
March 10, 2006

Two-factor authentication gone wrong

My bank has gotten two-factor authentication badly wrong. In a move to combine "what you know" with "what you have", they've introduced "TAN cards". Each card has a login name and a 12-letter code printed on it. For every login, you are asked for three letters from that code at randomly chosen positions. In addition, you have to enter a password, and the same password is also used to confirm every single transaction.

Leaving aside the fact that nothing in these "TAN" cards is transaction-specific, the "system" is topped off by demanding that the password be at least 10 characters long and high-entropy, and that requirement is even enforced.

The result? Pretty much nobody can reliably memorize a high-entropy 10-character password, so it gets written down. Hence, the system degenerates into two times "what you have."

Remember: If you want to do "what you know" style authentication, make the shared secret something that people *can* know.
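To make the two complaints concrete, here is a small model of the scheme as the post describes it. This is an added illustration, not the bank's code: the card contents, the position-picking rule and the transaction check are my assumptions about how such a system is typically built. It shows that a login response carries only about 14 bits if the card letters are uniform, and that the transaction "confirmation" never looks at the transaction.

```python
import hmac
import math
import secrets
import string
from typing import Sequence, Tuple

ALPHABET = string.ascii_uppercase  # assumed: cards use uppercase letters
CARD_LEN = 12                      # 12-letter code, as on the card
CHALLENGE_LEN = 3                  # three positions asked per login


def issue_card() -> str:
    """Constructed card secret, standing in for the code printed on a card."""
    return "".join(secrets.choice(ALPHABET) for _ in range(CARD_LEN))


def make_challenge() -> Tuple[int, ...]:
    """Server picks three distinct 1-based positions on the card (assumed rule)."""
    rng = secrets.SystemRandom()
    return tuple(sorted(rng.sample(range(1, CARD_LEN + 1), CHALLENGE_LEN)))


def card_response(card: str, challenge: Sequence[int]) -> str:
    """What the user types: the letters at the challenged positions."""
    return "".join(card[pos - 1] for pos in challenge)


def verify_login(card: str, challenge: Sequence[int], response: str) -> bool:
    """Login check; compare in constant time so the check itself leaks nothing."""
    return hmac.compare_digest(card_response(card, challenge), response)


def confirm_transaction(password: str, entered: str, transaction: str) -> bool:
    """Transaction step as described: the static password confirms it.

    `transaction` is deliberately unused here to mirror the post's point that
    nothing in the scheme is bound to the transaction being confirmed.
    """
    return hmac.compare_digest(password, entered)


def challenge_bits(alphabet_size: int = len(ALPHABET), k: int = CHALLENGE_LEN) -> float:
    """Guessing entropy of one login response if card letters are uniform:
    k * log2(alphabet_size) = 3 * log2(26), about 14.1 bits."""
    return k * math.log2(alphabet_size)
```

Because `confirm_transaction` ignores its `transaction` argument, the same entered password confirms any transaction, which is exactly why a transaction-specific TAN would need to bind the code to the transaction details.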

About March 2006

This page contains all entries posted to No Such Weblog in March 2006. They are listed from oldest to newest.

This weblog is licensed under a Creative Commons License.