Ina Fried over at CNET got in touch with me late last week to talk about two-factor authentication, based on my previous post on the subject. A dozen emails later, Ina has published his piece (a nice overview and update, actually) and was kind enough to reference some of our email conversation.
Obviously the piece doesn’t reflect my full perspective… and, in fact, doesn’t touch on several issues that I think are rather important. But as a blogger, I can solve that by simply adding to Ina’s published story (extracting my thoughts from the original email thread):
- The username and password couplet has been the standard online since BBSes in the 80s!
- Since that time, the variety and quantity of activities we conduct online (and the corresponding info we input and generate) has changed dramatically (online shopping, banking, credit checks, dating, etc.)
- ‘New’ activities like blogging and social networking, and new identity paradigms like Sxip.com, put additional pressure on the username/password couplet
On the other hand, it’s very important to realize that a lot of security issues don’t stem from someone finding, guessing or coercing your username and password, but from:
- Outside attacks against a company’s servers and user database
- Company insiders stealing sensitive information
- End users willingly giving information to criminals (email phishing and other con games)
- Malware (spyware et al) resident on your PC
So, while I’m a supporter of two-factor authentication and similar schemes, I understand that it is only one component of a long overdue overhaul of online security.
Ina replied to the above with three questions (answers inline):
For which of the following would you want to use a token or other two-factor authentication key?
(anything else you want to call out)
The devil’s in the details here, so think tactically for a moment.
I want service providers to think through their site design and service offerings, and implement token usage at the appropriate places and times. What’s appropriate for one type of business and usage pattern may be very different from another. Additional friction in service provisioning hurts everyone; intelligent design can mitigate much of the downside.
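One concrete form of "token usage at the appropriate places and times" is step-up authentication: the password covers low-risk actions, the token is demanded only for sensitive ones, and a recent token check is remembered for a while so the user isn’t prompted on every click. The following is an added example written for this post, not code from the original or from any provider; the action names, the two risk tiers and the ten-minute freshness window are assumptions.

```python
"""Added example (not from the original post): a minimal step-up
authentication policy. The second factor is required only for
high-risk actions, and a successful check is remembered for a
short window so it does not add friction to every request.
Action names, tiers and the window length are assumptions."""
import time
from dataclasses import dataclass
from typing import Optional

# Assumed sensitivity tiers for this illustration.
LOW_RISK = {"view_balance", "browse_catalog", "read_messages"}
HIGH_RISK = {"transfer_funds", "change_password", "add_payee", "export_data"}

# Assumed freshness window in seconds: a second-factor check this recent
# still covers a new high-risk action.
STEP_UP_TTL = 10 * 60


@dataclass
class Session:
    user: str
    password_ok: bool = False
    last_second_factor_at: Optional[float] = None


def needs_step_up(session, action, now=None):
    """True if the token must be presented before `action` may proceed."""
    now = time.time() if now is None else now
    if not session.password_ok:
        raise PermissionError("not logged in")
    if action in LOW_RISK:
        return False
    if action not in HIGH_RISK:
        # Unknown action: fail closed and require the token.
        return True
    if session.last_second_factor_at is None:
        return True
    return (now - session.last_second_factor_at) > STEP_UP_TTL


def record_second_factor(session, now=None):
    """Mark that the user just passed a second-factor check."""
    session.last_second_factor_at = time.time() if now is None else now


def authorize(session, action, second_factor_ok, now=None):
    """Gate an action. Returns 'allowed' or 'step_up_required'.
    `second_factor_ok` is whether a valid token response accompanied
    this request (verification of the token itself is out of scope)."""
    if needs_step_up(session, action, now):
        if not second_factor_ok:
            return "step_up_required"
        record_second_factor(session, now)
    return "allowed"


if __name__ == "__main__":
    s = Session(user="alice", password_ok=True)
    print(authorize(s, "view_balance", False))      # allowed
    print(authorize(s, "transfer_funds", False))    # step_up_required
    print(authorize(s, "transfer_funds", True))     # allowed
    print(authorize(s, "add_payee", False))         # allowed (recent check)
```

The unknown-action branch fails closed on purpose: a new feature that nobody classified should cost a token prompt rather than slip through as low-risk.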
Would you be willing to pay any extra for a token (either one-time or monthly)? If so, how much?
Wait…You want me to pay so that I can use your service safely?! Am I getting this right?
Would you be more willing to carry a first token than the second bank or whoever that was offering it?
This is a big question. From a consumer convenience perspective, the argument clearly says “one common token”.
The problem, of course, is that from a privacy perspective, you’re effectively issuing a new personal GUID.
And who controls that, how it is shared amongst providers, and what regulation surrounds it, is an even bigger question.
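To make the GUID point concrete: if every provider sees the same token serial, any two of them (or a data broker holding both databases) can match your accounts by that serial alone. The example below is added here and is not from the original post; it goes one step past the text by showing the usual remedy, which is deriving a different identifier for each provider from a secret that never leaves the token, so the ids cannot be matched without that secret. Provider names, the token secret and the HMAC-based derivation are assumptions for the illustration.

```python
"""Added example (not from the original post): a shared token serial
acts as a global identifier across providers; a per-provider
pseudonym derived with a keyed hash does not. Provider names, the
secret and the derivation are assumptions for this illustration."""
import hashlib
import hmac


def shared_token_ids(token_serial, providers):
    """Naive design: the same serial is presented to every provider."""
    return {p: token_serial for p in providers}


def pairwise_ids(token_secret, providers):
    """Per-provider pseudonym: HMAC-SHA256(token_secret, provider_name).
    Deterministic for a given provider (so it still works as a stable
    login identifier) but unrelated across providers without the secret."""
    return {
        p: hmac.new(token_secret, p.encode(), hashlib.sha256).hexdigest()
        for p in providers
    }


def linkable(records):
    """Simulate providers pooling their user tables: True if the
    identifiers they hold let them match one person across providers."""
    ids = list(records.values())
    return len(set(ids)) < len(ids)


if __name__ == "__main__":
    # Constructed sample data.
    providers = ["bank-a.example", "shop-b.example", "mail-c.example"]
    print(linkable(shared_token_ids("TOKEN-0001", providers)))   # True
    secret = b"\x01" * 32
    print(linkable(pairwise_ids(secret, providers)))             # False
```

Who holds the secret (and therefore who can re-link the ids) is exactly the control question the post ends on; the derivation only moves it, it doesn’t make it go away.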