://connectid.blogspot.com/2008/10/is-this-2-factor-authentication.html

I don't think there's any doubt that this is a form of multifactor authentication, as disturbing as it may be... The interesting, though academic, question is this: is the RFID chip then something that you have or something that you are?