Banks Also Fighting the Last War

Security guru Bruce Schneier wrote an insightful essay titled The Failure of Two-Factor Authentication. He essentially argues that the millions of dollars banks and others are spending on two-factor authentication doesn't address modern threats. When phishers convince victims to enter credentials that the phisher passes to a real e-commerce site, it doesn't matter if the credentials are a password or a RSA token code and PIN. Also, forget about phishing; just install a silent Trojan that performs fraudulent commercial actions during an authenticated, legitimate session. Something like xss-proxy might do the trick.

This reminded me of my blog entry As Always, .gov and .mil Fight the Last War. I guess it takes too long to implement and fund initiatives in these huge organizations. It's like changing the course of an oil tanker. I'm sure the security staff recommended two-factor authentication five years ago and has only now received funding. Unfortunately, that strategy applied to older threats and cannot address the current problem. Two-factor authentication would probably have helped Paris Hilton remain in control of her T-Mobile account, though!

Update: It looks like Microsoft is jumping on the bandwagon. I think two-factor authentication is still an improvement over usernames and passwords, but it won't solve world hunger.