Two-Factor Authentication – Practical Issues

Banks are starting to use two-factor authentication for internet banking, One increasingly-popular method, used for years by people like RSA (they call it SecureID) to protect corporate intranet logins, is to have a small hardware key fob with an LCD screen with digits that change every sixty seconds. For those who’ve never seen them, they are based on a seed value and an algorithm, like a random number generator, which takes the seed and produces a random sequence. When logging in, you need to enter both your password and the current sequence of digits as displayed on an LCD on the device; the server also knows the seed and computes the correct value in the sequence to check against the one you submitted.

The obvious problem this is going to lead to is that people with several of these logins are going to have to carry several key fobs. With each one needing to be big enough to fit an 8 or 10-digit LCD screen on, that’s going to get bulky very quickly.

So, why don’t the banks get together and figure out a simple open standard, whereby you could make a widget with a screen into which you could plug five or ten tiny, half-matchstick-sized “pins”, one for each account? These would be like tiny SIM cards, and would contain the sequence-generation seed which matched the one on the bank’s servers. The widget would let you select which pin’s sequence to display, when you were logging in to that particular service. So your five or ten login widgets would collapse into one.

16 thoughts on “Two-Factor Authentication – Practical Issues

  1. I don’t like the whole two-factor authentication idea. I picked a secure password. If other people’s passwords are too easy to guess, that’s their fault. Don’t make it more complicated for me.

  2. there is an advantage to multiple keys.

    Problem I’ve seen is that they fail for various reasons:
    1. Batteries
    2. Expire (yes, they have an end date)
    3. Damage (crushed, bent, left in hot car, got wet)
    4. Lost (left at home, office, on the train, etc).

    These things are used in the workplace quite a bit. And the above seriously must cost business big bucks. Lots of employees every day suffer from 1-4, and can’t get their email or use their computer for part or all of a day. It’s pretty pathetic when you get to work, and realize you can’t use your computer until you travel all the way back home, because you forgot your SecureID. Or realize that it didn’t tolerate the abuse a keychain suffers to well (they are somewhat rugged, but suffer from an iPod Nano like issue where they can stand a beating, then die for no good reason).

    IMHO the answer is somewhere along the lines of biometrics. IBM already has fingerprint scanners. IMHO a cheap/effective eye scanner may be the way to go. Mount it above the display (similar to the camera on the new iMacs), and let users authenticate that way. Thankfully, your eyes don’t fail nearly as often as these things do.

    And don’t forget, if all banks roll out these cards, they are going to get cheaper and cheaper to save some cash (remember a bank is a business, in the industry to make a profit). And those cost savings are going to cause cheaper hardware that’s more likely to fail.

    IMHO reliability is an issue. I don’t want to be unable to withdraw cash because my SecureID broke, and the bank isn’t open until Monday 9:00 AM. If it’s Friday evening… I need cash.

    There’s to much liability in unreliable technology.

  3. In Belgium, the banks are planning to use the electronic id-card of the governement, which is used to be placed in a reader that everyone is supposed to have (USB-based, drivers are open source). So you need to plug in your id-card whenever you want to prove tyour identity online, just like you have to do it in real life (id-cards are mandatory here).

    The advantage would be that every one will have this card, and that it will be used for almost everything, from government-websites, over banks, to MSN-chat boxes for kids.

    The disadvantage is that the id-card could be stolen, and it’s only a SIM-card, nothing fancy with LCD-displays and every-changing random numbers. There will be a PIN number that will be used to unlock the card, but that has to same problems as regular bank cards (people using easy PIN numbers, etc …).

  4. Why bother with a fob at all? Why not use your telephone number as something unique to you, have the system call you back on your mobile and enter a pin via the keyboard. Your mobile can easily be stolen but no harder to take than a fob and if it has to be confirmed with a pin then it’s more secure – something you have, something you know, since you’re on the phone anyhow then you could even mix in a little voice recognition and you’ve got the trinity.

  5. Roger, one of the main reasons for security breaches which brought this on was keylogging. Of course, the place to fix the problem for that is of course IE…

  6. Well, I think smartcards/tokens are the way to go. OTP is suitable for quick login from public places but not for everyday usage. Also, smartcards integrate nicely into existing PKI so no or little setup is needed…

  7. The reason we’d rather … er … not have the banks standardise on SecureId or any similar tokens is because that battle is already lost. Click on the link. The tokens only deal with today’s attacks, and were only ever a stopgap measure for undedicated attackers. Meanwhile the phishers are ramping up to tomorrow’s attacks. Given that phishers can migrate their model within the month, banks can rollout a new security system in a year, and standards committees can bury themselves in a decade, time-based tokens are something it would be best not to standardise. IMO!


  8. Howdy Gerv,

    Sorry, but I don’t think that works – the major advantage to the key fob is that it cannot be duplicated; in your scheme it is designed that a trivial SIM reader could garner this super-secure seed. Woops.

    – Your “Fob” could supply – an accurate time, the screen and battery power.
    – However, your “SIM cards” needs to include processing (taking the input time and generating the secure number) and self-destruction.

    I’m not sure how small these “SIM cards” could be shrunk.

    It seems likely that your phone already offers all the abilities of your “Fob”, so could be an interesting starting point. But I quite like the idea of using the mobile phone in different authentication ways, as Mr Nixey suggested.

  9. Alan: I was anticipating doing the processing in the “pin”, just as current security tokens do. sorry if that wasn’t clear.

  10. I know that the article mentioned a bank in Sweden using one-time codes. Fortunately, that’s not mine. One bank has a device like a small calculator where you have to enter your personal PIN code to unlock it, and then enter a code from the banking website to decode it. This process is to used to access the banking site, and to process certain transactions. The other uses a little SIM-card chip on your card, and a keychain decoder, though that’s only for signing certain transactions. (You have a different PIN code to access the banking site). While I like the first device better than the second, there is a problem with these devices: it locks out most disabled people from using the online site. I have to pay the bills since my wife is totally blind.

  11. I always wonder how POP is going to be handled in a 2 factor world. Right now Thunderbird polls for my new messages every 10 min, because it stores my password. Am I going to have to enter in a new token for every email fetch?!

  12. To me, the end all solution to the excess fob (or SecurID) issue would be a standard XML Schema to describe a matrix of passcodes and their validity time frame (VTF). Then the consumer can decide what kind of device they would like to carry for accessing this information. They could decide how many accounts should share a single passcode matrix, how long the passcode is, and how long the VTF is.

    The open market would allow for an unlimited number of software based and hardware widget based management solutions. I know people that carry more than 5 fobs or rfid devices. Since their use is continuing to grow. I think a single Rolex that could replace upto, say 20 of these, would be very popular.