Shostack + Friends Blog Archive


Banks issue 2 factor auth

There’s a story in today’s CNET about banks issuing authentication tokens (like SecurID cards) to customers to address customer authentication issues.

While these are useful, insofar as they will make phishing harder, they won’t stop it. Phishing will transform into an online, at-the-moment crime, which will be easier to catch, but work by Amir Herzberg and Ahmad Gbara, or by Ian Grigg, demonstrates how to solve the problem. (Having the browser remember certificates could also help.) For what banks will spend to ship and support these ID tokens, they could fix the browsers and require upgrades, as they used to for 40-bit SSL.
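An added illustration, not from the original post or from the work it cites: a token code verifies the same no matter which site the customer typed it into, while a browser that remembers certificate fingerprints can flag an unfamiliar or changed site. The `hotp` routine follows RFC 4226; `CertMemory`, the hostnames and the certificate bytes are hypothetical and constructed for the example.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 one-time code; a time-based token uses the time step as counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def bank_accepts(secret: bytes, counter: int, submitted: str) -> bool:
    # The bank sees only the digits. Nothing in the code records which
    # site the customer typed it into, so origin is not part of the check.
    return hmac.compare_digest(hotp(secret, counter), submitted)


class CertMemory:
    """Hypothetical browser-side store: one certificate fingerprint per host."""

    def __init__(self):
        self.seen = {}

    def check(self, host: str, cert_der: bytes) -> str:
        fingerprint = hashlib.sha256(cert_der).hexdigest()
        known = self.seen.get(host)
        if known is None:
            # First contact: remember it, and let the caller warn the user
            # before any credential or token code is entered.
            self.seen[host] = fingerprint
            return "never-seen"
        return "match" if hmac.compare_digest(known, fingerprint) else "changed"


def demo() -> dict:
    secret = b"12345678901234567890"  # RFC 4226 test secret, not a real key
    code = hotp(secret, 1)
    memory = CertMemory()
    memory.check("bank.example", b"constructed-cert-A")  # customer's first visit
    return {
        "code_accepted": bank_accepts(secret, 1, code),
        "same_site": memory.check("bank.example", b"constructed-cert-A"),
        "lookalike": memory.check("bank-login.example", b"constructed-cert-B"),
        "swapped_cert": memory.check("bank.example", b"constructed-cert-B"),
    }


if __name__ == "__main__":
    print(demo())
```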

If you’re going to use a token, it’s worth considering something like the WikID ones, which are mobile-phone based.

Oh, wait, I’m repeating myself. Dang.

One comment on "Banks issue 2 factor auth"

  • Nyms sighted in authentication software

    The use of the nym is seeing a little bit of a revival, driven by the onslaught of chat as the future means of communication for anyone under 30. Over on Adam’s more prolific blog there is word of a…
