Sunday, April 10, 2005, 2:36 PM

The Enemy of the Better

Last month, Bruce Schneier highlighted what he described as the futility of deploying second-factor authentication (2FA). I believe he missed the main point, that so long as the user is approving transactions via a compromisable platform, transactions cannot be guaranteed secure.

The problem has got almost nothing to do with 2FA. Pardon my analogizing, but Schneier was yelling "the barn's on fire!" when the smoke is coming from the house.

One (philosophical) issue I have with Schneier's article is that he doesn't suggest a way out of the problem. I believe that if you cry wolf, you should try to have a plan for mitigating the attack of the wolves. But you do have to identify the root problem before an appropriate solution can be proposed.

Another (more practical) issue I have with Schneier's approach is that he is making the best the enemy of the better. Given today's technologies, is having 2FA better than not having it? Yes! Especially if the second factor is physicalized. The bad guys might catch up by exploiting the vulnerabilities of client platforms, but we can address that by detecting and closing those vulnerabilities. Without 2FA, how easy is it for someone to "bug" your computer and extract your password? Once they have your password, they have your identity; they don't have to wait for you to access the server again (as they must if you have 2FA) to commit fraud. With plain passwords, no physical theft is necessary to commit identity theft.

If I were to suggest a plan to increase the strength of digital identities (identities that are harder to steal), I'd include the following (somewhat obvious) steps:
1. Move to physical-factor authentication (preferably with physicalized secrets, as opposed to shared secrets)
2. Use inspection technology to watch for breaches (anti-virus/spyware/phishing software)
3. Make sure your client platform has the latest security patches
In the meantime, the industry should:

4. Figure out how to breach-proof our client platforms; specifically, every client platform vendor has to do this (Microsoft, Apple, Nokia, Samsung, Blackberry, PalmSource, etc.)
5. Develop a Secure Transaction Token (STT). This is going to be difficult because it involves defining standards for the industry... and creating a new standard is next to impossible (see The Symmetry Principle).

Automating the inspection of compromisable clients for breaches and deploying physical-factor authentication for network applications are together better than just using plain passwords. Getting to systems that are technically near breach-proof is possible with STTs, but widespread adoption of such systems is unlikely.
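An added illustration of the argument above (my own example, not code from the original post): a bugged client can swap the transaction after the user approves it, so a one-time code that only proves possession of the token still lets the swapped transaction through, whereas a code that also covers the transaction the token itself displayed does not. The HMAC-over-counter-and-transaction construction is an assumption about how an STT might work, not the post's design.

```python
import hmac
import hashlib

# Constructed demo values; none of these are real credentials.
PASSWORD = "hunter2"           # shared secret: a bugged client can copy it
TOKEN_SECRET = b"\x01" * 32    # physicalized secret: assumed never to leave the token

USER_TX = {"to": "Landlord", "amount": 800}     # what the user meant to approve
MALWARE_TX = {"to": "Mule", "amount": 8000}     # what a compromised client submits


def canonical(tx):
    """Fixed byte encoding of a transaction so token and server MAC the same thing."""
    return f"{tx['to']}|{tx['amount']}".encode()


def token_code(counter, tx=None):
    """Code computed inside the physical token (assumed HMAC construction).
    An OTP binds only the counter; an STT also binds the transaction the
    token displayed to the user, so the two cannot be separated afterwards."""
    msg = counter.to_bytes(8, "big") + (canonical(tx) if tx else b"")
    return hmac.new(TOKEN_SECRET, msg, hashlib.sha256).hexdigest()[:8]


def server_accepts(mode, tx, password, code, counter):
    """Bank-side check; mode is 'password', 'otp' or 'stt'. True means executed."""
    if not hmac.compare_digest(password, PASSWORD):
        return False
    if mode == "password":
        return True
    expected = token_code(counter, tx if mode == "stt" else None)
    return hmac.compare_digest(code, expected)


def fraud_succeeds(mode):
    """Attacker model from the post: the client is bugged (password known,
    submitted data rewritable) but the physical token is not stolen.
    Returns True if MALWARE_TX gets executed."""
    counter = 1
    if mode == "password":
        # No need to wait for the user: the stolen password is the whole identity.
        return server_accepts(mode, MALWARE_TX, PASSWORD, None, counter)
    # With a token the attacker must wait for a live session: the user approves
    # USER_TX, the token emits a code, and the bugged client swaps the transaction.
    code = token_code(counter, USER_TX if mode == "stt" else None)
    return server_accepts(mode, MALWARE_TX, PASSWORD, code, counter)
```

Only the STT mode rejects the swapped transaction; the password and OTP modes differ merely in whether the attacker has to wait for the user's next session.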

I would not make the best the enemy of the better by ignoring what is better than the status quo of plain passwords (and possible today) just because we can't get to the theoretical best right now.

Update (April 14, 2005):
Bruce Schneier follows up with More on Two-Factor Authentication (
