When passwords are not sufficient to contain the risk - physical 'tokens'
Multi-factor authentication - what you (1) know, (2) have, (3) are or (4) can do
Validating the identity of a person is the goal that passwords
(1 in the list above) seek to
achieve, but as well as being 'hackable' and at the mercy of users who do
not, and should not need to, understand them, they can be stolen by a wide
variety of means. As a result, some businesses, typically banks, are
adding a second factor to how they ensure that it really is you.
I am going to ignore 'levels 3 and 4' in the list above -
the 'what you are' and the 'what you can do' aspects
of authenticating a person - as they are relatively new and unproven:
biometrics and Turing-style (normally visualisation) techniques.
What you physically have can be a powerful addition to a password but
would obviously never replace it, as theft of the device would then be enough.
Web site owners can issue either:
- Keyfob-sized token generators
- Palm-sized smart card readers
which are uniquely synchronised to their web site's authentication tools.
In the case of key fobs, pressing a button and keying in the one-off, 6 to 8
digit code displayed on the device gives a very, very high probability
that the user either:
- physically has the device with them - but note that this doesn't
guarantee that it really is you - hence the continuing need for a good password, OR
- is an attacker who has cloned the key fob by finding out
its serial number and initialisation string (the secret from which the codes are
computed) - not trivial but perfectly possible with older devices (eg. RSA SecurID)
with a targeted attack unless precautions have been taken.
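The two outcomes above can be seen in code. What follows is an added example, not code from the original page or from any token vendor: it uses HOTP (RFC 4226) as a stand-in for the vendor's own code-generation algorithm, which this page does not describe, and the device seed is the RFC 4226 test key, used here only as constructed demo data. The server accepts each code once, within a small look-ahead window, so a code seen over the user's shoulder cannot be replayed; but anyone who learns the seed (the 'serial number and initialisation string' of the text) and roughly where the counter is can build a clone the server cannot tell from the real fob.

```python
import hashlib
import hmac
import struct

# Constructed device seed (the RFC 4226 test key): stands in for the secret the
# vendor programs into each fob.  Assumption: HOTP (RFC 4226) is used here in
# place of the vendor's own algorithm, which this page does not describe.
DEVICE_SEED = b"12345678901234567890"
CODE_DIGITS = 6
LOOKAHEAD = 3      # unobserved button presses the server will tolerate before resync fails


def hotp(seed: bytes, counter: int, digits: int = CODE_DIGITS) -> str:
    """One-time code for a counter value: HMAC-SHA1, dynamic truncation, mod 10^digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10**digits).zfill(digits)


class KeyFob:
    """Event-based token: each button press advances the counter and shows a fresh code."""

    def __init__(self, seed: bytes, counter: int = 0):
        self.seed, self.counter = seed, counter

    def press(self) -> str:
        code = hotp(self.seed, self.counter)
        self.counter += 1
        return code


class AuthServer:
    """Holds the same seed; accepts a code only once and only within the look-ahead window."""

    def __init__(self, seed: bytes, counter: int = 0):
        self.seed, self.counter = seed, counter      # next counter value we expect

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + LOOKAHEAD + 1):
            if hmac.compare_digest(hotp(self.seed, c), code):
                self.counter = c + 1                 # this and every earlier code is now dead
                return True
        return False


if __name__ == "__main__":
    fob, server = KeyFob(DEVICE_SEED), AuthServer(DEVICE_SEED)
    code = fob.press()
    print("legitimate code accepted:", server.verify(code))   # True
    print("same code replayed:      ", server.verify(code))   # False
    # Attacker who has learnt the seed and roughly where the counter is: a cloned fob.
    clone = KeyFob(DEVICE_SEED, counter=fob.counter)
    print("cloned fob accepted:     ", server.verify(clone.press()))   # True
```

The look-ahead window is the precaution that lets a fob whose button was pressed a few times in a pocket resynchronise; make it large and an attacker who has captured a handful of old codes gains nothing, but an attacker holding the seed is indistinguishable from the user whatever the window is, which is why the seed database is the asset to protect.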
Smart card reader/writers are now economically viable to be given to
(some?) online clients - technically they can authenticate you as well
as a (bank ATM) 'hole in the wall' does.
What they offer (to the bank!) is a much, much greater capability to manage the
interactions that you make, because the bank can also interact with you, through
the reader at the keyboard, to authorise significant actions. For instance, adding a new
payee can be validated in addition to the login. I am guessing that the bank
would then be able to regard that action as non-repudiable - i.e. that you could not deny
either that it was you at the keyboard or that you instigated the action.
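To show why validating the action, and not only the login, matters, here is an added example that is not code from the original page or from any bank's actual card/reader protocol. It assumes a card key shared between the chip and the bank (a constructed demo value here), that the user keys both the bank's challenge and the payee's account number into the reader, and that the reader's 8 digit response is an HMAC over both; the bank checks the response against the payee it was actually asked to add. A piece of malware in the browser that swaps the payee after the user has signed, or replays an earlier response, is refused, and the audit trail records what the card signed.

```python
import hashlib
import hmac
import secrets

# Constructed card key for the demo: in practice it is personalised into the chip
# and held by the bank, never by the browser.  Assumption: HMAC-SHA256 over
# "challenge|payee" stands in for the real card/reader protocol, which this page
# does not describe.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def reader_response(card_key: bytes, challenge: str, payee: str) -> str:
    """What the card computes when the user keys the bank's challenge and the payee
    account number into the reader: an 8 digit MAC bound to BOTH values."""
    data = f"{challenge}|{payee}".encode()
    mac = hmac.new(card_key, data, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**8).zfill(8)


class Bank:
    def __init__(self, card_key: bytes):
        self.card_key = card_key
        self.pending = {}    # session -> outstanding challenge (single use)
        self.payees = {}     # session -> approved payees
        self.audit = []      # (session, payee, outcome): the non-repudiation record

    def issue_challenge(self, session: str) -> str:
        challenge = f"{secrets.randbelow(10**8):08d}"
        self.pending[session] = challenge
        return challenge

    def add_payee(self, session: str, payee: str, response: str) -> bool:
        """Approve only if the response was computed over THIS payee with the challenge
        issued to THIS session.  The challenge is consumed whether or not it verifies."""
        challenge = self.pending.pop(session, None)
        if challenge is None:
            self.audit.append((session, payee, "no challenge outstanding"))
            return False
        expected = reader_response(self.card_key, challenge, payee)
        ok = hmac.compare_digest(expected, response)
        self.audit.append((session, payee, "signed by card" if ok else "MAC mismatch"))
        if ok:
            self.payees.setdefault(session, []).append(payee)
        return ok


if __name__ == "__main__":
    bank = Bank(CARD_KEY)
    # Genuine user: keys the challenge and the intended payee into the reader.
    challenge = bank.issue_challenge("session-1")
    response = reader_response(CARD_KEY, challenge, "12345678")
    print("payee added:", bank.add_payee("session-1", "12345678", response))        # True
    # Malware in the browser swaps the payee after the user has signed.
    challenge = bank.issue_challenge("session-1")
    response = reader_response(CARD_KEY, challenge, "12345678")
    print("swapped payee added:", bank.add_payee("session-1", "99999999", response))  # False
    print(bank.audit)
```

The design point is that the reader signs what the user typed, not what the browser displays; a reader that only answered the challenge (without the payee) would prove the card was present but would leave the payee free for the browser to alter, which is exactly the login-only guarantee the text says is not enough.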
Essentially banks have had this approach for decades - these are the cards that
you use at the 'hole in the wall'. The advantage that the banks have there is
that the machine can 'swallow' a card if the PIN is entered wrongly several
times. The web is of course much, much more anonymous and 'remote', but
web sites can still block multiple attempts that fail authentication.
However this block cannot be permanent in the way that 'swallowing' a card is,
because the 'real user' could then suffer a Denial
of Service (DoS) attack by unidentifiable criminals, which
would be a potential opportunity for blackmail (of the bank).
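A lockout that is temporary and capped gives the 'swallow the card' protection without handing criminals a permanent denial of service. The following is an added example, not code from the original page or from any bank: a per-account throttle with an assumed policy of five consecutive failures, a lockout that doubles each time and never exceeds an hour, and a clock that is injected so the behaviour can be shown offline. Attempts made while locked are not counted, so hammering a locked account cannot extend the lockout beyond the cap.

```python
import time


class LoginThrottle:
    """Temporary, escalating lockout per account: stands in for the bank machine
    'swallowing' a card, without ever making the block permanent."""

    def __init__(self, threshold: int = 5, base_lockout: int = 60,
                 max_lockout: int = 3600, now=time.time):
        self.threshold = threshold        # consecutive failures before a lockout (assumed policy)
        self.base_lockout = base_lockout  # seconds for the first lockout (assumed policy)
        self.max_lockout = max_lockout    # ceiling: attackers can delay the real user, not exclude them
        self.now = now                    # clock, injectable so the behaviour can be tested offline
        self._state = {}                  # account -> failures / lockouts / locked_until

    def _state_for(self, account: str) -> dict:
        return self._state.setdefault(
            account, {"failures": 0, "lockouts": 0, "locked_until": 0.0})

    def lockout_remaining(self, account: str) -> float:
        return max(0.0, self._state_for(account)["locked_until"] - self.now())

    def login(self, account: str, credentials_ok: bool) -> str:
        """Returns 'locked', 'bad_password' or 'ok'.  Attempts made while locked are
        not counted, so hammering a locked account cannot extend the lockout."""
        st = self._state_for(account)
        if self.lockout_remaining(account) > 0:
            return "locked"
        if credentials_ok:
            st["failures"] = st["lockouts"] = 0     # a genuine login resets the escalation
            return "ok"
        st["failures"] += 1
        if st["failures"] >= self.threshold:
            st["lockouts"] += 1
            duration = min(self.base_lockout * 2 ** (st["lockouts"] - 1), self.max_lockout)
            st["locked_until"] = self.now() + duration
            st["failures"] = 0                      # next window starts clean
        return "bad_password"


if __name__ == "__main__":
    clock = [0.0]
    throttle = LoginThrottle(now=lambda: clock[0])
    # Unidentifiable attacker guesses at the real user's account every 30 seconds for a day.
    outcomes = {"locked": 0, "bad_password": 0}
    for _ in range(2880):
        outcomes[throttle.login("alice", False)] += 1
        clock[0] += 30
    print("attacker outcomes:", outcomes)
    print("lockout left (s):", throttle.lockout_remaining("alice"))  # never more than 3600
    clock[0] += 3600
    print("real user after waiting:", throttle.login("alice", True))   # ok
```

The cap is the line between the two failure modes the text contrasts: below it the attacker only slows the real user down, whereas a permanent block would let anyone who knows the victim's user name lock them out of their own account at will.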
When such a device is available the need for very high strength
passwords is reduced for that site, but certainly not to a level where
a trivial (or 'shared'!) password would be adequate.
The lack of a punctuation character, or even of upper case letters,
in a password would probably be
acceptable - scores of 50,000 or more in the How strong is YOUR password page, perhaps.
This page © Business before Technology 2006 - see the respective sites of the owners for their copyright as well as terms and conditions
Links and other information last validated on 7th August 2007.
Please use the Contact us page to suggest any additions or revisions.