It is truly amazing how human nature prevails. As much as we try to change, rule and regulate human behavior, there are examples in every field.
It is a known fact that when tax rates increase above a certain threshold, revenues begin to drop as evasion becomes more commonplace. The fiercest regimes are usually the ones that fall the quickest.
But this blog is not supposed to be about sociology or politics; it is about technology and management, and the issue that prompts me to write this time is the obsession of some IT Security departments with implementing every single possible "best practice" as a security measure. Two-factor authentication is one of them, and its most common form is the security token, which guarantees the unbreakable duet: something you know (the password) and something you have in your possession (the token). When you put these together you have successfully authenticated yourself. This is not a new concept; it has been used since ancient times. Just remember the stories that tell of tattoos or moles, passwords and objects that would identify a king, a priest, or a knight.
Changing passwords and setting up rules to construct valid and secure passwords is also a good idea. The problem arises when these rules dramatically restrict the number of words the user can choose and effectively remember. Combined with a stringent requirement to change them too frequently and a strict no-reuse policy, these policies can be counterproductive, as they make it almost impossible for the user to commit multiple random letter/number combinations to memory.
I see this trend quite often, where most users have to identify themselves with a "THREE-FACTOR" authentication method: the token, the password, and the piece of paper where they wrote down the password and how to log in.
Showing posts with label three factor authentication. Show all posts
Monday, August 23, 2010
Tuesday, November 20, 2007
Useless typing...
I am pumping gas at the station. And this time it is not the now-expected high price per gallon that makes my mind wander.
I am paying by credit card, so I have been asked for a PIN.
I am always amazed at the random security measures I see. Lately, "two-factor authentication" or even "three-factor" has gained tremendous momentum and is considered a must for certain applications such as remote network access. You can see the familiar "token card" dangling from people's lanyards. But two- (or three-) factor authentication was also a very well-known concept in the XVII century. In fact, long before that, the Romans already used some form of it. The "three factors" refer to features that can be produced to prove identity:
- Something that only we know
- Something that we possess
- Some feature on ourselves that can be shown
We have heard stories where the messenger shows a tattoo or a particular mole on his skin, or maybe shows a medal, a seal or just utters a password.
So it is not a new concept. How do we fail miserably at implementing it sometimes?
I am just ranting about this useless routine of entering my ZIP code at the pump when I swipe my credit card. It says "to prevent credit card fraud you are now required to enter the ZIP code of your billing address". Granted, it is "two-factor" authentication: something that is in my possession (the card) and something that I know (the ZIP code). That should make it stronger, right?
Well, where the intentions fall to the ground is the "something that ONLY WE know". Haven't the security gurus at the banks thought about the fact that you usually lose your credit card WITH YOUR WALLET? Yes, where your Driver's License is merrily giving away your ZIP code....