Monday, August 23, 2010

"Three factor" authentication

It is truly amazing how human nature prevails. As much as we try to change, rule and regulate human behavior, there are examples in every field of it winning out.

It is a known fact that when tax rates rise above a certain threshold, revenues begin to drop as evasion becomes more commonplace. The fiercest regimes are usually the ones that fall fastest.

But this blog is not supposed to be about sociology or politics; it is about technology and management, and the issue that prompts me to write this time is the obsession of some IT Security departments with implementing every single possible "best practice" as a security measure. Two-factor authentication is one of them, and its most common form is the security token. The idea is the supposedly unbreakable duet: something you know (the password) and something you have in your possession (the token). When you put these together you have successfully authenticated yourself. This is not a new concept; it has been used since ancient times. Just remember the stories that tell of tattoos or moles, passwords and objects that would identify a king, a priest, or a knight.
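To make the "something you know plus something you have" duet concrete, here is an added example (not code from the original post): a two-factor check where the password is verified against a salted PBKDF2 hash and the token is verified as an RFC 4226 HOTP / RFC 6238 TOTP code, which is the algorithm most hardware and software tokens implement. The user record, salt and password are constructed for the example; the token secret is the well-known RFC 4226 test secret, used here only so the codes can be checked against the published test vectors.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed sample values; in a real system the salt is random per user
# and the token secret is generated when the token is enrolled.
_SALT = b"example-salt-not-for-production"
_TOKEN_SECRET = b"12345678901234567890"  # RFC 4226 test-vector secret


def hash_password(password: str, salt: bytes = _SALT) -> bytes:
    """Factor 1, 'something you know': store only a slow salted hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Hypothetical user record, constructed for this example.
USER = {
    "password_hash": hash_password("correct horse battery staple"),
    "token_secret": _TOKEN_SECRET,
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    then 'dynamic truncation' to a 31-bit integer, then mod 10^digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30,
         digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time.
    This is what a time-based token displays ('something you have')."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def verify_two_factor(user: dict, password: str, code: str,
                      at: Optional[int] = None, window: int = 1) -> bool:
    """Accept the login only if BOTH factors check out.

    Both checks are always evaluated (no early return on a bad password),
    so an attacker cannot tell from timing which factor failed."""
    pw_ok = hmac.compare_digest(hash_password(password), user["password_hash"])

    if at is None:
        at = int(time.time())
    counter = at // 30
    # Allow a small clock drift between server and token (+/- window steps).
    token_ok = False
    for drift in range(-window, window + 1):
        expected = hotp(user["token_secret"], counter + drift)
        if hmac.compare_digest(expected, code):
            token_ok = True
    return pw_ok and token_ok


if __name__ == "__main__":
    # Fixed timestamp (T = 59 s) from the RFC 6238 test table, so the
    # example is reproducible offline.
    print("token code at T=59:", totp(_TOKEN_SECRET, at=59))
    print("good password + good code:",
          verify_two_factor(USER, "correct horse battery staple", "287082", at=59))
    print("bad password + good code:",
          verify_two_factor(USER, "wrong", "287082", at=59))
```

The point the post makes is visible in the last two calls: a valid token code on its own is worthless without the password, and vice versa. That property only holds as long as the two factors stay separate, which is exactly what breaks down when the password ends up written next to the token.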

Changing passwords and setting up rules for constructing valid and secure passwords is also a good idea. The problem arises when these rules dramatically restrict the set of passwords the user can choose and actually remember. Combined with a requirement to change them too frequently and a strict no-reuse policy, these rules become counterproductive, because they make it almost impossible for the user to commit multiple random letter/number combinations to memory.

I see this trend quite often: most users end up identifying themselves with a "THREE-FACTOR" authentication method: the token, the password, and the piece of paper on which they wrote down the password and how to log in.
