A couple of days ago I posted a note about a new trend in attacks on two-factor authentication systems. Bruce Schneier also has a post on this in his Schneier on Security blog. He argues, and I agree, that the fundamental issue here is that the two-factor approach is solving the wrong problem: what is needed is to authenticate the transaction, not the user.
Credit cards are a perfect example. Notice how little attention is paid to cardholder authentication. Clerks barely check signatures. People use their cards over the phone and on the Internet, where the card’s existence isn’t even verified. The credit card companies spend their security dollar authenticating the transaction, not the cardholder.
To put it another way, the two-factor approach is fundamentally a defense against a particular type of attack: stealing or guessing passwords. Focusing on authenticating the transaction is more fundamental, in the sense that it is focused on preventing the crime (fraud) rather than on foiling particular criminal tactics.
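To make the distinction concrete, here is an added illustration (not from the original post or from Schneier) of the two approaches side by side: a login-style one-time code that proves only that the customer holds a secret, versus a code computed over the transaction details themselves. The shared key, the challenge, the payee names and the amounts are all constructed for the example; a relay in the middle that alters the payment is the scenario the altered-transaction check simulates.

```python
import hmac
import hashlib

# Constructed for this example: a secret provisioned to the customer's token or app.
SHARED_KEY = b"example-secret-provisioned-to-customer-device"


def _eight_digits(key: bytes, message: bytes) -> str:
    """Truncate an HMAC-SHA256 to an 8-digit code a person can type."""
    digest = hmac.new(key, message, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


def otp_for_login(key: bytes, challenge: str, payee: str, amount_cents: int) -> str:
    """User authentication only: the code depends on the bank's challenge, so it
    proves the customer holds the key but says nothing about what they approved.
    (payee and amount are accepted only so both schemes share one signature.)"""
    return _eight_digits(key, challenge.encode())


def otp_for_transaction(key: bytes, challenge: str, payee: str, amount_cents: int) -> str:
    """Transaction authentication: the code is bound to the payee and amount the
    customer actually saw, so it is valid for that one payment and no other."""
    return _eight_digits(key, f"{challenge}|{payee}|{amount_cents}".encode())


def bank_verify_login(key, challenge, code, payee, amount_cents) -> bool:
    """Bank-side check for the login scheme; transaction fields play no part."""
    return hmac.compare_digest(otp_for_login(key, challenge, payee, amount_cents), code)


def bank_verify_transaction(key, challenge, code, payee, amount_cents) -> bool:
    """Bank-side check for the transaction scheme; recomputes over the fields
    the bank is about to act on, so any change in transit breaks the match."""
    return hmac.compare_digest(otp_for_transaction(key, challenge, payee, amount_cents), code)


def altered_transaction_accepted(make_code, verify, challenge="bank-challenge-001") -> bool:
    """Customer approves $100.00 to Alice; an intermediary rewrites the payment to
    $5,000.00 to Mallory before it reaches the bank. Returns True if the bank
    accepts the rewritten payment with the code the customer produced."""
    code = make_code(SHARED_KEY, challenge, "Alice", 10_000)
    return verify(SHARED_KEY, challenge, code, "Mallory", 500_000)
```

With the login-style code the rewritten payment is accepted, because nothing in the code covers the payee or amount; with the transaction-bound code it is rejected, while the payment the customer actually approved still verifies.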
This, of course, is primarily a job for the banks, rather than for their customers. I think it still makes sense for customers to take reasonable steps to protect themselves.
I think there is one more lesson to be learned from the credit card example. The card issuers started to take security seriously when legislation was enacted that put a $50 limit on the cardholder’s liability for fraudulent use in most cases. As I’ve discussed before, this removed an economic externality, and made the issuers, who are the ones in a position to address the fraud problem, responsible for the costs of not doing so.