
features-and-functionality-for-consumer-acceptable

Anton Chuvakin posts a response to this post about the PayPal tokens. These posts point out a number of desired features for a broad-based consumer roll-out of two-factor authentication, such as the hope for a single token that works everywhere, but fail to mention that the token won't stop phishing (one of the commenters does point that out).

For some reason, there is very little understanding of how to fight the phishing problem, even among technologists and technology writers who write about phishing! It is very frustrating to me that no one seems able to match both the desired features for a broad, consumer-based roll-out and the security required to fight phishing. So here you go:

Here is a list of desired features:

  • Users should be able to choose the token form of choice.
  • The token should be able to work across multiple services.
  • The token should be replaceable.
  • Apparently, users don't mind paying for it, if it is less than $5.

The problems with using typical, shared-secret tokens for broad consumer-based applications are:

  • They don't stop phishing; attacks will just become automated.
  • Since you can't securely share a shared secret across multiple servers, some form of federation is required. This is problematic for companies that want to maintain control of their security and user databases and for users who value privacy.
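Both problems above come from the same property of a shared-secret one-time code: the code is a function of the secret and a counter (or time step) only, so every service that verifies it must hold the secret, and nothing in the code records which site the user was actually talking to when the code was produced. The following Python model is an added example, not code from the original post, and the origin-bound variant is a hypothetical construction for contrast (it mixes the connected origin into the MAC, which is the idea behind origin-bound authenticators; the service names, secret and counter are constructed values):

```python
import hashlib
import hmac
import struct
import time

# Constructed example secret: a real token would hold its own, provisioned secret.
SECRET = b"constructed-demo-secret-not-real"
STEP = 30  # seconds per time window, as in TOTP (RFC 6238)


def truncate(mac: bytes, digits: int = 6) -> str:
    """Dynamic truncation as in HOTP (RFC 4226): choose 4 bytes by the low nibble."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def shared_secret_otp(secret: bytes, counter: int) -> str:
    """Plain counter/time OTP: depends on the secret and counter only.
    Nothing in the code says which service it was meant for."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return truncate(mac)


def origin_bound_otp(secret: bytes, counter: int, origin: str) -> str:
    """Hypothetical variant: the origin the client is actually connected to is
    mixed into the MAC, so a code produced for one origin is useless at another."""
    msg = struct.pack(">Q", counter) + origin.encode()
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    return truncate(mac)


class Service:
    """A relying party. Every Service that verifies shared-secret codes must
    hold the same secret: this is the federation problem the post describes."""

    def __init__(self, origin: str, secret: bytes):
        self.origin = origin
        self.secret = secret

    def verify_plain(self, code: str, counter: int) -> bool:
        return hmac.compare_digest(shared_secret_otp(self.secret, counter), code)

    def verify_bound(self, code: str, counter: int) -> bool:
        expected = origin_bound_otp(self.secret, counter, self.origin)
        return hmac.compare_digest(expected, code)


def demo(counter=None) -> dict:
    """Run both models for one time step and report what each service accepts."""
    if counter is None:
        counter = int(time.time()) // STEP
    bank = Service("bank.example", SECRET)
    shop = Service("shop.example", SECRET)  # must also hold SECRET to verify at all
    lookalike = "bank-login.example"        # constructed: where a deceived user actually connects

    # 1. Plain OTP: the code is identical wherever the user types it, so a code
    #    entered at the look-alike is still valid at the bank within the same step,
    #    and any other service holding the secret accepts it too.
    plain = shared_secret_otp(SECRET, counter)
    plain_accepted_at_bank = bank.verify_plain(plain, counter)
    plain_accepted_at_shop = shop.verify_plain(plain, counter)

    # 2. Origin-bound OTP: the client computes the code over the origin it is
    #    connected to. A code produced at the look-alike does not verify at the bank.
    bound_for_bank = origin_bound_otp(SECRET, counter, "bank.example")
    bound_for_lookalike = origin_bound_otp(SECRET, counter, lookalike)
    return {
        "plain_accepted_at_bank": plain_accepted_at_bank,
        "plain_accepted_at_shop": plain_accepted_at_shop,
        "bound_genuine_accepted": bank.verify_bound(bound_for_bank, counter),
        "bound_relayed_accepted": bank.verify_bound(bound_for_lookalike, counter),
    }


if __name__ == "__main__":
    print(demo())
```

The origin-bound variant fixes the phishing weakness only because the client, not the user, decides which origin goes into the MAC; it does nothing for the second problem, since each Service still needs the secret, which is why the post argues that federation or some other design change is unavoidable for a multi-service token.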

So here is my list of the required features and functionality for consumer-based two-factor authentication:

Hmmm, did I miss anything?
