The age of passwords is dead. They are too easily broken by brute-force computation, by social engineering or by keyboard-logging attacks. The solution security experts have recommended for the last few years has been multi-factor authentication.
This usually combines some kind of smart card or token that produces a one-time password, which only the enterprise will know, with a user ID and perhaps also a password. The chance that a masquerader has both the card and the knowledge is a lot lower than the chance that someone has merely the ID and password to type into a screen.
However, as I watch the commercial landscape and see all sorts of two-factor authentication emerging, I am reminded of a blog post Bruce Schneier, the noted internet security guru, wrote in April of 2005. In the post Bruce notes that two-factor authentication won't stop identity theft. He notes that it merely means that criminals change their tactics.
In other articles Bruce notes that the criminal tactic of phishing merely adjusts for the new two-factor authentication: the criminals pass on both the changing part of the password and the non-changing part to the bank.
Will two-factor authentication solve identity theft? No. However, it is a much better tool for mitigating these attacks than the password alone.
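The relay described above can be modelled in a few lines, and the model also shows what a factor has to do differently for the relay to stop working. The following is an added example, not code from the original post or from authenticationworld.com. It is a toy: a counter-based one-time code in the style of RFC 4226, a "bank" that checks a static password plus that code, and a look-alike site that simply forwards what the victim types. The second half assumes an origin-bound factor (an HMAC standing in for a device signature over the bank's challenge plus the origin the browser reports), and shows that forwarding the response as-is fails the origin check while rewriting the origin field fails the MAC check. All secrets, origins and challenge values are constructed for the demonstration.

```python
import hmac
import hashlib

# All values below are constructed for the demonstration; none come from the post.
USER_SECRET = b"constructed-shared-secret"          # secret shared by the user's token and the bank
STATIC_PASSWORD = "static-part"                      # the non-changing part of the credential
BANK_ORIGIN = "https://bank.example"                 # the real site
PHISH_ORIGIN = "https://bank-login.example"          # hypothetical look-alike site


def hotp(secret: bytes, counter: int) -> str:
    """Counter-based one-time code, RFC 4226 style (HMAC-SHA1, dynamic truncation, 6 digits)."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def origin_bound_tag(challenge: bytes, origin: str) -> bytes:
    """What an origin-binding token computes: a MAC over the bank's challenge AND the origin
    the browser says the user is really on. An HMAC stands in for a signature in this toy model."""
    return hmac.new(USER_SECRET, challenge + b"|" + origin.encode(), hashlib.sha256).digest()


class Bank:
    """Relying party that holds the user's static password and OTP secret."""

    def __init__(self) -> None:
        self.counter = 0  # next expected OTP counter

    def login_with_otp(self, password: str, otp: str) -> bool:
        """Classic two-factor check: static password plus the current one-time code."""
        ok = hmac.compare_digest(password, STATIC_PASSWORD) and \
            hmac.compare_digest(otp, hotp(USER_SECRET, self.counter))
        if ok:
            self.counter += 1  # a used code is never accepted again
        return ok

    def login_with_origin_bound_response(self, challenge: bytes, origin: str, tag: bytes) -> bool:
        """Origin-bound check: the origin field must name this bank and the MAC must cover it."""
        if origin != BANK_ORIGIN:
            return False
        return hmac.compare_digest(tag, origin_bound_tag(challenge, origin))


def relay_otp_login(bank: Bank) -> bool:
    """The relay the post describes: the victim types the static password and the fresh
    one-time code into the look-alike site, which forwards both to the bank right away."""
    typed_password = STATIC_PASSWORD
    typed_otp = hotp(USER_SECRET, bank.counter)        # read off the user's token
    # The look-alike site does nothing clever; it simply passes both parts along.
    return bank.login_with_otp(typed_password, typed_otp)


def legitimate_origin_bound_login(bank: Bank) -> bool:
    """The honest case: the browser is on the bank's own origin, so the tag covers BANK_ORIGIN."""
    challenge = b"constructed-challenge-1"
    tag = origin_bound_tag(challenge, BANK_ORIGIN)
    return bank.login_with_origin_bound_response(challenge, BANK_ORIGIN, tag)


def relay_origin_bound_login(bank: Bank) -> tuple:
    """The same relay against an origin-bound factor. The user's browser is on PHISH_ORIGIN,
    so that is what the token MACs. Returns (forwarded as-is, forwarded with origin rewritten)."""
    challenge = b"constructed-challenge-2"              # issued by the bank, relayed by the look-alike site
    tag = origin_bound_tag(challenge, PHISH_ORIGIN)     # the browser reports where the user really is
    forwarded_as_is = bank.login_with_origin_bound_response(challenge, PHISH_ORIGIN, tag)
    # Rewriting the origin field to look genuine breaks the MAC instead.
    rewritten = bank.login_with_origin_bound_response(challenge, BANK_ORIGIN, tag)
    return forwarded_as_is, rewritten


if __name__ == "__main__":
    print("OTP relayed through look-alike site accepted:", relay_otp_login(Bank()))
    print("Origin-bound, genuine login accepted:", legitimate_origin_bound_login(Bank()))
    print("Origin-bound, relayed (as-is, rewritten):", relay_origin_bound_login(Bank()))
```

The point of the model is the one the post makes: an OTP only proves that whoever submits it had the code within its validity window, so a site that relays the code in real time is indistinguishable from the user. A factor that covers the origin in what it signs changes what the bank learns, because the relayed response now says where the user actually was.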
What are solutions for preventing phishing attacks?
One is trusted third-party identification: the trusted third party validates the identity of the user. This helps reduce phishing, BUT only as long as the trusted third party is validating the real identity. When the trusted third party itself is spoofed by a masquerader, identity theft can still occur.
We're in an arms race where no one solution is going to solve the problem.
Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com
