When passwords are not sufficent to contain the risk - physical 'tokens'

Multi-factor authentication - what you (1) know, (2) have, (3) are or (4) can do

Validating the identity of a person is the goal that passwords (1 in the list above) seeks to achieve but as well as being 'hackable' and at the mercy of users who do not and should not need to understand them - they can be stolen by a wide variety of means. As a result, some businesses, typically banks are adding a second factor to how they ensure that it really is you.

I am going to ignore 'levels 3 and 4' in the list above - the 'who you are' and the 'what you can do' aspects of authenticating a person as they are relatively new and unproven - Biometrics and Turing-style (normally visualisation) techniques. What you physically have can be a powerful addition to a passwords but would obviously never replace them as theft would then be so easy.

Web site owners can issue either:

• Keyfob-sized token-generators
• Palm-sized smart card readers

to individuals which are uniquely synchronised to their web site authentication tools.

In the case of key fobs, pressing a button and keying the 1-off, 6 to 8 digit code displayed upon the device gives a very, very high probability that the user either:

1. physically has the device with them - but note that doesn't guarantee to them that it really is you - hence the need for good passwords OR
2. is an attacker who has compromised the key-fob by finding out it's serial number and initiation string - not trivial but perfectly possible with older devices (eg. Verisign SecurID) with a targetted attack unless precautions have been taken

Smart card reader/writers are now economically viable to be given to (some?) online clients - technically they can authenticate you as well as a (bank ATM) hole in the wall! What they offer (to the bank!) a much, much greater capability to manage the interactions that you make because they can also interact through you at the keyboard such that authorising significant actions. For instance, adding a new payee can be validated in addition to the login. I am guessing that the bank would then be able to regard that as non-repudiatable - i.e. that you cannot deny that it was not just you at the keyboard but that you instigated the action!

Essentially banks have had this approach for decades - they are the cards that you use at the 'hole in the wall'. The advantage that the banks have is that the machines in Banks can 'swallow' a card if multiple passwords (PIN number) fail. The web is of course much, much more anonymous! and 'remote'! but web sites can still block multiple attempts that fail authentication. However this 'block' cannot be permanent as the case of 'swallowing' a card because the 'real user' could then suffer a Denial of Service (DoS) attack by unidentifiable criminals which would be a potential opportunity for blackmail (of the bank).

When such a device is available the need to have very high strength passwords is reduced for that site but certainly not to a level where a trivial (or 'shared'!) password would be adequate. The lack of a punctuation character or even Upper Case letters in a password would probably be acceptable - scores of 50,000 or more in the How strong is YOUR password perhaps.

This page © Business before Technology 2006 - see the respective sites of the owners for their copyright as well as terms and conditions

Links and other information last validated on 7th August 2007. Please use the Contact us page to suggest any additions or revisions. Windows XP Remote Assistance now provides in-work training and assistance, as and when needed to more than a dozen customers

What's Hot

Site Offers: