Google Authenticator for multi-factor authentication [LWN.net]

Google Authenticator for multi-factor authentication

Posted Dec 7, 2011 15:11 UTC (Wed) by jzbiciak (✭ supporter ✭, #5246)
In reply to: Google Authenticator for multi-factor authentication by fuhchee
Parent article: Google Authenticator for multi-factor authentication

I don't think you can collapse these so readily. The three categories have rather different properties.

"Things you have" generally refer to dongles, keys, access cards or other trinkets that you are issued. Someone could steal any of those things without physically harming or maiming you.
"Things you know" require you to be at least somewhat conscious, and require at least some level of cooperation to access. Sure, duress can beat a password out of you. (I'm reminded of this XKCD), but if someone kills you, the only other option to get the information is to find someone or something else who has it or brute-force guess it.
"Things you are" refers to biometrics, at least as far as I understand. Sure, someone could steal a body part (OUCH!), or in the case of the fingerprint machines, fake your fingerprint by lifting it from a glass. There's different levels here. The retinal scan made famous by many movies is a little harder to fake than the el cheapo thumbprint reader on a laptop. I'd like to see someone replicate an eyeball, maliciously or otherwise.

Still, nobody's arguing security can be made perfect, multifactor or otherwise. But, the more (and more varied) the factors are, the higher the bar gets raised. It requires an attacker to compromise more than one path before they achieve their goal, at a minimum reducing the probability of success to the product of the probabilities of compromising either factor. There's also the increased likelihood of detection, which potentially reduces the probability of success further.

So, I wouldn't be so quick to poo-poo multifactor authentication.

(Log in to post comments)