Friday, September 01, 2006

Who takes responsibility for security?

Neil Macehiter put out an interesting post about biometrics and the use of multi-factor authentication. He references a post by Jerry Fishenden, Microsoft's National Technology Officer for the UK, describing how extremely secure systems should use three-factor authentication:
something you know (such as a PIN), something you have (such as a smart card) and something you are (which is, of course, where biometrics typically come in).

A couple of weeks ago I talked about how US and UK banks are approaching multi-factor authentication for access to online services and secure banking sites. In the US the FFIEC has mandated two-factor authentication, although the way that some banks are approaching this seems to require only software tricks to support two types of 'something you know'. In the UK, card readers and key fob tokens are being rolled out now to supplement the first factor of username/password, following hot on the heels of mainland European banks.

The third factor, "something you are", has not been applied by banks (to my knowledge), but with the accelerating pace of biometric passports and identity cards this could soon be an option. The question is, does your online banking really need a third factor of identity to be secure? The third factor (biometrics) purely adds extra protection to ensure it really is 'me' at the computer keyboard - not someone who found my stolen key fob and attached Post-It with my username and password written on it.

It seems to me that the bigger risk to my accounts is through personal information being compromised internally by company and agency IT staff or insecure systems. Maybe with two-factor security providing authentication protection, the banks will start to take some responsibility for their part in the security of our accounts and information: deflecting the blame to hackers and customers outside the organization will no longer provide enough air cover.
