Slashdot Mirror


MS to Trade Passwords for 2-Factor Authentication

Bret Tobey writes "During a security panel at CEBIT, Microsoft's Senior Director for Trustworthy Computing commented that Longhorn would abandon passwords in favor of two factor authentication. While it's hard to argue for keeping passwords, it does raise questions about where this could all lead. None other than Bruce Schneier pointed out how two factor authentication can fail us."

5 of 449 comments

  1. Two Factor Authentication. by pavon · Score: 4, Informative

    For those who don't know, in two-factor authentication the two factors are "something you have", and "something you know" - usually a smartcard/token/key and a pin/password/passphrase.

  2. What Is Two Factor Authentication? by MBraynard · Score: 5, Informative

    To review, two-factor authentication consists of:

    Something you have: This factor includes keys, cards, tokens and so on. These things can also be stolen or lost. Something you have can also be known as "something you are," and includes physical or physiological characteristics such as a fingerprint or vocal patterns.

    Something you know: Passwords and PINs are examples of this factor. It is important to note that this knowledge can be lost, shared or guessed by others.

  3. Re:A question worth asking by Sycraft-fu · Score: 5, Informative

    A password and a key, or a fingerprint and a smartcard, etc. Basically you have three ways you can authenticate yourself:

    Something you have (a key, a smartcard)
    Something you know (a password, a PIN)
    Something you are (a fingerprint, a voiceprint)

    It's much more secure to use two of those than it is to use just one. Each one has a failing, security-wise, and it's different than the failings of the others. So if you use two, you make it much less likely that someone will be able to compromise your security.

  4. The point is not that TFA can fail... by datastalker · Score: 4, Informative

    ...but that it makes it more difficult for the less technical/smart/talented criminals to get into the crime.

    Right now, any idiot with an "HTML for Dummies" book can set up a site that looks like a bank's, and just about anyone knows how to send an email.

    With two factor authentication, the techniques that Schneier talks about (MITM, and Trojan) are more difficult to implement, making the crime more difficult, and "weeding out" those criminals who are less likely to pursue the crime in the face of more difficult technology and/or an increase in learning and/or time.

  5. Two way authentication works today by tliet · Score: 4, Informative

    Almost all Dutch banks use 2 way authentication for internet banking. I've been using it since 1997 at the Rabobank, the biggest internet bank in Europe. First with just a token calculator, now with a token calculator that also needs the actual bankcard to work. You insert the card (it has a chip) and it asks you to enter the pin. It will then generate a code that will work to log on to the banking website.

    After you've set up a couple of transactions you'll need to authorise again (with pin) for the bank to get them processed. This time with 2-factor authentication.

    This way, a man in the middle attack as Schneier describes is a little less likely since one knows exactly when one is authorising a transaction or merely logging in.
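A worked model of the login-then-authorise flow tliet describes, added here as an example; it is not from the thread and not any bank's real protocol. It assumes a secret shared between the chip card and the bank, a PIN that unlocks the card, and that the authorisation code is an HMAC over the transaction text shown on the reader, which is what makes a relayed code useless to a man in the middle who alters the transfer; all secrets and account numbers are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed model of the card-reader scheme: card and bank share a secret,
# the PIN unlocks the card, and every code is an HMAC over the message that
# was shown to the user. Hypothetical simplification, not the real protocol.

def _code(secret: bytes, message: str) -> str:
    """Derive an 8-digit code from the shared secret and a message."""
    digest = hmac.new(secret, message.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


class ChipCard:
    def __init__(self, secret: bytes, pin: str):
        self._secret, self._pin = secret, pin

    def respond(self, pin: str, message: str) -> Optional[str]:
        """Return a code only when the correct PIN unlocks the card."""
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            return None
        return _code(self._secret, message)


class Bank:
    def __init__(self, secret: bytes):
        self._secret = secret

    def login_challenge(self) -> str:
        return "LOGIN:" + secrets.token_hex(4)

    def verify(self, message: str, code: Optional[str]) -> bool:
        """Recompute the code over the message the bank actually received."""
        expected = _code(self._secret, message)
        return code is not None and hmac.compare_digest(expected, code)


def scenario(pin: str, altered_payee: Optional[str] = None) -> dict:
    """Log in, then authorise one transfer; optionally let a man in the
    middle swap the payee after the user has signed what the reader showed."""
    secret = b"constructed-card-secret"
    card, bank = ChipCard(secret, "1234"), Bank(secret)
    challenge = bank.login_challenge()
    login_ok = bank.verify(challenge, card.respond(pin, challenge))
    shown = "PAY 100.00 EUR TO NL00BANK0123456789"      # on the reader display
    auth_code = card.respond(pin, shown)                # user signs this text
    received = shown if altered_payee is None else shown.replace(
        "NL00BANK0123456789", altered_payee)            # what the bank gets
    return {"login_ok": login_ok, "txn_ok": bank.verify(received, auth_code)}
```

The login code alone can be relayed by an attacker sitting between the user and the bank; only the binding of the second code to the displayed transaction stops the altered transfer from verifying.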