Two-Factor Authentication: Too Little, Too Late?

Two security experts debate whether two-factor authentication can handle today's network attacks.


By Bruce Schneier

Recently I published an essay arguing that two-factor authentication is an ineffective defence against identity theft (see For example, issuing tokens to online banking customers won't reduce fraud, because new attack techniques simply ignore the countermeasure. Unfortunately, some took my essay as a condemnation of two-factor authentication in general. This is not true. It's simply a matter of understanding the threats and the attacks.

Passwords just don't work any more. As computers have got faster, password guessing has got easier. Ever-more-complicated passwords are required to evade password-guessing software. At the same time, there's an upper limit to how complex a password users can be expected to remember. About five years ago, these two lines crossed: It is no longer reasonable to expect users to have passwords that can't be guessed. For anything that requires reasonable security, the era of passwords is over.

Two-factor authentication solves this problem. It works against passive attacks: eavesdropping and password guessing. It protects against users choosing weak passwords, telling their passwords to their colleagues or writing their passwords on pieces of paper taped to their monitors. For an organization trying to improve access control for its employees, two-factor authentication is a great idea. Microsoft is integrating two-factor authentication into its operating system, another great idea.

What two-factor authentication won't do is prevent identity theft and fraud. It'll prevent certain tactics of identity theft and fraud, but criminals simply will switch tactics. We're already seeing fraud tactics that completely ignore two-factor authentication. As banks roll out two-factor authentication, criminals simply will switch to these new tactics.

Security is always an arms race, and you could argue that this situation is simply the cost of treading water. The problem with this reasoning is it ignores countermeasures that permanently reduce fraud. By concentrating on authenticating the individual rather than authenticating the transaction, banks are forced to defend against criminal tactics rather than the crime itself.

Credit cards are a perfect example. Notice how little attention is paid to cardholder authentication. Clerks barely check signatures. People use their cards over the phone and on the Internet, where the card's existence isn't even verified. The credit card companies spend their security dollar authenticating the transaction, not the cardholder.

Two-factor authentication is a long-overdue solution to the problem of passwords. I welcome its increasing popularity, but identity theft and bank fraud are not results of password problems; they stem from poorly authenticated transactions. The sooner people realize that, the sooner they'll stop advocating stronger authentication measures and the sooner security will actually improve.

Bruce Schneier is CTO of Counterpane Internet Security Inc. and author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World. You can read more of his security writings at


By Joe Uniejewski

Every day, two-factor authentication - ATM-style identification combining the use of something you know (a password) with something you have (a token) - proves itself to be an essential part of broad-based information security systems, mitigating multiple threats, and protecting identities and information assets. While never claiming to be information security's silver bullet, strong two-factor authentication plays a crucial role in protecting vital data.

In the fight against Internet crime, the static password is the user's worst enemy. Two-factor authentication eliminates the risk of most phishing attacks, which rely on the mass harvesting of identity and account information for "replay" later. Two-factor authentication also prevents user impersonation through guessed passwords or with passwords harvested from other sites - a prominent issue today as users struggle to manage multiple passwords across various online accounts. To suggest that two-factor authentication is useless because it doesn't directly prevent real-time man-in-the-middle attacks - in which the attacker sets up a fake Web site to which he lures users who then unwittingly enter their personal information - implies there is a fix-all solution that will solve the problem.

Users need a convenient, reliable way of recognizing when it's safe to provide a credential to an application, and of verifying that the application is authentic. Along these lines, RSA Security has been exploring new ways in which the browser and operating system interfaces for user authentication can be strengthened. We are working with other leaders in the industry to raise the standard for authentication interfaces and, in particular, the protocols for authentication exchanges with Web sites. These improvements, along with protections against various forms of malware, will go a long way toward addressing the legitimate concerns raised by man-in-the-middle attacks. More importantly, they will help to ensure ongoing consumer confidence in e-commerce.

Strong two-factor authentication has proven itself to be a highly effective means of protecting corporations and individuals from a multitude of cybercrimes, in both business-to-business and consumer applications. In conjunction with the other developments outlined above, two-factor authentication is more necessary today than ever - the reason why organizations such as the National Institute of Standards and Technology, the Federal Deposit Insurance Corporation and Microsoft have identified it as the way forward. The idea that it does nothing to protect against identity theft is not just incorrect - it's recklessly defeatist. Like a doom-merchant advocating there is no point in locking your front door if you live in a war zone, detractors are missing the obvious point that there are dozens of threats out there - and no one solution will prevent them all.

Let's work together to ensure the promise of trustworthy online commerce - and direct our strongest response at those who are capitalizing on current security weaknesses, rather than those who are investing in fixing them.

Uniejewski is CTO and senior vice president of corporate development at RSA Security. He can be reached at

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

More about CounterpaneCounterpane Internet SecurityFederal Deposit InsuranceHISMicrosoftPromiseRSARSA, The Security Division of EMCSecurity Systems

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Bruce Schneier & Joe Uniejewski

Latest Videos

More videos

Blog Posts