FOR - Bruce Schneier, CTO, Counterpane Internet Security
Recently, I published an essay arguing that two-factor authentication is an ineffective defense against identity theft. For example, issuing tokens to online banking customers will not reduce fraud, because new attack techniques simply ignore the countermeasure.
Unfortunately, some took my essay as a condemnation of two-factor authentication in general. This is not the case.
Two-factor authentication solves the problem of password guessing. For an organization trying to improve access control for its staff, two-factor authentication is a great idea.
What two-factor authentication will not do is prevent identity theft and fraud. We are already seeing fraud tactics that ignore two-factor authentication. As banks start rolling out two-factor authentication, criminals will simply switch to these new tactics. The overall amount of fraud will not change.
By concentrating on authenticating the individual rather than the transaction, banks are forced to defend against criminal tactics, rather than against the crime itself.
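To make the distinction between authenticating the user and authenticating the transaction concrete, here is an added worked example (editor's illustration; not code from Schneier, Counterpane, or RSA). It simulates a real-time phishing relay: the victim types her password and one-time code into a fake site, and the attacker forwards them to the real bank inside the same 30-second window. With a login-only OTP (standard RFC 4226/6238 HOTP/TOTP), the relayed session lets the attacker move money wherever they like. With a code computed over the payee and amount the user saw on her token (the `transaction_code` scheme is an assumed construction for this demo, not a named standard), the same relay can only execute the transfer the user actually authorised, once. All names, balances and secrets are constructed.

```python
# Added example, not from the original article: a login OTP relayed in real time
# authorises the attacker's transaction; a code bound to the transaction does not.
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, int(now // step))


def transaction_code(secret: bytes, counter: int, payee: str, amount: int) -> str:
    """Assumed transaction-signing scheme (constructed for this demo, not a standard):
    HMAC over a per-user counter plus the payee and amount shown on the token."""
    msg = f"{counter}|{payee}|{amount}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** 6).zfill(6)


class Bank:
    """Toy bank: password + TOTP at login, optionally a bound code per transfer."""

    def __init__(self, bind_transactions: bool):
        self.bind_transactions = bind_transactions
        self.accounts = {}  # user -> {"pw", "secret", "balance", "ctr"}
        self.sessions = {}  # session token -> user

    def enroll(self, user, password, secret, balance):
        self.accounts[user] = {"pw": password, "secret": secret, "balance": balance, "ctr": 0}

    def login(self, user, password, otp, now):
        acct = self.accounts.get(user)
        if acct is None or not hmac.compare_digest(acct["pw"], password):
            return None
        if not hmac.compare_digest(totp(acct["secret"], now), otp):
            return None
        token = secrets.token_hex(8)
        self.sessions[token] = user
        return token

    def transfer(self, token, payee, amount, code=None):
        user = self.sessions.get(token)
        if user is None:
            return "rejected: no session"
        acct = self.accounts[user]
        if self.bind_transactions:
            expected = transaction_code(acct["secret"], acct["ctr"], payee, amount)
            if code is None or not hmac.compare_digest(expected, code):
                return "rejected: code does not authorise this payee/amount"
            acct["ctr"] += 1  # each code authorises exactly one transaction, no replay
        if amount > acct["balance"]:
            return "rejected: insufficient funds"
        acct["balance"] -= amount
        return f"ok: {amount} to {payee}"


def run_demo(now: float = 1_700_000_000.0) -> dict:
    """Alice wants to pay 'landlord' 500 via a phishing site that relays her
    input to the real bank within the same TOTP window. The attacker never
    learns her token secret; they only see what she types."""
    secret = secrets.token_bytes(20)  # constructed: Alice's token seed
    out = {}

    # Scenario 1: login-only 2FA. The relayed password + OTP buy the attacker a
    # session, and nothing ties that session to what Alice meant to do.
    bank = Bank(bind_transactions=False)
    bank.enroll("alice", "hunter2", secret, balance=10_000)
    alice_otp = totp(secret, now)                                # read off her token
    session = bank.login("alice", "hunter2", alice_otp, now)    # attacker relays it
    out["login_otp_relayed"] = bank.transfer(session, "mule", 5_000)

    # Scenario 2: transaction-bound code. Alice's token shows payee and amount
    # and computes the code over exactly those details.
    bank = Bank(bind_transactions=True)
    bank.enroll("alice", "hunter2", secret, balance=10_000)
    session = bank.login("alice", "hunter2", totp(secret, now), now)  # relay still works
    alice_code = transaction_code(secret, 0, "landlord", 500)
    out["bound_code_altered"] = bank.transfer(session, "mule", 5_000, alice_code)
    out["bound_code_unaltered"] = bank.transfer(session, "landlord", 500, alice_code)
    out["bound_code_replayed"] = bank.transfer(session, "landlord", 500, alice_code)
    return out


if __name__ == "__main__":
    for scenario, result in run_demo().items():
        print(f"{scenario:24s} {result}")
```

The attacker wins scenario 1 without ever breaking the OTP, which is the "new tactic" the essay refers to. In scenario 2 the attacker still obtains a session, but altering the payee or amount invalidates the code, relaying it unchanged only does what the user wanted, and the per-user counter stops a second submission. The check a practitioner should carry away is whether the second factor is cryptographically tied to the payee and amount the user saw, or only to the act of logging in.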
AGAINST - Joe Uniejewski, CTO and senior VP of corporate development, RSA Security
The static password lies at the heart of today's growing internet crime. It is the user's own worst enemy – and the loophole of choice for cybercriminals across the world.
Most phishing attacks by far rely on the mass-harvesting of passwords and other identity data for 'replay' at a later time or date, a risk that two-factor authentication wholly eliminates.
Two-factor authentication also prevents user impersonation through guessed passwords, or with passwords harvested from other sites.
Two-factor technology is a highly effective means of protecting everyone from the perils of a multitude of cyber crimes. RSA Security alone has deployed more than 20 million such devices. It is our belief that two-factor authentication is more necessary today than ever – the reason that organizations such as NIST, the FDIC and, as reinforced at CeBIT, Microsoft have identified it as the way forward.
The idea that it does nothing at all to protect against identity theft is not just incorrect – it is defeatist and irresponsible.