WatchGuard Wire
Improve Your Security IQ

Huzzah! U.K. banks move toward two-factor authentication

And I say, now that they're heading in the right direction, I hope they hurry. Maybe it'll goad the U.S. into following suit.

ZDNet UK reported last week that British banks are close to agreeing upon a standard for using a physical device that each banking customer will carry. It generates a one-time-use password each time the customer needs to authenticate their identity (that is, prove who they are). The devices could be in everyone's hands in as little as nine months to a year.

Quick review: identity can be proven by

  • Something you know
  • Something you have
  • Something you are

Most of the systems we encounter each day make us prove our identity by "something we know" -- a password or a PIN. Requiring any two of the three points above is called two-factor authentication and can provide much stronger security than passwords alone, which are notoriously weak authenticators.

The U.K. move looks particularly enlightened when juxtaposed against recent U.S. security developments. Consumer database giants LexisNexis and ChoicePoint both revealed to a Senate committee that their systems have been breached many times, yet both companies withheld that fact from the affected customers. The personal records of 310,000 customers were compromised. ChoicePoint's President admitted there have been "45 or 50 breaches." A LexisNexis executive admitted that of breaches there, "All but 4 or 5 ... were due to compromised passwords."

Until further legislation compels U.S. businesses to be honest about their sloppy security practices, it's every consumer for himself.

Can you see why I think two-factor authentication is a good move? Even the lamest consumer can't compromise a one-time password he or she doesn't know. I'd rather have banks dealing with the fact that people might lose their authentication devices, than dealing with the fallout of blabbermouth employees or customers revealing passwords that jeopardize the private accounts of us all. Godspeed, U.K. banks! Wise up, America! -- Scott Pinzon

Copyright© 2010 WatchGuard® Technologies, Inc. You may copy and distribute this article freely in any medium as long as you copy and distribute the entire article without change and preserve this copyright statement and notice.