To protect sensitive information, IT systems usually require the user to enter a user ID and password before granting access to the system.
A user ID and password alone are not strong enough to protect confidential data. The reason is simple: they are the weakest link. No matter how strong the encryption algorithm or how complex the authentication system on the backend, it is the end of the story once the password leaks out.
For stronger authentication, we can add a further protection mechanism. Three kinds of authentication factor are widely deployed in the market:
1. Something we know: e.g. a password
2. Something we have: e.g. an ATM card, a mobile phone
3. Something we are: e.g. a retina scan, a fingerprint
Two-factor authentication refers to authenticating with factors no. 1 and no. 2: besides a password, we must also present something we have. We already use two-factor authentication daily; for example, to withdraw money from an ATM we insert an ATM card (what we have) and key in our PIN (what we know). This mechanism definitely gives you better security.
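As an added illustration of the two-factor rule above (this is not code from the post or from any vendor named on it), here is a minimal login check in Python that requires both a password (something we know) and a short-lived, single-use code delivered out of band to a registered phone (something we have, in the spirit of the confirmation-call service mentioned in the comments). The user name, password, phone number and code lifetime are constructed placeholders, and delivery to the phone is only simulated.

```python
import hashlib
import hmac
import secrets
import time

ITERATIONS = 100_000
CODE_LIFETIME = 120  # seconds a delivered one-time code stays valid

# Constructed user record: a PBKDF2-hashed password (factor 1) and a
# registered phone number for out-of-band delivery (factor 2); placeholder data.
_SALT = secrets.token_bytes(16)
USERS = {
    "alice": {
        "salt": _SALT,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, ITERATIONS),
        "phone": "+1-555-0100",
    }
}
PENDING = {}  # user -> (code, expiry timestamp); every code is single use

def check_password(user, password):
    """Factor 1, something you know: constant-time compare of PBKDF2 digests."""
    rec = USERS.get(user)
    if rec is None:
        return False
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], ITERATIONS)
    return hmac.compare_digest(cand, rec["pw_hash"])

def send_code(user, now=None):
    """Factor 2, something you have: issue a short-lived one-time code for the
    registered device. Delivery is simulated; the code is returned only so the
    caller can stand in for the phone, never to the requesting web session."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING[user] = (code, now + CODE_LIFETIME)
    return code

def check_code(user, code, now=None):
    now = time.time() if now is None else now
    entry = PENDING.pop(user, None)  # consumed on the first attempt, right or wrong
    if entry is None:
        return False
    expected, expiry = entry
    if now > expiry:
        return False
    return hmac.compare_digest(expected, code)

def login(user, password, code, now=None):
    """Both factors must pass, so a leaked password alone cannot log in."""
    return check_password(user, password) and check_code(user, code, now)
```

A replayed or expired code is rejected even with the correct password, which is the property that makes the second factor worth having.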
Now, if you develop software, how does this apply to your system? There are many two-factor authentication solutions on the market, ranging from costly ones such as RSA tokens to more cost-effective ones such as custom-made USB sticks. Most solutions require additional hardware.
A vendor called Vidoop has developed a two-factor authentication solution. Vidoop uses a visual grid as the second factor, which eliminates the need for additional hardware.
Since it needs no additional hardware, the advantage is that it is less expensive and scales better. They still need to improve the image loading speed, though: if the images load too slowly, this solution will fail to catch on. Imagine having to wait a few minutes before you can log in to your favourite system!
Another question is how it compares with OpenID. OpenID is more standard and is universally adopted by many Web 2.0 sites such as Digg. We shall wait and see.
Tuesday, July 17, 2007
3 comments:
I don't think ATM cards should necessarily be counted as two-factor. I just wrote a post about this a few hours ago:
http://blog.phonefactor.net/?p=15
We just launched another two-factor authentication service, called PhoneFactor, that uses a confirmation call to the user's (pre-registered) phone number as the second factor. This gets you out of having to carry an additional device but still provides the security of a genuine hardware token.
Have a look at the PhoneFactor blog (linked above) if you're curious, or download it - it's free for a single server.
-Steve
Hi Steve,
I will definitely try PhoneFactor - I think it will be useful for my project.
-Gusniawan
Hey, thanks for blogging about Vidoop!
I'd offer you a myVidoop.com beta invitation code, but it sounds like you already have one -- if not, let me know.
The image loading speed is a big thing, and we've already taken some pretty big steps to mitigate that, which are going to be rolling out with our next version in August.
I'm not sure I understand what you mean when you say "how it compares to OpenID". myVidoop is an OpenID provider, so we actually use and depend on the OpenID protocol for myVidoop.