Two-factor login not totally useless

Security expert Bruce Schneier recently criticized two-factor authentication, which is designed to improve security by pairing passwords with a second test such as a thumbprint or physical token. This week, he took pains to clarify his position with a defense of the technology as useful if not a cure-all.

In the earlier essay, Schneier said two-factor authentication "solves the security problems we had 10 years ago, not the security problems we have today." Phishing and Trojan horses, for example, are attacks that rely on weaknesses beyond the issue of whether a particular computer user is authenticated.

Schneier's stance was significant, given the embrace of two-factor authentication by influential companies such as Microsoft. But this week, Schneier issued a defense of the technology.

Two-factor identification won't prevent identity theft or fraud, Schneier said on his blog this week, but it is a "long-overdue solution to the problem of passwords."

"It works against passive attacks: eavesdropping and password guessing. It protects against users choosing weak passwords, telling their passwords to their colleagues or writing their passwords on pieces of paper taped to their monitors. For an organization trying to improve access control for its employees, two-factor authentication is a great idea. Microsoft is integrating two-factor authentication into its operating system, another great idea."

About the author

Stephen Shankland has been a reporter at CNET since 1998 and covers browsers, Web development, digital photography and new technology. In the past he has been CNET's beat reporter for Google, Yahoo, Linux, open-source software, servers and supercomputers. He has a soft spot in his heart for standards groups and I/O interfaces.

