When Bruce Schneier dismissed Two-Factor Authentication as a solution to identity theft, he was widely vilified, mostly by people who didn’t understand his reasoning. Now he’s clarified those comments nicely:
What two-factor authentication won’t do is prevent identity theft and fraud. It’ll prevent certain tactics of identity theft and fraud, but criminals simply will switch tactics. We’re already seeing fraud tactics that completely ignore two-factor authentication. As banks roll out two-factor authentication, criminals simply will switch to these new tactics.
Security is always an arms race, and you could argue that this situation is simply the cost of treading water. The problem with this reasoning is it ignores countermeasures that permanently reduce fraud. By concentrating on authenticating the individual rather than authenticating the transaction, banks are forced to defend against criminal tactics rather than the crime itself.
…
Two-factor authentication is a long-overdue solution to the problem of passwords. I welcome its increasing popularity, but identity theft and bank fraud are not results of password problems; they stem from poorly authenticated transactions. The sooner people realize that, the sooner they’ll stop advocating stronger authentication measures and the sooner security will actually improve.
I had my criticisms at the time. If the core of the Identity Theft Fraud-by-Impersonation problem is poorly-authenticated transactions, then weak authentication mechanisms are still the root of the problem. We’re now widely in agreement that Two-Factor Authentication won’t solve the problem. Let’s move along to what is.
Currently, in the United States all you really need to authenticate yourself as possessing a Financial Identity are the target’s name and Social Security Number. The problems solved by Two-Factor Authentication only come into play after that initial, weak authentication. That is not a password problem; that is a systemic problem.
Authentication proves identity. The strength of the authentication mechanism defines the confidence level that I am, in fact, the entity I’m claiming to be. Name and SSN, Mother’s maiden name, Driver’s License, Username and password, PGP keys, number-generating key-fobs, fingerprint readers and retina scanners all produce different levels of confidence that the remote entity is who they claim to be. Each of them comes with its own benefits and sets of risks. To attempt to pick one society-wide standard from even this incomplete list, however, is foolish.
As I see it, the core of the problem is that Identity is not actually tied to me as a person; it’s tied to data in various databases. That’s not necessarily a Bad Thing. Sure, it’s argued that Biometrics would solve that problem, but I’m actually not very comfortable with that solution. The unintended consequence here is that if we ever actually succeed in tying Identity to its owner, then we can no longer decouple it in the situations where we’d like privacy or anonymity. Yet another example of “Security is a Trade-Off.”
Each authentication mechanism has costs, attacks, and risks associated with it. Passwords (something you know) can be forgotten or stolen without your knowing it, but are easily changed. Biometrics (something you are) can be extremely difficult to forge but cannot be changed on demand (though they can change over time), fail due to injury (how do you read a fingerprint through a band-aid?) or, in the worst case, cost you that finger. Number-generators and private crypto keys (something you have) raise the bar significantly for compromising an account, but can be lost or stolen, are difficult to support or change, and are generally not shared between different authenticating entities.
If I’m worried about someone breaking into my existing on-line bank account, that’s a very different problem than trying to prevent the general abuse of my Financial Identity through Identity Theft Fraud-by-Impersonation and the considerations should vary accordingly.
The key thing to remember is that security solutions are safeguards against specific threats. Unfortunately, very few people seem to understand the relationship between Risk (understanding and quantifying the potential loss if a threat comes to pass) and Security (taking action to mitigate risks). Most people jump straight to the Security piece, since it’s both more interesting and more likely to produce some vendor freebies.
Suggesting two-factor authentication as a cure for Identity Theft Fraud-by-Impersonation is attempting to fit a technology solution to a systemic problem, which is what I think Schneier has been trying to get at all along.
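As an added illustration of the distinction Schneier draws above (authenticating the individual versus authenticating the transaction), and not code from the original post: a toy bank model that compares a strong two-factor login which then trusts everything submitted in the session with a design where each transfer carries a confirmation code bound to its own payee and amount. The customer names, the per-customer secret and the HMAC construction are assumptions of this example, not a real banking protocol.

```python
import hmac
import hashlib
import secrets

# Simplified model (constructed for this example). Two designs are compared:
#   1. identity authentication: strong login, then every transaction submitted
#      in the session is trusted as the customer's;
#   2. transaction authentication: each transfer carries a code computed over
#      its own details with a per-customer secret that the web session never
#      holds (think of a device the customer keeps), so a transaction the
#      customer did not approve cannot be validated.


def transaction_code(customer_secret: bytes, payee: str, amount_cents: int) -> str:
    """Confirmation code bound to the transaction details themselves."""
    msg = f"{payee}|{amount_cents}".encode()
    return hmac.new(customer_secret, msg, hashlib.sha256).hexdigest()[:8]


class Bank:
    def __init__(self):
        self.secrets = {}   # customer -> per-customer transaction secret
        self.sessions = {}  # session token -> customer
        self.ledger = []    # accepted (customer, payee, amount_cents) triples

    def enroll(self, customer: str) -> bytes:
        self.secrets[customer] = secrets.token_bytes(16)
        return self.secrets[customer]

    def login(self, customer: str, password_ok: bool, otp_ok: bool):
        """Two-factor login: authenticates the person once, at session start."""
        if not (password_ok and otp_ok):
            return None
        token = secrets.token_hex(8)
        self.sessions[token] = customer
        return token

    def transfer_identity_auth(self, token: str, payee: str, amount_cents: int) -> bool:
        """Design 1: anything submitted in a valid session is accepted."""
        if token not in self.sessions:
            return False
        self.ledger.append((self.sessions[token], payee, amount_cents))
        return True

    def transfer_transaction_auth(self, token: str, payee: str, amount_cents: int, code: str) -> bool:
        """Design 2: the transaction itself must be authenticated."""
        customer = self.sessions.get(token)
        if customer is None:
            return False
        expected = transaction_code(self.secrets[customer], payee, amount_cents)
        if not hmac.compare_digest(expected, code):
            return False
        self.ledger.append((customer, payee, amount_cents))
        return True
```

Under design 1 a transfer the customer never approved is accepted as long as the session is valid; under design 2 a code issued for one payee and amount validates nothing else.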