I had an annoying problem with my PayPal account that ended up with me being posted a password, all quite tedious and strangely manual. As I observed at the time, it seemed odd that in 2011 we hadn’t got anything figured out when it comes to authentication. Why couldn’t I use my Barclays 2FA PINSentry to prove who I was to PayPal? In fact, why couldn’t I use it for 2FA in general, since moving from passwords to 2FA involving tamper-resistant hardware would be a simple way to improve security across a range of services. We don’t use 2FA, and we should.
But that might be changing: [recently] Google launched two-factor authentication for Google Accounts—the credentials you use to log in to all Google services, including Gmail.
This is a good step. I use Gmail, and I’d actually prefer to use it with 2FA than without, provided that the 2FA is based on something I already have, such as my phone, because I don’t want to carry another dongle. Unfortunately, my mobile operator doesn’t provide any sort of identity management or authentication services, so I can’t use my phone. I do already have a tamper-resistant chip that I have with me most of the time, and that’s in my bank card. Why not use that in some way?
Alternatively, you could slide your credit card through your phone’s card reader—or simply wave your credit card so that it can be recognized by the “near-field communication” chip in your phone.
Are these things too far out?
I’d say not really, especially since I’ve seen SecureKey‘s system for doing just this work perfectly with Google, using a USB key NFC reader and the customer’s contactless bank card to provide the second factor. Today I read about someone pitching iris recognition via USB device as a potential third factor as well. But are three factors enough?
I saw a discussion over at the Identity Management Specialists Group on LinkedIn that set me wondering about authentication factors. Traditionally, we experts have referred to three authentication factors: something you know, something you have and something you are (or, as Ben Laurie once told me, something you’ve forgotten, something you’ve lost and something you were). The LinkedIn discussion was about whether location might be a fourth authentication factor, because it is independent of the other three and can be determined in isolation.
So does this make sense? Is location an alternative third factor, another kind of “something you are”, or is it genuinely something new that adds an additional degree of authentication power? The conclusion in the group discussion was (I think!) that location isn’t an authentication factor because where you are doesn’t change who you are, but that it is an authorisation factor because you may wish to assign different capabilities to an identity depending on where the physical person is (i.e., are they in the office or at home?). I’m not so sure about this: it seems to me that corroborating your location obtained from your mobile phone with, say, a password, does indeed strengthen authentication. There are plenty of options, so a workable strong authentication scheme must be getting closer, right?
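To make the “authentication factor versus authorisation factor” distinction concrete, here is an added example (my own illustration, not code from the original post or from any of the products mentioned). It models the LinkedIn group’s conclusion: a password (something you know) and a counter-based one-time code from the phone (something you have) are the only things that establish who the user is, while the phone’s reported location never substitutes for a missing factor and only decides what the authenticated session may do. The user record, password, office coordinates and the 500 m “in the office” radius are all constructed assumptions; the OTP secret is the RFC 4226 test-vector key so the codes are checkable.

```python
import hashlib
import hmac
import math

# --- Constructed sample data (assumptions, not from the post) ---------------
OTP_SECRET = b"12345678901234567890"          # RFC 4226 test-vector secret
PBKDF2_ROUNDS = 100_000
SALT = b"constructed-static-salt"             # a real system uses a random per-user salt
OFFICE = (51.5155, -0.0922)                   # assumed office location, City of London
HOME = (51.4613, -0.3037)                     # assumed home location, ~16 km away

USERS = {
    "alice": {
        "salt": SALT,
        "password_hash": hashlib.pbkdf2_hmac(
            "sha256", b"correct horse battery staple", SALT, PBKDF2_ROUNDS),
        "otp_secret": OTP_SECRET,
    },
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def distance_m(a, b) -> float:
    """Great-circle distance in metres between two (lat, lon) pairs (haversine)."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6_371_000.0 * math.asin(math.sqrt(h))


def authenticate(username: str, password: str, otp_code: str, counter: int) -> frozenset:
    """Return the set of factors that verified: 'knowledge' and/or 'possession'.

    Location is deliberately not an input here: it cannot make anyone 'more'
    alice. A real deployment would also track the HOTP counter to stop replay.
    """
    user = USERS.get(username)
    if user is None:
        return frozenset()
    factors = set()
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    if hmac.compare_digest(candidate, user["password_hash"]):
        factors.add("knowledge")
    if hmac.compare_digest(hotp(user["otp_secret"], counter), otp_code):
        factors.add("possession")
    return frozenset(factors)


def authorise(factors: frozenset, phone_location, office=OFFICE, radius_m: float = 500.0) -> frozenset:
    """Map an authenticated identity plus its location to allowed capabilities.

    Both factors are required for any session at all; the phone's reported
    location then widens the capability set when it corroborates 'in the office'.
    """
    if not {"knowledge", "possession"} <= factors:
        return frozenset()
    capabilities = {"read_mail"}
    if phone_location is not None and distance_m(phone_location, office) <= radius_m:
        capabilities.add("transfer_funds")
    return frozenset(capabilities)


if __name__ == "__main__":
    code = hotp(OTP_SECRET, 0)                 # the phone would compute this
    who = authenticate("alice", "correct horse battery staple", code, 0)
    print("factors:", sorted(who))
    print("at office:", sorted(authorise(who, OFFICE)))
    print("at home:  ", sorted(authorise(who, HOME)))
    print("password only, at office:",
          sorted(authorise(authenticate("alice", "correct horse battery staple", "000000", 0), OFFICE)))
```

Run as written, the password-only attempt gets nothing even when the phone says it is in the office, which is exactly the group’s point: location changed what alice could do, but it never changed whether the server believed it was alice.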
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public