European vs. U.S. 2nd factor acceptance
In an interesting article this week on why Europeans have adopted true 2nd factor authentication while the U.S. has not, David Berlind references a Q&A chain with Mark Diodati of Burton Group. The first article in the chain is on What is Multifactor Authentication?, and I’d like to draw your attention to its second question: Many European security experts believe that multifactor authentication is essential for securing online consumer applications, but in the United States few banks or other financial institutions use it. Why is this? Mark Diodati’s response is actually very interesting and not something of which I was aware.
I would, however, suggest an additional idea: higher European adoption could also be influenced by the difference in privacy laws and the general sensitivity to privacy in Europe vs. the U.S. Liability is a strong motivator. I’ve long held that U.S. institutions are concerned with protecting the transactions, and hence themselves, rather than with actually protecting the end-user. The end-user could be compromised and have their identity stolen or fraud perpetrated on them in a variety of ways due to a breach of an online account, but so long as the bank doesn’t incur a loss by reimbursing a customer for a $500 fraudulent transaction, the bank is satisfied. They are apparently managing this fraud loss ratio satisfactorily, or they would definitely be pursuing more stringent mechanisms, or having them forced upon them more explicitly than by the weak FFIEC Guidance from 2005. This comes down to the difference between guarding against fraudulent transactions and the broader protection of users’ data: transactional, identity, etc.
Certainly there also appears to be greater resistance among Americans to anything that smacks of inconvenience. The numbers are plain and straightforward: for every change you make to an online experience, users click away, stop and pick up the phone, etc. All things to be avoided if you’re trying to build an online channel and keep support costs low. Understandable.
However, like David Berlind, I’d be very happy to use a true 2nd factor authentication mechanism. In fact, I’ll change banks to get true strong authentication, and I will do much more of my online business at that bank ever after. I suspect that Mr. Berlind would put an OTP (One Time Password) into that category, but if you’ve read my blog or paid much attention to the reality of the man-in-the-middle threat, you’ll hold out for a true 2nd factor and not just another single factor (what you know). Remember that two passwords don’t make an actual second factor, even if one is only useful for a short while. Yes, I know that is a contentious statement and out of step with the mainstream view of OTPs, but I believe the realities of 2007 back it up.
By failing to offer stronger authentication and other security options and merely sticking with the bare minimum, U.S. institutions fail to capitalize on the opportunities for competitive advantage and increased online usage by a key target audience: the technology-savvy early adopter. I haven’t looked up any recent studies on it, but I suspect this group also comprises the mythical ‘influencers’ and probably has above-average incomes, bank balances and credit card usage rates.
I’ll cover the next Q&A article in the chain with Mark Diodati in my next post. It covers password hardening.
September 16th, 2007 at 7:51 pm
I’m not sure why OTP wouldn’t be good for you. Yes, an OTP can theoretically be snaked by a MiTM attacker but for *you*, a security knowledgeable person to have an issue, you’d either have to get malware involved, or you’d have to ignore things like SSL warnings, etc.
If you’re worried about users in general, then yes, I can see potential issues with OTP. If you’re thinking just about yourself, then perhaps the risks of an OTP solution are overblown?
If you’re being owned by local malware that spoofs you, reads the OTP, etc., it isn’t very likely that something like a smartcard would fare much better than an OTP scheme.
September 18th, 2007 at 11:05 pm
Andy, thanks for the comment. I have been a long-time OTP hater ever since I was asked to implement them and then use them when I worked in IT at a bank. That was a long time ago and a completely different world before the rise of the e-commerce internet and anyone considering Ma & Pa Smith being issued OTPs.
Today, I am still an OTP basher because they give a false sense of security. An attacker does not need to have malware locally on my PC to compromise my OTP. These are not theoretical attacks, but real, live, “in the wild” attacks being carried out today. RSA themselves are touting their discovery of MITM kits available for any script kiddie with a dream of accessing and using.
The jump from compromising OTP protected authentication to compromising a smartcard or PKI digital credential (to be more generic) is a much higher jump requiring at least a footprint within the local browser itself vs. existing purely on the internet. Certainly, I agree with your point that at some elevated level of local device compromise, there is no defense, OTP, smartcard, biometric, etc.
September 22nd, 2007 at 9:45 pm
My point was really that if you’re doing SSL and *you* are properly authenticating the endpoint via SSL certificates (not mutual auth mind you) then they are perfectly secure as an authenticator. *You* aren’t going to get MITM’d. Regular users are potentially… but that isn’t an indictment against all forms of OTP, just for using them in certain circumstances - over non-authenticated channels for example.