Friday, October 17, 2008

Phones as second factors of authentication

I've been noticing a trend in the market towards acceptance of phones, particularly cell phones, as a mechanism for enforcing multi-factor authentication. While I applaud the attempt to make multi-factor authentication more ubiquitous by tying it to an already-prevalent device, I am worried.

Basically, the way it works is that you input your phone number into your profile at the online service you're logging into - be it a remote desktop product, your bank, or some other system. Then, when you hit the login page, you enter your username and password, and the system sends a message to your cell with a One Time Password (OTP), or calls you, at which point you press a button to indicate you've received the call. Once the host recognizes the OTP or receives your call confirmation button press, you're logged in.

It seems to me that there are several opportunities for trouble here.

First, it's complicated. Not very complicated, but complicated enough. It's another step or two that the average user may simply opt out of. Will users really adopt it if it's an optional feature?

How about logistical difficulties: Do I have to pay for the text message or call minutes every time I log in? What happens if I'm in an area without cell coverage, like a basement office or a remote vacation spot? What if my phone runs out of battery?

In terms of the security itself, what's to prevent someone from stealing my (presumably single-factor) website login and modifying my profile to put in their phone number?
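To make the enrollment weakness concrete, here is an added toy model of the flow described above (my own illustration, not code from the original post). The OTP is single-use and time-limited, `change_phone_weak` shows a profile edit guarded by the password alone, and `change_phone_hardened` shows the mitigation: a number change must be confirmed with a code delivered to the phone already on file. Class and method names are assumptions of this example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

OTP_TTL = 120  # seconds an SMS/voice code stays valid

@dataclass
class Account:
    password: str            # plaintext only to keep the toy model short
    phone: str
    pending_otp: Optional[str] = None
    otp_expires: float = 0.0

class Service:
    """Toy model of the phone-as-second-factor flow from the post."""
    def __init__(self):
        self.accounts: dict = {}
        self.sms_log: list = []   # (phone, code) pairs the service "sent"

    def send_otp(self, user):
        acct = self.accounts[user]
        acct.pending_otp = f"{secrets.randbelow(10**6):06d}"
        acct.otp_expires = time.time() + OTP_TTL
        self.sms_log.append((acct.phone, acct.pending_otp))

    def verify_otp(self, user, code):
        acct = self.accounts[user]
        ok = (acct.pending_otp is not None
              and time.time() < acct.otp_expires
              and hmac.compare_digest(acct.pending_otp, code))
        acct.pending_otp = None   # single use, whether or not it matched
        return ok

    def login_step1(self, user, password):
        """Username + password; on success the OTP goes to the enrolled phone."""
        acct = self.accounts.get(user)
        if acct is None or not hmac.compare_digest(acct.password, password):
            return False
        self.send_otp(user)
        return True

    def change_phone_weak(self, user, new_phone):
        """Profile edit guarded by the password alone: re-points the factor."""
        self.accounts[user].phone = new_phone

    def change_phone_hardened(self, user, new_phone, code_from_old_phone):
        """Requires an OTP that was delivered to the currently enrolled phone."""
        if not self.verify_otp(user, code_from_old_phone):
            return False
        self.accounts[user].phone = new_phone
        return True
```

With the weak variant, anyone holding only the password can move the second factor to a number they control; with the hardened variant the change fails unless the code from the existing phone is presented.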

In the end, I think it's probably better to stick with industry-standard methods for multi-factor authentication -- primarily separate hardware authentication tokens, issued in unique fashion to each user. This is just too important to entrust to a clever but potentially flawed methodology.
