
Two-factor authentication gone wrong

My bank has gotten two-factor authentication badly wrong. In a move to have "what you know" and "what you get", they've introduced "TAN cards". These cards have a login and a 12-letter code printed on them. For each login, you need to type in three randomly chosen letters from that code. In addition to that, you have to enter a password; this is also used to confirm every single transaction.

Leaving aside the fact that nothing in these "TAN" cards is transaction-specific, the "system" is topped off by demanding that the password be at least 10 characters long and high-entropy -- and that is actually enforced.

The result? Pretty much nobody can reliably memorize a high-entropy password of 10 characters. Hence, the system degenerates into "what you have" twice over.

Remember: If you want to do "what you know" style authentication, make the shared secret something that people *can* know.
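To make the two halves of the argument concrete, here is an added example (my own illustration, not the bank's software or any real banking protocol) that models the scheme as the post describes it: a 12-letter card, three randomly chosen positions per login, a constant-time check of the user's answer, and the size of the resulting guess space. It assumes the card uses upper-case Latin letters and numbers positions from 1, as a printed card would. The last two functions are an assumed, generic HMAC-based construction showing what a *transaction-specific* confirmation would look like, which is exactly what the static card lacks.

```python
import hmac
import secrets
import string
from math import comb

# Parameters taken from the post: a 12-letter code on the card and three
# challenged positions per login.
CARD_LENGTH = 12
CHALLENGE_POSITIONS = 3
ALPHABET = string.ascii_uppercase  # assumption: upper-case Latin letters

_rng = secrets.SystemRandom()


def generate_card(length: int = CARD_LENGTH, alphabet: str = ALPHABET) -> str:
    """Issue a card code from the OS CSPRNG (constructed helper, not the bank's)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def make_challenge(length: int = CARD_LENGTH, k: int = CHALLENGE_POSITIONS) -> list:
    """Pick k distinct 1-based positions, numbered as a printed card would be."""
    return sorted(_rng.sample(range(1, length + 1), k))


def expected_response(card: str, positions: list) -> str:
    """The letters the user is expected to read off the card for this challenge."""
    return "".join(card[p - 1] for p in positions)


def verify_response(card: str, positions: list, response: str) -> bool:
    """Constant-time comparison; case-folded because a person types the letters."""
    want = expected_response(card, positions).upper().encode()
    got = response.strip().upper().encode()
    return hmac.compare_digest(want, got)


def response_space(alphabet_size: int = len(ALPHABET), k: int = CHALLENGE_POSITIONS) -> int:
    """Possible answers to one challenge: alphabet^k, i.e. 26^3 = 17576."""
    return alphabet_size ** k


def distinct_challenges(length: int = CARD_LENGTH, k: int = CHALLENGE_POSITIONS) -> int:
    """Distinct position sets the server can ask for: C(12, 3) = 220."""
    return comb(length, k)


def canonical_transaction(tx: dict) -> str:
    """Fixed-order encoding so the same transaction always yields the same MAC input."""
    return "|".join(f"{key}={tx[key]}" for key in sorted(tx))


def transaction_code(shared_secret: bytes, tx: dict, digits: int = 6) -> str:
    """Transaction-bound confirmation code (assumed generic HMAC scheme, for illustration).

    Unlike a static card, the code depends on payee and amount, so a code
    confirming one transaction is useless for confirming another."""
    mac = hmac.new(shared_secret, canonical_transaction(tx).encode(), "sha256").digest()
    value = int.from_bytes(mac[:4], "big") % (10 ** digits)
    return f"{value:0{digits}d}"


if __name__ == "__main__":
    card = generate_card()
    positions = make_challenge()
    answer = expected_response(card, positions)  # what the user reads off the card
    print("card:", card, "positions:", positions, "valid:", verify_response(card, positions, answer))
    print("answers per challenge:", response_space(), "distinct challenges:", distinct_challenges())
    tx = {"payee": "DE00 0000 0000 0000 0000 00", "amount": "100.00"}  # constructed sample
    print("transaction code:", transaction_code(b"constructed-demo-secret", tx))
```

The numbers make the usability point visible: one card challenge has only 17576 possible answers and 220 possible challenges, so the card is a "what you have" factor of modest strength, and the 10-character high-entropy password that is supposed to supply "what you know" is the part people cannot carry in their heads.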


Comments (1)

Marcos:
I am tired of TAN Cards, indexed TANs and the solution-du-jour and am going for HBCI.

About

This page contains a single entry from the blog posted on March 10, 2006 5:09 PM.


Creative Commons License
This weblog is licensed under a Creative Commons License.