Jean-Louis Seguineau wrote:
antecipate: Simple factor is better than two-factor authentication
password authentication is inefficient because passwords are available all over the corporate and extra corporate spaces
I have to strongly disagree with this statement. The article you reference aside, two-factor authentication can be simple. But I propose that it’s even more important in our homes than it is in the corporate space (where I do in fact use two-factor authentication to VPN into the office). Why? Identity theft. You won’t change humans, you are right, but this means the passwords that humans use won’t get any better. But if biometrics were commonplace, it would literally be impossible to sniff someone’s password and get into their online banking.
Security is too often made too hard, but rather than give up, we should challenge ourselves to make better security solutions.

That’s complete bollocks. Biometrics are no safer from sniffing than a good ole password. They’re actually less safe since you can’t exactly change your fingerprint, DNA, or iris pattern. The only place biometrics are safe is on something like Eutron’s BioToken in which your fingerprint is used to unlock a private key on a crypto token.
Two factor authentication still is not the silver bullet for identity theft. What if you sniffed your password and then stole your second factor? I’m still in.
Something like a BioToken, where you enter your pass-phrase on a trusted device dedicated to encryption, is the most secure method available.
Hal,
This kind of disagreement is what makes life enjoyable.
In essence, I was not at all implying that password-based authentication is flawed or insecure in itself. I was just saying that it is not human-friendly. Because of this, in many cases, especially in the enterprise, passwords are either easily guessable, or written down for remembering them.
A password is only as strong as it is known to a single person, right? It gives me the proper protection when used in my own controlled environment. In the enterprise, you will find that a large number of help tickets are linked to passwords (lost, forgotten, etc).
My point was to “humanize” the authentication process rather than forcing humans to memorize “machine”-friendly passwords, which the majority of humans can’t do.
As I pointed out, an authentication based on graphics presented to be recognised by humans would provide a better level of protection than today’s passwords in the HUMAN/MACHINE relation. It would be very difficult for a machine to analyse a complex mosaic of images and decide which one relates to the user. Passwords can still be used between machines, no problem.
Before trying to layer another factor of authentication, we would be better off understanding why password authentication only caters for 20% of the cases of safe authentication.
All the points you mention are relevant and I agree with many of them, certainly with the threats.
But my point is beyond the technology into the usability.
Jean-Louis