More Action from TriCipher

TriCipher's been in the news a lot lately, and that's good for them and for the whole multifactor movement. We like to see pickup on this technology, no matter whose it is.

http://internetcommunications.tmcnet.com/topics/broadband-mobile/articles/7666-tricipher-takes-identity-theft-prevention-mobile.htm

This article discussed the fact that they've released a USB-based solution, something near and dear to our hearts, because we also use a USB-driven system at Enterprise-in-a-Flash (http://www.enterpriseinaflash.com).

I'm concerned about the fact that they're allowing for customer self-provisioning. I'm not sure a bank would let you self-provision your ATM card onto any blank card you could get your hands on, and I'm not sure it makes sense to trust a user-provisioned authentication factor that they've put onto any unknown USB drive. But I'll have to see more about this before making a final judgment.

Another Great Example

This blog entry by Dave Jevans presents another excellent example of a case where multi-factor authentication would have been valuable in preventing a costly security breach.

http://blog.ironkey.com/?p=136

Interestingly, the comment at the bottom of the page indicates that multi-factor authentication systems are vulnerable to Man In The Middle attacks. While that's true for the traditional One Time Password devices like RSA SecurID, it's not the case for more modern systems, including (shameless plug coming) the USB Flash Key based system offered by Enterprise-in-a-Flash (www.enterpriseinaflash.com), as well as numerous other innovative solutions on the market today. I'm hoping people start to learn more about the options and see that the market is responding to the requirements...

Alternative Authentication Methods

This article is a great primer on non-hardware multifactor authentication - things like face identification rather than passwords, voice pattern recognition, typing pattern recognition, etc.

http://www.networkworld.com/research/2007/060407-multifactor-authentication.html?page=1

While these methods sound innovative and flexible, I remain somewhat skeptical - if someone tries hard enough, there must be a way to spoof a voice or typing pattern, for instance. I don't pretend to know how, but I've got to assume it exists.

For my money, I'd look at these methods as 3rd factor authentication mechanisms, and stick with a solid hardware token - back to the "online ATM card" analogy - as my primary authentication credential.

Banks Still Don't Get It

This article discusses the ongoing problems in the banking industry as they attempt to comply with guidance requiring multifactor authentication for their websites.

http://www.emediawire.com/releases/2007/6/emw530454.htm

Asking a bunch of questions, or even requiring users to type in One Time Password codes, simply doesn't get the job done. A true cooperative authentication process is the only way to accomplish the goal, using something the user has in his or her possession to anchor one end of the authentication protocol.