Two-factor Authentication and Phishing

by Derek Vadala

I just read an article by Kelly Martin over at Security Focus in which he endorses the idea that governments (US and otherwise) should mandate the use of two-factor authentication for banking. I disagree slightly with the need for legislation, because it seems like the market will eventually force banks to provide this service in order to compete. I strongly disagree with his notion that,

The forced use of two-factor authentication for banking systems accessible over the Internet is our only hope for mitigating the phishing threat.

Two-factor authentication might deter a few specific phishing schemes, but it will have almost zero effect on the long-term problem. For example, it won’t prevent a man-in-the-middle attack or a rootkit with remote view and control capability. In the first case, the attacker simply relays the extra authentication data to the real site while it is still valid; in the second, the user completes both factors on the attacker’s behalf. At that point the attacker can watch the session, and possibly use the still-authenticated session (cached credentials) to act on the site while the user is idle. There is also little to stop a phisher from imitating the challenge-response portion of the login on a rogue web site. This might not be useful for compromising the account itself (since a one-time password is useless for future sessions), but it could easily add credibility to a “Verify Your SSN” page or some other information-harvesting scheme.
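To make the man-in-the-middle case concrete, here is an added simulation (not code from the original post, and not any real bank's software) of a bank that requires a password plus an RFC 4226 HOTP one-time code, a user with a hardware token, and a rogue site that relays whatever the victim types to the real bank immediately. The bank, the shared secret and the account names are all constructed for the demo. It shows both halves of the argument above: relaying the code in real time yields a valid session, while replaying the captured code later does nothing because the counter has moved on.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Bank:
    """Hypothetical bank: password plus HOTP code. Each counter value is
    accepted once, so a captured code cannot open a later session."""

    def __init__(self):
        self.users = {}      # username -> {"password", "secret", "counter"}
        self.sessions = {}   # session token -> username

    def enroll(self, username, password, secret):
        self.users[username] = {"password": password, "secret": secret, "counter": 0}

    def login(self, username, password, otp):
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user["password"], password):
            return None
        if not hmac.compare_digest(hotp(user["secret"], user["counter"]), otp):
            return None
        user["counter"] += 1                      # one-time: this code is now burnt
        token = secrets.token_hex(16)
        self.sessions[token] = username
        return token

    def transfer(self, token, amount):
        username = self.sessions.get(token)
        if username is None:
            return "rejected: no session"
        return f"transferred {amount} from {username}"


class HardwareToken:
    """User-side HOTP generator sharing the bank's secret and counter."""

    def __init__(self, secret):
        self.secret, self.counter = secret, 0

    def next_code(self):
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class RelayPhisher:
    """Rogue site that mimics the bank's login form. It does not save the
    credentials for later use; it forwards them to the real bank at once,
    inside the code's validity window, and keeps the resulting session."""

    def __init__(self, bank):
        self.bank = bank
        self.stolen = {}     # what the victim typed, kept to show replay fails
        self.session = None

    def fake_login_page(self, username, password, otp):
        self.stolen = {"username": username, "password": password, "otp": otp}
        self.session = self.bank.login(username, password, otp)   # relayed in real time
        return "Thank you, please wait..."   # victim sees a plausible page


def run_scenario():
    bank = Bank()
    secret = b"constructed-shared-secret-for-demo"   # constructed, not a real seed
    bank.enroll("alice", "correct horse", secret)
    device = HardwareToken(secret)
    phisher = RelayPhisher(bank)

    # Victim lands on the rogue site and enters password + current OTP.
    phisher.fake_login_page("alice", "correct horse", device.next_code())
    relayed = bank.transfer(phisher.session, 500)

    # Replaying the captured one-time code later fails: the counter has advanced.
    replay = bank.login("alice", "correct horse", phisher.stolen["otp"])

    # The genuine user can still log in with the next code from the token.
    genuine = bank.login("alice", "correct horse", device.next_code())
    return {"relayed": relayed, "replay_session": replay, "genuine_ok": genuine is not None}


if __name__ == "__main__":
    print(run_scenario())
```

The relay succeeds because the second factor proves only that the person typing has the token, not that they are typing it into the genuine site; nothing in the exchange binds the code to the bank's origin. The same simulation also confirms the post's aside that a harvested code is worthless for a future session.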

Bruce Schneier has written on this topic, and I find that interesting since Martin cited another article by Schneier:

I have to agree with what Bruce Schneier wrote recently, that pushing all the responsibility from consumers to financial institutions (and most likely, doing it through legislation, if you ask me) is the only way to get this done.

Schneier’s article from Wired makes the point that “security works best when the entity that is in the best position to mitigate the risk is responsible for that risk” and argues that “Making financial institutions responsible for losses due to phishing and identity theft is the only way to deal with the problem.” But, he also notes that a recent anti-phishing law in California fails to address the issues. The article doesn’t mention two-factor authentication as a potential response either, and given his earlier writing on the subject, I wonder what his response to Martin might be.

Update: I just noticed that Bruce Schneier wrote a follow-up to his post on two-factor authentication. It sums up some of these issues nicely.

What's your take on phishing legislation and do you think two-factor authentication will change anything?