Security expert Bruce Schneier recently criticized two-factor authentication, which is designed to improve security by pairing passwords with a second test such as a thumbprint or physical token. This week, he took pains to clarify his position with a defense of the technology as useful if not a cure-all.
In the earlier essay, Schneier said two-factor authentication "solves the security problems we had 10 years ago, not the security problems we have today." Phishing and Trojan horses, for example, are attacks that rely on weaknesses beyond the issue of whether a particular computer user is authenticated.
Schneier's stance was significant, given the embrace of two-factor authentication by influential companies such as Microsoft. But this week, Schneier issued a defense of the technology.
Two-factor authentication won't prevent identity theft or fraud, Schneier said on his blog this week, but it is a "long-overdue solution to the problem of passwords."
"It works against passive attacks: eavesdropping and password guessing. It protects against users choosing weak passwords, telling their passwords to their colleagues or writing their passwords on pieces of paper taped to their monitors. For an organization trying to improve access control for its employees, two-factor authentication is a great idea. Microsoft is integrating two-factor authentication into its operating system, another great idea."