Steve Riley always makes me think, sometimes so much that it hurts. Thanks, Steve. His latest blog posting is about two-factor authentication, and he’s asking for input on what you (we) want from it.
First, a couple of examples on authentication.
- “I am Bill Gates.” – this is not authentication. It’s identification. The fact that it’s an untrue claim doesn’t prevent it from being identification.
- “I am Bill Gates, this is Steve Ballmer, he’ll vouch for me.” – this is not authentication either.
- “I am Bill Gates, you already know Steve Ballmer, well he’ll vouch for me.” – this is weak authentication.
- “I am Bill Gates, you already know Steve Ballmer well, he’ll vouch for me.” – this is strong authentication.
- “I am Bill Gates – last time we spoke, I told you my favourite colour was red.” – this is authentication with a pre-shared secret.
- “I am Bill Gates – see, I still have the signed business card you gave me.” – this is authentication with a token.
- “I am Bill Gates – watch as I ignore the $1000 bill you left on the couch.” – this is authentication by ability (only a small number of people can afford to ignore free money).
There’s an old saying that goes something like “You can authenticate with something you are (biometrics), something you know (passwords), something you have (SecurID etc), or something you can do (skills measurement).” Or, to put it another way, “something you used to be, something you have forgotten, something you lost, or something you can only do when relaxed in a well-lit room.”
The biggest deal we find with two-factor authentication is that the authentication device will be lost, destroyed, mangled, forgotten, given away as a prize at a sales talk, swallowed, or will simply refuse to operate in the Alaska (or Adis Ababa) office.
So, the second-factor (and if you’re replacing passwords with the factor, it’s not two-factor, it’s still one-factor!) has to be rapidly recoverable, re-deliverable, overridable, revokable (and ideally, unrevokable when they find it in their other trouser pocket), etc. If I lose it, can you get me another one in the five minutes before I give my presentation? [And if you can override it, what's to prevent a hacker from doing the same?] n
Then you have to consider the message you send your staff by giving them security devices. “With these, your account is secure.” This means that they will use those skanky, dirty, disgusting computers in “Fly-By-Nite Internet Cafes Incorporated (Under New Management)”, or the clean ones at the airport that scream “definitely legitimate”, to download salary data on your most-valued executives, to view listings of covert agents in life-threatening deployments, to investigate your proctology results, etc.
What about those of us that wear multiple hats? The consultants, the guys with an extra job? How many tokens are we going to carry around with us? One password per job is already fairly complexificated, but now you want us to remember a password _and_ carry around a half-dozen “key fobs”? Perhaps a SecurID, Smart Card, or similar token should be able to authenticate against multiple servers – servers that don’t trust one another, and will not share keys.
Have I forgotten anything else you expect from a second-factor authentication method?