Is multi-factor authentication the solution for identity theft?

Summary: How many sites and services can you log in to using your Facebook or Twitter account? What if, instead, we used a secure method of login? Would our identities be more secure? Yes, they would.


The need for identity theft prevention is obvious. Every day, I receive spam messages that phish for passwords, try to get me to log in to a fake bank site, or send me to a fake PayPal page so that I reveal my password. It's really annoying. There's nothing more that I would like to do than to chase these people down and put them in jail. What would happen between capture and delivery to jail is almost unspeakable. I wouldn't be nice. The pain, suffering, loss, and damage that these criminals cause is so great that we have to do something to stop it. Multi-factor authentication is the answer.

I deleted my Facebook account due to privacy concerns. I don't like the fact that I have to worry about someone stealing my identity from some cheesy website. I don't like feeling paranoid when I go to a bookstore and want to connect to their WiFi. And I really don't like knowing that somewhere, someone spends their days trying to empty my bank account. These things really annoy me. They annoy me to the point of asking some authority to take action against them directly and indirectly.

Indirectly, we can use multi-factor authentication for password-protected websites and services. It's necessary. It's no longer an option not to have this capability. We don't balk at using SSH to connect to a remote system or at using HTTPS to connect to a website. Why then should we hesitate in protecting everything with multi-factor authentication?

We shouldn't.

I wouldn't mind carrying around an RSA SecurID key fob on my key chain to ensure my privacy when I log in to a website, make a purchase at a store, or connect to free WiFi.

You shouldn't mind either.

I don't want one for each site either. I want a single device to carry around that is a universal ID for me. And technology needs to catch up with criminal activity so that if your key fob is lost or stolen, the device can be disabled remotely, much like the remote wipe for a lost or stolen phone, tablet, or laptop, because secure tokens aren't perfect either.

The device should have a locator service too, like your cell phone and tablet do.

Identity theft criminals need to find legitimate jobs.

I don't take any kind of criminal activity lightly but cyber criminals are an especially dirty lot. Wouldn't their time be better spent in the light of day, on a real job, being productive, worthy, and happy? Some will counter with, "It's an economic problem." I'm not buying that. In my humble opinion, if these people weren't involved in a cyber scam, they'd be involved in some other criminal activity and it has nothing to do with economy.

It has to do with trying to get someone else to fund your extreme lifestyle without working a legitimate job. It's selfish and criminal behavior.

Multi-factor authentication will stop a lot of the identity theft that starts with a stolen or phished password, because the password alone no longer gets the attacker in.

There are other ways to add a second factor besides the one-time passwords generated by a hardware key fob: an authenticator app on a phone produces the same kind of time-based codes, and biometric schemes add something you are.

Two things often listed alongside them deserve a caveat. "Random multiple question" authentication (security questions) is still something you know, so it does not add a second factor, only a second password that is usually easier to research than the first. Services such as OpenID are federated login rather than a second factor: they let one identity sign you in to many sites, which reduces the number of passwords you keep and the number of places they can be stolen from, but the security of every site then rests on how well that one identity is protected, so it is the account that most needs multi-factor authentication.

I also think that sites and services should deny access after three bad passwords or authentication attempts. This blocks online dictionary and brute force attacks against a login screen, since the attacker gets a handful of guesses per account instead of millions. (It does nothing against an offline attack on a stolen password database; that is a separate reason to store passwords with a slow, salted hash.) A lockout also has to be designed with care: if three wrong guesses lock an account permanently, an attacker can lock you out of your own account simply by guessing wrong, so the safer form is a lockout window that grows with each further failure, combined with a notification to the account holder. Password complexity can also be enforced.
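The following is an added example of the lockout just described, not code from the article or from any site it names. It checks a password against a salted PBKDF2 hash, locks the account after three consecutive failures, doubles the lockout for each further failure instead of locking forever, and calls a notification hook so the account holder hears about it. `LoginGuard`, `Account` and the in-memory dictionary standing in for a user database are hypothetical names of mine; the `now` argument exists so the timing can be exercised without waiting.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Dict

PBKDF2_ROUNDS = 100_000  # slow, salted hash so a stolen database is still expensive to crack


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0          # consecutive failed attempts since the last success
    locked_until: float = 0.0  # Unix time at which the current lockout expires


class LoginGuard:
    """Hypothetical login front end: password check with escalating lockout and notification."""

    MAX_FAILURES = 3  # the threshold the article proposes
    BASE_LOCK = 60.0  # seconds; doubles for each further failure past the threshold

    def __init__(self, notify: Callable[[str, str], None]):
        self.accounts: Dict[str, Account] = {}  # constructed in-memory store
        self.notify = notify                    # e.g. send an e-mail to the account holder

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(salt, hash_password(password, salt))

    def login(self, username: str, password: str, now: float) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        acct = self.accounts.get(username)
        if acct is None:
            # Do the same slow work for unknown users so response time does not
            # reveal which usernames exist.
            hash_password(password, b"\x00" * 16)
            return "denied"
        if now < acct.locked_until:
            # The guess is not evaluated at all while locked, so an attacker learns
            # nothing during the window, and the real owner is told to wait too.
            return "locked"
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            if acct.failures:
                self.notify(username, f"login succeeded after {acct.failures} failed attempt(s)")
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= self.MAX_FAILURES:
            # Escalating rather than permanent: a permanent lock would let an attacker
            # deny the real owner access simply by guessing wrong three times.
            extra = acct.failures - self.MAX_FAILURES
            duration = self.BASE_LOCK * (2 ** extra)
            acct.locked_until = now + duration
            self.notify(username, f"{acct.failures} failed logins; locked for {duration:.0f}s")
            return "locked"
        return "denied"
```

The notification on every lock, and again on the first success after failures, is what turns a lockout from a silent inconvenience into a signal: an account holder who did not make those attempts knows to change the password and look at the rest of their accounts.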

The problem with passwords is that the simple ones can be guessed, attacked with wordlists, or brute-forced. Complexity rules help some, but they also cause people to write passwords down or fall back to something simple and predictable. Even worse, the same password gets reused on every site, so one breached site exposes all of them. These weaknesses make multi-factor authentication a 'must.'

In fact, I'm drawing a line in the sand today. I'll give the sites I use one year from July 1, 2013 to implement multi-factor authentication or I'll stop using the site or service. Sites such as Twitter, Facebook, other social networking sites, banks, PayPal, eBay, Gmail, etc. all need to set up some sort of secure login in the form of multi-factor authentication.

It's really no longer an option not to have it.

How many identities, credit card numbers, and passwords have to be compromised before we take action?

One year.

Set up some way to identify me as me or I'll stop using the site. If we all take this stand, we'll be taking a stand for a safer Internet and a stronger stance against cybercriminals.

Multi-factor authentication will decrease the number of identity thefts. There's no perfect way to thwart criminals because they spend their time trying not to make an honest living. You have to spend yours making sure that they receive diminishing returns for their efforts.

What do you think the solution is for identity theft? Do you have a better idea than multi-factor authentication? Talk back and let me know.

Topics: Security, Mobility, Privacy, Tech Industry


Kenneth 'Ken' Hess is a full-time Windows and Linux system administrator with 20 years of experience with Mac, Linux, UNIX, and Windows systems in large multi-data center environments.



  • Good luck with that!

    A lot more people will need to be hacked and have lost money & identities before things will improve.

    You are talking about large entities at war with each other reaching an agreement for a protocol. These same entities pander by necessity to users, and users want things simple because they have short attention spans or are time poor.
  • I'd much prefer it be an app, though . . .

    "I wouldn't mind carrying around a RSA SecurID key fob on my key chain to ensure my privacy when I login to a website, make a purchase at a store, or connect to free WiFi."

    I'd much prefer it be an app on my cell phone, though: One thing I *don't* want is 100 key fobs on my key chain. This also addresses the issue of the key fob being stolen (most cell phones have remote wipe and automatic wipe after too many attempts).

    Google already has such an app, as does Blizzard Entertainment. LastPass can use Google's app.

    "I also think that sites and services should deny access after three bad passwords or authentication attempts."

    Agreed. They *should* already have in place anti-brute-force measures. If not, they need to implement them.

    "I'll give the sites I use one year from July 1, 2013 to implement multi-factor authentication or I'll stop using the site or service."

    It will be interesting to see if enough sites successfully pull that off so you can realistically carry out your ultimatum. You have to do your banking *somewhere*.

    Although to be honest, I don't think they care about you personally. If they do it, it will be because their customers demanded it, or because it was already planned - not because Ken Hess demanded it.

    And oh, by the way - gmail already has multi-factor authentication. I'm using it.

    I do think that multi-factor is the future. It's already starting to catch on, and I can only see it growing from here.
    • Bad idea...

      Seeing as most people now use their smartphones for accessing these services, using the smartphone to receive SMS or using the Authenticator apps to generate tokens is a silly idea.

      If you log onto Google services on the smartphone, for example, Google will send the SMS to that device! That means that if somebody steals your smartphone, even if you have 2 factor turned on, the second factor is on that device, so they can simply log on to all the services.

      On the other hand, the other week my smartphone died and Google decided that was the day to re-authenticate most of my devices. I couldn't log onto Google from my tablet, another smartphone (different phone number and different sized SIM card) or my iMac. Luckily, I eventually found that my laptop in the cellar was still authenticated and I could log in and disable 2 factor authentication.

      One good thing, but also a bad thing, I didn't need to re-authenticate myself with 2 factor in order to disable 2 factor authentication. That is good if the method of 2 factor is dead, but bad in that anybody can turn off 2 factor authentication if they can get hold of my password and a currently authenticated device.

      Once the smartphone was replaced, I turned 2 factor back on, but I used the Authenticator app this time and I set it up on 2 smartphones, so that if my main one dies, I can still use the other one!
      • Not so fast...

        Smart phone users reach for their phones 150 times a day, on average (Mary Meeker's 2013 Internet trends report). How realistic is a scenario where someone steals your phone and has the time to break into any of your accounts before you notice your phone is gone?
        Mark van Dalsen
        • Not all

          Mine sits on my desk all day at work, until I pick it up to go home, then it sits on the worktop until I go to work again... It only really gets used in the car and when I walk the dog for podcasts and Audible.
          • It only really gets used in the car ...

            I hope you don't use your phone while driving - it's dangerous and illegal in some countries such as the UK.
      • @wright_is

        Agreed. SMS is a lousy auth method. Not sure why people think that it's a good thing.
        • Let's count factors ...

          In the end it is simply a matter of counting factors that you use to get access to whatever service. Let's consider someone who wants to access my facebook account.

          Access to my facebook from my SmartPhone or my own PC:
          1) Something I have?
          YES, my smartphone or PC
          2) Something I know?
          Yes, I need to unlock my smartphone/PC with my PINcode/password
          hence, no need for an extra SMS, it's already 2FA

          Access to facebook from a "public" PC
          1) Something I know?
          Yes, password to my facebook account
          2) Something I have?
          Currently not needed. Getting an SMS text-message on my smartphone could be that 2nd factor
  • Umm, it's a bad idea, but you still use it?

    (reply split due to spam filter)

    "Bad idea... "

    "Once the smartphone was replaced, I turned 2 factor back on, but I used the Authenticator app this time . . ."

    Umm, it's a bad idea, but you still use it? Care to explain?
    • reply part 2

      "That means that if somebody steals your smartphone, even if you have 2 factor turned on, the second factor is on that device, so they can simply log on to all the services."

      That would require bypassing the security of the device. I suppose it's a risk, but one that can be mitigated (use a strong password on the phone), and may be considered an acceptable risk by most people.

      "On the other hand, the other week my smartphone died and Google decided that was the day to re-authenticate most of my devices."

      I lost my keys not too long ago - if I had an authenticator fob on them, I would've been stuck in the same situation. No matter where you put it, it's a risk.

      There's actually a feature that allows you to mitigate that risk - Google allows you to print out a series of backup codes that you can place in your wallet. And in case you lose your wallet, you can invalidate those codes as well. And you *can* have a phone set up as a backup as well.

      Or, in your case, you simply set up two phones :).
    • reply part 3

      And Google does have options for account recovery you can set up ahead of time as well, in case the worst happens.

      So it's not as if there are no options, especially in the case of Google. The way Google has done it is actually very nice.

      "but bad in that anybody can turn off 2 factor authentication if they can get hold of my password and a currently authenticated device."

      Well, an online hacker generally doesn't have your physical device, and a thief generally doesn't have your password. Having *both* of those is something that is hopefully very, very rare.

      Which is really what two factor authentication is all about: You need a physical device (the first factor), and you need something you memorized (the second factor). Having both is rare, so it's considered stronger than a single factor.

      It's not perfect (nothing is), but it's a big step up from having to use just a password.
    • It is a risk..

      but better than nothing. I was just pointing out why 2 factor using a smartphone is not the best of ideas. You need a "something" that isn't itself used for connecting to the service in question.

      I.e. it is dumb to send a code to the device that is trying to authenticate itself.
  • Quick answer…no.

    Since most identity theft in the USA is still committed by means other than electronic, the short answer is no. By identity theft, I mean reported ID theft crimes. The crooks still acquire most of the information that they actually use by internet-based methods.
  • phishing.

    Why can't someone come up with a fishing site for phishing sites. Some way to target them and catch them in the act.
  • Sites having two-factor authentication...

    Um, Mr. Hess, did I miss something here? Perfect or not, both Facebook and Gmail have had two-factor authentication for over a year. I've been using it.
  • Another gadget to lose

    There is always a trade-off between convenience and security. You can put iron bars in front of all windows and install a combination lock in addition to the normal key lock on the doors. The first time you come home at night and have to fiddle with two locks, it is highly likely that one of them will be disabled. People need to be educated about NOT clicking on every link in an email or a website. My bank uses a system I think is pretty secure, without me having to carry around or worry about losing another gadget. When I first signed up, I had to choose a specific small image from a number of choices presented and also enter several phrases. Now when I sign into my bank account, I first have to put in my username, whereupon the bank erases the screen and displays that chosen image and one of the phrases, along with a warning not to enter my password unless both of those are correct. That should thwart phishers, since they wouldn't know what image and phrase to send. The bank also checks my IP and the device. If either of those has changed, a number of random phrases are displayed, but among them one of my other chosen phrases. I then have to click the correct one to start the normal logon process. There are ways to have relatively good security without forcing people to carry and possibly lose some sort of digital key.
  • It will be better.

    I just hope that these sites have options other than a smartphone as I don't have one. My cell phone is only a simple cell for phone calls and simple texts. Nothing more. Most of the time my cell is at home.

    What annoys me is when a site forces you to use a convoluted password when the site isn't a security concern like Gearbox's Customer Support Site. I also don't like sites that won't let you pick a secure user name. My bank's website uses my Social Security Number as my user name and you can't change that. When Medicare gives people their Medicare Card, they use the person's Social as the member ID so if someone steals your wallet, they get your SSN.

    I was watching an episode of Mythbusters and it shows how insecure some biometric locks are. They had a fingerprint door lock that was supposed to be very secure, yet they were able to use a photocopy of a fingerprint to open the lock, yet the cheap fingerprint lock for the computer was more secure and wouldn't accept the photocopy. Even those retina eye scanners aren't very good as some prescription meds can change enough of your eye so the eye scanner won't work.

    Let's face it, if someone wants your ID, they will get it no matter what you do. Sure, you can try to make it as hard as possible, but they will get it. In some ways, security is only an illusion like those stupid steering wheel locks that do nothing.

    I think that certain public things, like ATMs should use multipoint authentication if you want to withdraw money. One of the banks I used allowed you to use a longer pin number but it wouldn't work in ATMs that had a 4 character limit.

    I like how Steam uses a two point authentication if you try to log into a Steam account on an unauthenticated device by sending you a code via email.

    It will be a never ending battle.
  • Incomplete

    "I also think that sites and services should deny access after three bad passwords or authentication attempts."

    Undoubtedly, this should be the case... Author fails to mention - with email notification to the accountholder, that these login attempts have taken place.
  • There is only one way to eliminate criminal behavior

    If you really want to eliminate criminal behavior, you eliminate the criminal.

    Yes, you track him down and kill him. There are billions of people on the planet and these vermin won't be missed.
  • No method is perfect.

    A password is basically something you KNOW, a key fob or similar device is something you HAVE (and for password recovery, so is a smartphone), and a biometric is something you ARE. As has been pointed out, ANY of these can either be compromised allowing illegal access, or malfunction to prevent LEGAL access.

    If I am logging into the recovery site on my computer to report my smartphone was lost, and they send me a text message to reset my password, guess who gets the message? Either a thief, a finder, or nobody. So I can't report it lost because I do not have it with me!

    Fingerprints can be faked by photocopying (actually, on Mythbusters the photocopy had to be enlarged, manually enhanced, then reduced again), ID tags of any kind can be stolen, and in the case of the MOST brutal criminals, fingers can be amputated and eyes can be gouged out (see "Angels and Demons" by Dan Brown). Fingers can be burned, making the ridges disappear until the burn has healed. Eyes can be bloodshot or temporarily altered by injuries.

    Even voices can become hoarse with colds or laryngitis; one might think that a user could record a few hundred words when registering, and a system might display one of these words at random and ask the user to repeat that word. Would the correct voice be recognized under stress or with a sore throat? Could a thief surreptitiously record a voice, analyze a profile, then program a speech synthesizer to pronounce any given word with that same voice, closely enough to beat a voiceprint app? I do not know, and I have not read any stories about such technology.

    The best thing I can think of if you MUST use a fingerprint reader is NOT to register a single finger in the standard tip-on-top position; register the junction of two fingers on opposite hands, each read as a partial print, and do not reveal the fingers or the position (for example only: left index finger to the left of a 45 degree line, pointing down, right ring finger to the right of that line, pointing up, both squished together in a non-obvious way). A larger-screen fingerprint reader would allow even more variety.

    Perhaps an infrared-sensitive scanner and a bar code sutured under a flap of skin so that the bar code is not obviously visible as a tattoo? Or a regular bar-code in invisible but magnetic ink? Or analyzing the typing rhythm of one's name (that one would be unusable in case one or both hands are either lost permanently, bandaged, splinted, or just being used for something else such as holding a cell phone -- OK, where is your mind now?).

    Another system I have seen is a secret (and uniquely registered) translation card, combined with a web site that displays a randomly arranged list of number-letter combinations, that must be decoded with the card registered to that user. But again, the legitimate user cannot log in without that card. I hope the technology for improved ID standardizes on something usable soon.