Two-Factor Part II – OpenID, VeriSign PIP and PhoneFactor

As you may already know, I am a huge believer in two-factor authentication.  You should keep in mind that two-factor authentication is not the absolute answer to Internet security problems.  It is critical that you keep your computer patched with current antivirus software and that you browse and use email with care.

I won’t get too much into the technology other than to say it involves using two of the three factors:  a) something you know,  b) something you have, and c) something you are. The majority of Internet two-factor authentication implementations use the first two factors, since determining something you are (such as a fingerprint or retinal image) involves considerably more logistics than is reasonable for a remote service.  The something you know portion of the system is trivial and widely accepted as username/password combinations.  Of course, password complexity is extremely important and will be the topic of a future post. That leaves us with something you have as the simplest and most common second factor.

It is worth noting that a second username/password combination can never be considered a second factor.  Theoretically, an infinite number of passwords is still part of something you know.  The primary reason that this is important is malware, particularly key-logging software.  This is the reason I am disappointed in PayPal’s two-factor implementation, as described in my previous post on the subject.  If you do implement two-factor authentication with PayPal, you should make sure you never bypass it or you risk exposing your account.

Continue reading