Six Clicks: Two factors are better than one

Summary: Time and again we write about security breaches that would have been prevented by two-factor authentication. What are the ways people do this in the real world?

  • Two-factor authentication is neither magic nor fantasy

    There is a lot of two-factor authentication in the real world, even if most of the authentication in our computer lives relies only on a username and password.

    When you see news of a security breach or a list of exposed passwords, odds are that somewhere in the story of how it happened the attack would have been blocked, or at least made much more difficult, if two-factor authentication had been employed.

    At the gates of Disney World, pictured here, you will need to present both your NFC card "ticket" and a fingerprint associated with it. The fingerprint prevents you from passing your ticket on to other people.

    In the pages that follow, we will examine six two-factor authentication methods that are available in the real world, although some are used more than others.

    (Image ZDNet/CBS Interactive Inc.)

  • EMV/Chip and PIN

    EMV (EuroPay/MasterCard/Visa) is the name of a standard for smart payment cards long in effect outside the US, and known in the UK and Ireland as Chip and PIN. Because of mandates by MasterCard and VISA in the US, adoption of EMV should move rapidly in the next few years.

    Even an old-style magswipe ATM card is technically two-factor since you have to have both the card and PIN, but for many reasons this has proven a low barrier to criminals who capture PINs with a camera as they skim the magnetic strip on its way into the device.

    EMV cards have a crypto chip in them so there's no simple way to skim them in order to sell copies. EMV doesn't have much application in mainstream computing authentication, but it will have a big impact on the US and perhaps will generate an appreciation for the benefits of two-factor authentication.

    (Image courtesy

  • Location-based authentication

    One of the techniques discussed in the story is "geofencing," or the use of device location to enable or block authentication. University of Texas/Austin just deployed Toopher using this technique for 24,000 faculty and staff.
    • Interesting, but . . .

      Interesting, but I wouldn't count on location being the primary means of authentication. It's not accurate enough right now to identify an individual (you'd need a location accurate to less than a couple feet, I'd think), and does require the individual to have possession of the device (which can't always be guaranteed - the device could be stolen, or the user could have forgotten to bring the device).

      Perhaps as a third factor, it would work, though.
  • There is an interesting story behind the US and chip/pin

    There is an interesting story behind the US and why we are being slow in adopting chip and pin:

    Basically, it boils down to this:

    The way cards work, at a technical level, was different in the USA and Europe, especially before the year 2000. Apparently, Europe had some sort of batching system that checked cards at the end of the day, whereas in the USA, a credit card reader instantly verifies the card. This was apparently due to telecoms being greedy in Europe.

    So we actually had a more modern and real-time back end long before Europe did, which means we had a lower fraud rate to begin with. Which means there has always been less demand for anti-fraud technologies, because our fraud rate was actually low to begin with.

    Liability in the USA is also different: Card holders aren't liable for fraud (the card issuer is, by law). So even when fraud occurs, it's often only a minor inconvenience to the card holder.

    Also, there are a few issues with bringing out new technology such as chip and PIN:

    * Scale and adoption. Many businesses are reluctant to upgrade their equipment until their equipment actually starts to physically break down. That could be a long time. And there's no doubt that it would be a pretty large scale operation for big businesses.

    * Adoption of new technology. No doubt it's going to be imperfect on the first try. I'd actually expect an increase in fraud during the first year or two while the kinks are being worked out.

    * Apparently there would be a slight re-jiggering of the liability during the transition period. That may hurt adoption a bit.

    So that's why we've been rather slow to adopt. We still need to eventually make the switch, yes, but apparently fraud wasn't quite as bad here to begin with.
    • it's coming

      Because MasterCard and VISA are insisting on it. I can't find it right now but I wrote about a schedule for it many months ago.
  • YubiKey

    You forgot hardware authenticators, either the number generators or the new breed like Yubikey.

    I use Yubikey in combination with my online password safe. It provides a unique OTP when I sign on using a PC based browser. With my smartphone, I hold the Yubikey against the NFC reader and it opens the password safe and asks for my password. Without both password and Yubikey nobody can access the password safe.

    The Yubikey neo also has MiFare built in, so I can use it to access our office entry system.
  • fingerprints that I have

    Sorry, but doesn't a fingerprint belong to the "something you are" rather than the "something you have" category?
    • Nope ... you "have" fingerprints

      You "have" fingerprints until someone decides to take them from you. Depending upon the value of the target, it is a reasonable assumption that fingers could become targets for theft.
      David A. Pimentel