How much is that 2FA token going to cost you?
securenvoy, 10/03/2011
Is the conventional ID and passphrase combination dead?
Possibly. Well, ever since sites started generating 12-character passphrases with upper- and lower-case letters and numerics, meaning that even Dustin Hoffman (Rain Man) would have difficulty memorising the string, it probably has.
Whilst sales of post-it notes have also probably risen, a growing number of Web portals handling people's hard-earned cash have started using two-factor authentication to secure the electronic premises.
HSBC is the latest to join these ranks (http://bit.ly/hvoB8H), issuing around four million of its account holders with wallet-sized devices that generate one-time numeric strings that are valid for around 60 seconds or so, before refreshing the access code. Not too green in our opinion though!
But adding a card to someone's overloaded wallet or purse isn't going to endear HSBC to its customers, many of whom will probably leave the card in their desk drawer at home or work, in order to make life easy when accessing their e-banking account.
The irony of this is that the HSBC token has become the electronic equivalent of a yellow post-it note. Oops.
Double oops when the bank starts refusing to pay out if users’ computers are infected, and their 2FA PIN was used to drain their money in an Eastern Europe-ly direction.
How will they know if users' PCs are infected? Simple, they have exhorted users to download in-browser security software for some time.
"What do you mean you didn't use Rapport AND left your 2FA card in your desk drawer at work? No wonder your account was electronically ransacked," said the bank. Probably.
Actually, HSBC isn't alone in this regard. Many other organisations are switching to 2FA technology, with Google actively encouraging its users (http://bit.ly/hgyL6u) to tap the security of the 2FA tokens to securely access their Gmail accounts using a smartphone.
The process is rather Dilbertesque, but it can be done.
But hold on a minute, why do you need a 2FA token when your mobile phone can act as a tokenless electronic authenticator?
With the latest smartphones boasting a 1GHz processor, and dual-core, iPad 2-style processors now appearing on the smartphone horizon, there really is no reason not to tap the power of a smartphone to authenticate someone.
Some Irish banks are already using voice authentication as a means of allowing staff to recover their passwords and so helping to keep their IT helpdesks sane.
The smartphone, however, is actually a highly useful piece of kit when it comes to tokenless authentication. The reason is that the latest iPhones and Android devices are as powerful as computers were a decade ago - which is actually very powerful indeed.
It also means that, since most of us treasure our mobile - not only for bling purposes, but for the data and content it contains - and notice within a short while that it is missing (1 in 3 notice within 15 minutes), the mobile phone is a lot more cherished than an electronic equivalent of a post-it note.
I reckon if Carlsberg were to make 2FA they probably would have called it SecurEnvoy SecurAccess.