No Such Weblog

My bank has gotten two-factor authentication badly wrong: In a move to have "what you know" and "what you get", they've introduced "TAN cards". These cards have a login and a 12 letter code printed on them. For each login, you need to type in three randomly choosen letters. In addition to that, you have to enter a password; this is also used to confirm every single transaction.

Leaving the fact aside that nothing in these "TAN" cards is transaction-specific, the "system" is topped by demanding that the password is at least 10 characters long, and high-entropy -- and that is even enforced.

The result? Pretty much nobody can memorize a high-entropy password with 10 letters reliably. Hence, the system degenerates into two times "what you have."

Remember: If you want to do "what you know" style authentication, make the shared secret something that people *can* know.

I'm in New York, co-chairing the W3C Workshop on Transparency and Usability of Web Authentication. Quite a lot of interesting discussion so far; we'll have minutes and a report shortly after the workshop. Phill Hallam-Baker is sitting across the aisle, and blogging in more detail than I can.

Incidentally, the sight from the workshop location is marvellous.