About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion


License

  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.


Two fingers to two factor

By davebirch posted Dec 30 2006 at 11:46 AM

[Dave Birch] I know it's rather trite to point this out, but moving to stronger authentication of digital identities does not by itself mean more "security" unless the human factors are taken care of. Here's a post I came across while looking for something else to do with a project I'm working on. It comes from inside a large banking organisation that has adopted two-factor authentication for remote access to corporate resources, surely a sensible policy to protect shareholders' investments. The person in charge of this shift writes to the staff:

I know there have been a lot of complaints about the new RSA tokens that we've issued, in that it's a bit of an inconvenience to carry your laptop AND an RSA token on your key ring. Here's a solution that will help you keep them together. Get a bigger key ring (we've got a handful, first come first served) and put the token on the key ring using the small diameter ring on the token. Insert the laptop's power cord through the ring, make a half hitch loop on the cord, fastening the bigger ring to the cord.

In other words, tether the "something you have" to the very access device that is at risk, so that whoever walks off with the laptop walks off with the second factor as well.


The guy even provides a useful picture to show bankers how to make sure that if they lose their laptop, the means of reaching vital corporate information goes with it. And I'd bet a pound to a penny that half of them have stuck their username and password on a post-it and sellotaped it to the laptop as well, which would complete the set.

Does this mean that two-factor token-based authentication can never work? Of course not. But it does mean that if we don't find ways to make two-factor authentication go with the grain for the users (perhaps by making the token something they always have with them anyway, such as a mobile phone or a contactless card in their wallets), then they will always find ways to subvert it, leaving the impression of greater security but no actual greater security.

My opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public.

Comments

Dave, fyi - software and mobile phone tokens are available today and they do make life easier for some people. Others prefer physical tokens for various reasons.
