
March 2006 Archives

March 10, 2006

Two-factor authentication gone wrong

My bank has gotten two-factor authentication badly wrong: In a move to have "what you know" and "what you get", they've introduced "TAN cards". These cards have a login and a 12-letter code printed on them. For each login, you need to type in three randomly chosen letters. In addition to that, you have to enter a password; this is also used to confirm every single transaction.

Leaving aside the fact that nothing in these "TAN" cards is transaction-specific, the "system" is topped off by demanding that the password be at least 10 characters long and high-entropy -- and that is even enforced.

The result? Pretty much nobody can memorize a high-entropy password with 10 letters reliably. Hence, the system degenerates into two times "what you have."

Remember: If you want to do "what you know" style authentication, make the shared secret something that people *can* know.
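As an added illustration (not the bank's system and not code from this weblog), here is a small model of the scheme described above: the three-letter card answer is the same whatever transfer it is typed in for, whereas a transaction-bound code, built here with an assumed HMAC construction over the transfer details, confirms only the transfer it was computed for. Card contents and transfer fields are constructed sample values.

```python
import hashlib
import hmac
import random
import string

CARD_LETTERS = 12       # the card carries a 12-letter code
LETTERS_PER_LOGIN = 3   # each login asks for three of them

def make_card(rng):
    """Constructed stand-in for the printed card: 12 random letters."""
    return "".join(rng.choice(string.ascii_uppercase) for _ in range(CARD_LETTERS))

def pick_positions(rng):
    """Bank side: three distinct card positions to ask for at this login."""
    return sorted(rng.sample(range(CARD_LETTERS), LETTERS_PER_LOGIN))

def card_response(card, positions):
    """Customer side: read the requested letters off the card."""
    return "".join(card[i] for i in positions)

def bank_accepts_transfer(card, positions, response, transfer):
    """The scheme as described: only the card letters are checked; the
    transfer details never enter the computation, so a captured answer
    confirms any transfer at all."""
    return hmac.compare_digest(card_response(card, positions), response)

def transaction_bound_code(card, positions, transfer):
    """Assumed alternative (not the bank's scheme): a short code derived from
    the card, the challenge and the transfer, so it is tied to one transfer."""
    fields = "{iban}|{amount_cents}|{reference}".format(**transfer).encode()
    digest = hmac.new(card.encode(), fields + bytes(positions), hashlib.sha256).digest()
    return "%06d" % (int.from_bytes(digest[:4], "big") % 1_000_000)

def bank_accepts_bound_transfer(card, positions, code, transfer):
    return hmac.compare_digest(transaction_bound_code(card, positions, transfer), code)

def demo(seed=1):
    rng = random.Random(seed)  # seeded only so the demo is reproducible
    card, positions = make_card(rng), pick_positions(rng)
    intended = {"iban": "DE00PLACEHOLDER00001", "amount_cents": 5000, "reference": "rent"}
    altered = {"iban": "DE00PLACEHOLDER00002", "amount_cents": 900000, "reference": "rent"}
    answer = card_response(card, positions)  # what the customer types at login
    code = transaction_bound_code(card, positions, intended)
    return {
        "card_answer_confirms_altered": bank_accepts_transfer(card, positions, answer, altered),
        "bound_code_confirms_altered": bank_accepts_bound_transfer(card, positions, code, altered),
        "bound_code_confirms_intended": bank_accepts_bound_transfer(card, positions, code, intended),
    }
```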

March 15, 2006

Security Usability Workshop

I'm in New York, co-chairing the W3C Workshop on Transparency and Usability of Web Authentication. Quite a lot of interesting discussion so far; we'll have minutes and a report shortly after the workshop. Phill Hallam-Baker is sitting across the aisle, and blogging in more detail than I can.

Incidentally, the sight from the workshop location is marvellous.


Creative Commons License
This weblog is licensed under a Creative Commons License.