Every now and then, a press release or pitch crosses my desk touting so-called "strong factor" authentication. It makes me want to roll my eyes, because the US has got to be the only place in the world that knows better than to fall for such a watered-down imposter of true multi-factor authentication, yet gets suckered into using it anyway. To refresh everybody's memory (or to introduce the idea to people seeing this terminology for the first time), multi-factor authentication is the sort of security where you don't get what you're after until you've demonstrated at least two, if not three, of the following:
- What you know -- like a user ID and password
- What you have -- a physical token of some sort, like an ATM card or a code-generating key fob
- Who you are -- usually established through biometric measures, such as a fingerprint or iris scan
In contrast, strong-factor authentication was a compromise that the banking and security sectors reached with the political community. The politicians wanted stricter controls on online banking. The prescription was clearly multi-factor authentication of the type Europeans are used to. The banking community couldn't fathom the cost or inconvenience of giving Americans what Europeans already have, and (could you imagine?) the security community obligingly came up with solutions that it helped market to the politicians as being just as good. But all these so-called "strong-factor" solutions do is double up on the first factor (what you know), requiring you to know more than just a user ID and password. A second secret is still just a secret: whatever a phisher or keylogger can get out of you once, it can get out of you twice.
Many Europeans who bank online are used to the idea of two-factor security. In addition to a user ID and password, many European banks require the entry of a secret code that only you and the bank know at any given moment in time. The code changes at regular intervals, and it is produced by a token the bank issued to you from a seed that only the token and the bank hold, so what is really being proven is possession of the token (the "what you have" factor), not knowledge of the code. A code that was valid a few minutes ago is no good now, which is why a phished or keylogged one is worth so much less to an attacker: it has to be replayed inside that window or not at all. RSA (a subsidiary of EMC) is one of the vendors that makes this form of multi-factor authentication possible with its SecurID solution.
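To make "a code that changes at regular intervals" concrete, here is an added example (my own illustration, not RSA's code; SecurID uses its own proprietary token algorithm) of the standardized equivalent, RFC 6238 TOTP. The token and the bank share a seed, both derive a six-digit code from the current 30-second time step, and the bank-side verifier tolerates one step of clock drift while refusing replays. The seed is the constructed one from the RFC's own test vectors, and the TotpVerifier class with its skew window and replay counter is my assumption about how a bank would check the code.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo seed (the ASCII key used by the RFC 6238 test vectors); a
# real token has a unique random seed that only the token and the bank hold.
DEMO_SEED = b"12345678901234567890"
TIME_STEP = 30   # seconds each code stays current
DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: float, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(seed, int(unix_time) // step, digits)


class TotpVerifier:
    """Bank-side check (my assumption of the server logic). Tolerates `skew` steps
    of clock drift either way and refuses any counter at or below the last one it
    accepted, so a code that was phished or keylogged cannot be replayed once it
    has been used or once a newer code has been accepted."""

    def __init__(self, seed: bytes, step: int = TIME_STEP, skew: int = 1):
        self.seed = seed
        self.step = step
        self.skew = skew
        self.last_accepted = -1

    def verify(self, code: str, unix_time: float) -> bool:
        if not (code.isascii() and code.isdigit() and len(code) == DIGITS):
            return False
        now = int(unix_time) // self.step
        for counter in range(now - self.skew, now + self.skew + 1):
            if counter <= self.last_accepted:
                continue  # already used, or older than a code already used
            # constant-time compare so the server does not leak how many digits matched
            if hmac.compare_digest(hotp(self.seed, counter), code):
                self.last_accepted = counter
                return True
        return False


if __name__ == "__main__":
    now = time.time()
    code = totp(DEMO_SEED, now)
    bank = TotpVerifier(DEMO_SEED)
    print("token shows", code,
          "first use accepted:", bank.verify(code, now),
          "replay accepted:", bank.verify(code, now))
```

Two design points worth noticing: the verifier compares against a small window of counters rather than demanding an exact clock match, because a token's crystal drifts; and it remembers the highest counter it has accepted, because without that a code stays reusable for the whole window, which is precisely the interval a real-time phisher would exploit.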
Whereas some form of multi-factor security stands between many of my European friends and online access to their bank accounts, I don't have a single friend in the US who faces the same barrier to entry. That will change the moment we have some major online banking authentication catastrophe in the US. But in the meantime, my sense has been that Americans can't be bothered with such inconveniences. Early last year, I wrote about how this culture of convenience will eventually come home to roost in a post headlined Why Americans are technology, political, and educational laggards and how it will doom them.
Today, I found some more insight into how Europeans ended up with two-factor security and we in the US ended up with the toothless de facto standard we have. From eWeek comes a Q&A with the Burton Group's Mark Diodati on the definition of multi-factor authentication. In it, Diodati says the following:
- In Europe the institutional and cultural context is different. Banks were able to issue smart cards [credit cards with embedded computer chips] or other devices to consumers and require their use for the authentication of transactions. One reason there may have been more tolerance for this in Europe is that retail shops there didn't always have access to cheap data lines for online verification of credit card transactions the way they did in the U.S.
- Responding to the question of whether we'll ever adopt multifactor authentication here in the US: "Probably not... the name of the game for online banking and online retail sites in the U.S. will be to do authentication without issuing hardware or software to the consumer."
In the Q&A, Diodati finds merit in "solutions that mimic the benefits of multifactor without the constraints" and mentions password hardening as one of them. One password-hardening technique he discusses is the approach taken by BioPassword, which compares the keystroke dwell (how long each key is held down while typing the user ID and/or password) at login time against the dwell pattern registered with the system in question, much the same way real biometric systems must do a one-time enrollment of fingerprints or irises. Note that this still rides on top of the password rather than adding an independent factor: the rhythm is measured on the user's own machine, so whatever can capture or replay keystrokes there can capture or replay the timing too.
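As an added illustration of what such a keystroke-dwell check does (my own simplified sketch, not BioPassword's algorithm, whose details the Q&A does not give): enrollment records how long each key is held while the secret is typed a few times, a profile of the mean and spread per keystroke is stored, and at login the fraction of keystrokes falling inside a tolerance window is compared against a threshold. The dwell times, the two-sigma window and the 80% threshold are constructed numbers for the example.

```python
from statistics import mean, pstdev
from typing import List, Sequence, Tuple

# Constructed enrollment data: five typings of the same 8-character secret by the
# legitimate user, each entry the key-down-to-key-up time in milliseconds for one
# character. Hypothetical numbers, not from any real product or study.
ENROLLMENT = [
    [95, 88, 110, 72, 130, 90, 85, 140],
    [101, 84, 115, 70, 125, 94, 80, 135],
    [98, 90, 108, 75, 128, 88, 87, 145],
    [93, 86, 112, 69, 134, 92, 83, 138],
    [99, 89, 106, 73, 131, 91, 86, 142],
]
GENUINE_LOGIN = [97, 87, 109, 71, 129, 93, 84, 139]
# Someone who stole the password but types it slowly and evenly (constructed).
IMPOSTOR_LOGIN = [140, 130, 160, 120, 180, 150, 130, 200]

Profile = List[Tuple[float, float]]   # (mean dwell, std dev) per keystroke position


def build_profile(samples: Sequence[Sequence[float]], min_sigma: float = 8.0) -> Profile:
    """One-time enrollment: per-position mean and spread of dwell times. The spread
    is floored at min_sigma so an unusually consistent enrollment does not produce
    a window so tight that the genuine user fails on ordinary day-to-day variation."""
    n = len(samples[0])
    if any(len(s) != n for s in samples):
        raise ValueError("all enrollment samples must have the same length")
    profile = []
    for i in range(n):
        column = [s[i] for s in samples]
        profile.append((mean(column), max(pstdev(column), min_sigma)))
    return profile


def dwell_score(profile: Profile, attempt: Sequence[float], k: float = 2.0) -> float:
    """Fraction of keystrokes in this login whose dwell lies within k standard
    deviations of the enrolled mean for that position. A length mismatch (the
    secret was not typed character for character) scores zero."""
    if len(attempt) != len(profile):
        return 0.0
    hits = sum(1 for (mu, sigma), d in zip(profile, attempt) if abs(d - mu) <= k * sigma)
    return hits / len(profile)


def passes_dwell_check(profile: Profile, attempt: Sequence[float], threshold: float = 0.8) -> bool:
    """Accept the login only if enough of the rhythm matches. Raising the threshold
    cuts false accepts at the cost of more false rejects of the genuine user."""
    return dwell_score(profile, attempt) >= threshold


if __name__ == "__main__":
    profile = build_profile(ENROLLMENT)
    for label, attempt in (("genuine", GENUINE_LOGIN), ("impostor", IMPOSTOR_LOGIN)):
        print(label, round(dwell_score(profile, attempt), 2), passes_dwell_check(profile, attempt))
```

The threshold is the whole game here: it is a statistical decision, not a yes-or-no proof, so a real deployment tunes it against measured false-accept and false-reject rates. And because the timings arrive from the client, a keylogger that records timestamps, or malware driving the browser, can reproduce the rhythm; the check raises the bar against a bare stolen password, not against a compromised endpoint.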
Personally, I'd prefer real two-factor authentication, and I'd even be willing to pay extra for it. But we're a culture of convenience, and that option from my bank probably won't happen any time soon.