Bruce On Two-Factor Authentication — And Why I Disagree
By Daniel Miessler on March 16th, 2005: Tagged as General
Bruce Schneier has come out with what I believe to be a major piece that speaks against the ability of two-factor authentication systems to stop phishing and other types of online fraud.
His main argument seems to be that two new types of active attack make it possible to capture even the dynamic passwords of common two-factor authentication systems. For example, if a user enters a password into a phishing site, and the attacker is able to capture it and use it at the bank’s site within the one-minute window, then the fact that the authentication was two-factor didn’t help anything. His other point is that an active trojan on the user’s machine could allow an attacker to piggyback on a legitimate session and transfer funds or perform any other transaction.
His conclusion is that two-factor authentication is not a major, long-term solution to remote authentication over the Internet, and that in the long run it will have little effect on fraud and identity theft.
I disagree.
First off, the amount of automation in these password-harvesting systems needs to be taken into account. Against current systems, you send out an email and soon have a massive list of valid usernames and passwords that you can use within a huge window of opportunity. This wouldn’t be the case anymore with a two-factor system. There you’d have to go through quite a bit of trouble to get the usernames and passwords entered within less than a minute of receiving them. This sort of thing could obviously be automated, but it requires a live application on the other end that takes action immediately, rather than being able to collect credentials and use them (and sell them) over time. This alone is a major hurdle, and will drive the cost of phishing up while driving its profitability down.
Secondly, having an attacker monitor a trojan and “actively” use it to hijack an online banking session has one major flaw: there aren’t enough skilled crackers to go around. If each case of fraud requires 1) an active, working trojan on the user’s machine, and 2) a willing and able human on the other end who happens to be there when the user logs into their banking site, then the number of possible attacks gets hamstrung pretty quickly.
Granted, the methods he mentioned are certainly threats, but to argue that they will be so effective as to return us to our current level of risk is not a tenable argument in my opinion.
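To make the two sides of this argument concrete, here is an added example (not from the original post or from Schneier’s piece): a minimal bank-side verifier for one-minute dynamic passwords, modelled on the HOTP/TOTP construction. The seed, the timestamps and the single-use replay cache are assumptions chosen for illustration. It shows that a code relayed inside its window is still valid (the gap the first attack exploits), and that the one property which does hold, single use, is what breaks the collect-and-resell model the automation argument relies on.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # the one-minute window discussed in the post (assumed TOTP-style time step)


def otp_for(secret: bytes, t: float) -> str:
    """Six-digit dynamic password for the time step containing t (HOTP truncation over the step counter)."""
    counter = int(t) // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


class OtpVerifier:
    """Bank side: a code is valid only during its own time step, and only the first time it is presented."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.consumed_steps = set()  # replay cache keyed by time step

    def verify(self, code: str, now: float) -> str:
        step = int(now) // STEP_SECONDS
        if not hmac.compare_digest(code, otp_for(self.secret, now)):
            return "rejected: wrong or expired"
        if step in self.consumed_steps:
            return "rejected: already used"
        self.consumed_steps.add(step)
        return "accepted"


def scenario() -> dict:
    """Walks the relay case from the post through this verifier. Seed and times are constructed."""
    secret = b"constructed-demo-seed"
    verifier = OtpVerifier(secret)
    code = otp_for(secret, 1200.0)  # the code the user types into the phishing page at t=1200
    return {
        # forwarded to the bank 30 s later, still inside the same one-minute step: the window does not help
        "relayed_within_window": verifier.verify(code, 1230.0),
        # the same code presented a second time in that step is caught by the replay cache
        "reused_after_relay": verifier.verify(code, 1240.0),
        # held for later use, as harvested static passwords are, the code is worthless once the step rolls over
        "used_after_window": verifier.verify(code, 1270.0),
    }


if __name__ == "__main__":
    for event, outcome in scenario().items():
        print(f"{event}: {outcome}")
```

Single-use enforcement closes the resale window but does nothing against a real-time relay, which is exactly the trade-off the two arguments above are weighing.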