Is multi-factor authentication the solution for identity theft?

How many sites and services can you login to using your Facebook or Twitter account? What if, instead, we used a secure method of login? Would our identities be more secure? Yes, they would.
Written by Ken Hess, Contributor on

The need for identity theft prevention is obvious. Everyday, I receive spam messages that phish for passwords, attempt to have me login to a bank site, or try to get me to login to a fake PayPal site to reveal my password. It's really annoying. There's nothing more that I would like to do than to chase these people down and put them in jail. What would happen between capture and delivery to jail is almost unspeakable. I wouldn't be nice. The pain, suffering, loss, and damage that these criminals cause is so great that we have to do something to stop it. Multi-factor authentication is the answer.

I deleted my Facebook account due to privacy concerns. I don't like the fact that I have to worry about someone stealing my identity from some cheesy website. I don't like feeling paranoid when I go to a bookstore and want to connect to their WiFi. And I really don't like knowing that somewhere, someone spends their days trying to empty my bank account. These things really annoy me. They annoy me to the point of asking some authority to take action against them directly and indirectly.

Indirectly, we can use multi-factor authentication for password-protected websites and services. It's necessary. It's no longer an option not to have this capability. We don't balk at using SSH to connect to a remote system or at using HTTPS to connect to a website. Why then should we hesitate in protecting everything with multi-factor authentication?

We shouldn't.

I wouldn't mind carrying around a RSA SecurID key fob on my key chain to ensure my privacy when I login to a website, make a purchase at a store, or connect to free WiFi.

You shouldn't mind either.

I don't want one for each site either. I want a single device to carry around that is a universal ID for me. And technology needs to catch up with criminal activity so that if your key fob is lost or stolen, the device gets disabled remotely—kind of like a remote wipe for a lost or stolen phone, tablet, or laptop because secure tokens aren't perfect either.

The device should also have a locator service too, like your cell phone and tablet does. 

Identity theft criminals need to find legitimate jobs.

I don't take any kind of criminal activity lightly but cyber criminals are an especially dirty lot. Wouldn't their time be better spent in the light of day, on a real job, being productive, worthy, and happy? Some will counter with, "It's an economic problem." I'm not buying that. In my humble opinion, if these people weren't involved in a cyber scam, they'd be involved in some other criminal activity and it has nothing to do with economy.

It has to do with trying to get someone else to fund your extreme lifestyle without working a legitimate job. It's selfish and criminal behavior.

Multi-factor authentication will stop a lot of identity theft that's associated with stealing passwords.

There are other types of multi-factor authentication that don't involve one-time passwords using a random number key fob device.

There are biometric schemes, random multiple question authentication, and services such as OpenID that allow you to more securely connect to sites and services with less chance of a stolen ID.

I also think that sites and services should deny access after three bad passwords or authentication attempts. This will ensure that criminals can't use dictionary and brute force attacks against a login screen to get your identity. Unless your password is extremely simple, this would discourage such attacks. Password complexity can also be enforced.

The problem with passwords is that the simple ones can be guessed, attacked with dictionaries, or brute force guessed. Complexity helps some but it also causes people to write down passwords or to use something simple. Even worse, the same password can be used on every site. These weaknesses make multi-factor authentication a 'must.'

In fact, I'm drawing  a line in the sand today. I'll give the sites I use one year from July 1, 2013 to implement multi-factor authentication or I'll stop using the site or service. Sites such as Twitter, Facebook, other social networking sites, banks, PayPal, Ebay, Gmail, etc. all need to setup some sort of secure login in the form of multi-factor authentication.

It's really no longer an option not to have it.

How many identities, credit card numbers, and passwords have to be compromised before we take action?

One year.

Setup some way to identify me as me or I'll stop using the site. If we all take this stand, we'll be taking a stand for a safer Internet and a stronger stance against cybercriminals.

Multi-factor authentication will decrease the number of identity thefts. There's no perfect way to thwart criminals because they spend their time trying not to make an honest living. You have to spend yours making sure that they receive diminishing returns for their efforts.

What do you think the solution is for identity theft? Do you have a better idea than multi-factor authentication? Talk back and let me know.

Editorial standards