Welcome to another episode of Techknow, the podcast in which Sophos experts debate, explore and explain the often baffling world of computer security.
In this episode, entitled Two-factor Authentication, Paul Ducklin and Chester Wisniewski investigate the what, the how and the why of the technology often abbreviated to 2FA.
Some of us take it for granted, perhaps because our banks won’t let us go online without it; others of us haven’t taken to it at all, perhaps because it’s an additional complication in online life.
Chet and Duck explain how the predominant forms of 2FA work, and why they make life harder for cybercriminals; they also look candidly at the downsides.
Potential stumbling blocks to the universal acceptance of 2FA include: how you regain control of your digital life if you lose the token that regulates your access, and why you’d want to adopt 2FA at all if you are already comfortable with the extent of your legal liability for online losses.
With a number of big players joining the 2FA club in recent weeks, including Apple, WordPress.com and (if the rumours are true) Microsoft, this Techknow podcast is perfectly timed to help you decide whether to hold out or join in.
Other episodes you might like
- Sophos Techknow – Understanding Botnets
- Sophos Techknow – The End of XP
- Sophos Techknow – Understanding vulnerabilities
- Sophos Techknow – All about Java
- Sophos Techknow – Understanding SSL
- Sophos Techknow – Patching: lead, follow, or get out of the way?
- Sophos Techknow – Busting Password Myths
Great article Paul! This is exactly why I've been working on my own version of a 2 factor token that can hold multiple tokens in one. No need to carry around 6 key fobs. – http://ob-security.info/?p=631
Hardware project based on the Atmel AVR ATmega32U4 chip…nice.
If you do a "next version," how about some kind of display so it can be used with devices that don't have a USB port? With 10 buttons, perhaps it could perform as a challenge/response token? Even a single 7-segment digit might be enough to do the job. (One digit at a time 🙂)
Thanks Paul, that's on my list of features for the next round, along with Bluetooth. The challenge/response idea could be implemented easily enough, and I may add that before the final release.
SMS-based authentication is useful but is itself QUITE VULNERABLE, in that SMS stealers are being built into popular crime kits and, using a social engineering approach or potentially a technique called applanting, it is MUCH TOO EASY for criminals to install a malicious app on your Android-based smartphone and to capture/steal the 2FA SMS message.
D