MS to Trade Passwords for 2-Factor Authentication

Bret Tobey writes "During a security panel at CEBIT, Microsoft's Senior Director for Trustworthy Computing commented that Longhorn would abandon passwords in favor of two factor authentication. While it's hard to argue for keeping passwords, it does raise questions about where this could all lead. None other than Bruce Schneier pointed out how two factor authentication can fail us."

What Is Two Factor Authentication?

[MBraynard]

To review, two-factor authentication consists of:

Something you have: This factor includes keys, cards, tokens and so on. These things can also be stolen or lost. Something you have can also be known as "something you are," and includes physical or physiological characteristics such as a fingerprint or vocal patterns.

Something you know: Passwords and PINs are examples of this factor. It is important to note that this knowledge can be lost, shared or guessed by others.

Source.

Re:A question worth asking

[Sycraft-fu]

A password and a key, or a fingerprint and a smartcard, etc. Basically oyu have three ways you can authenticate yourself:

Something you have (a key, a smartcard)
Something you know (a password, a PIN)
Something you are (a fingerprint, a voiceprint)

It's much more secure to use two of those than it is to use just one. Each one has a failing, security wise, and it's different than the failings of the others. So if you use two, you make it much less likely that someone will be able to compramise your security.