Comments on: Security questions and cheese-o 3+ “factor” authentication

By: cote

cote — Fri, 23 Feb 2007 15:33:14 +0000

Good any ideas for those browser changes? ;)

By: Mark Cathcart

Mark Cathcart — Fri, 23 Feb 2007 04:42:24 +0000

Bank of America has been asking you to verify your “site key” plus a user chosen text phrase for almost 2-years now.

You are presented with the user chosen image and phrase and then asked for the equivalent of a user chosen password. For me it’s the best of a bad bunch.

Sure, I’d like some form of 3rd party authentication that doesn’t allow the server I’m connecting to to know anything about my authentication, but will allow me to connect when authenticated log me on.

However, usually when I give this any real thought, I can think of 10-reasons why this isn’t such a good idea. It needs a seed change in the way browsers are built in order to make me think we could pull this off.

By: cote

cote — Thu, 22 Feb 2007 20:54:05 +0000

Thanks for looking that up a leaving the pointer, Mark. Awesome!

By: Mark Wahl

Mark Wahl — Thu, 22 Feb 2007 18:39:12 +0000

The ‘law’ you’re thinking of is probably the FFIEC guidance on authentication for Internet banking. “The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.” The focus of the guidance is on risk assessment and management, not so much on user experience. There’s probably scope for some usability studies as the different techniques (OTP token, scratchcard, image, secret question etc) have found deployment.
http://www.ffiec.gov/pdf/authentication_guidance.pdf

By: cote

cote — Thu, 22 Feb 2007 15:24:19 +0000

Richard: I agree, as the rest of the post hopefully shows. What I was meaning — and hoping to point out with the “technologically” prefix — was that it’s a nifty idea from a purely code monkey context. Usable and nice for end-users, now that’s whole ‘nuter sotry.

By: Richard G Brown

Richard G Brown — Thu, 22 Feb 2007 09:18:51 +0000

[on the new scheme that asks people to look for a specific image and, if it's not there, to become suspicious]: “to his core point, technologically, it’s nifty and fun.”

I’m not so sure it is. We have to remember that the vast majority (let’s say “all” to the first approximation) of internet users are busy people for whom a log-on screen is an irritation. It’s stopping them from doing the task they really want to do.

I don’t see how a security mechanism that relies on one spotting the *absence* of a step in a process is going to work: people just won’t notice. Or if they do, will probably just think to themselves: “neat! They got rid of an annoying step. I can do my banking more quickly!”

By: Ric

Ric — Thu, 22 Feb 2007 07:14:17 +0000

Notice you’re using the same bank as me - fun isn’t it? My wife has the same trouble as yours …

I can’t wait until web identity is sorted a hell of a lot better than it is now.