Brad Stone of the New York Times today wrote a story, "Study Finds Web Antifraud Measure Ineffective". The article reports results from a joint Harvard/MIT study of how effective site authentication is as a security measure: of 60 participants, the mechanism worked as intended for only two.
Site authentication is where the user preselects an image that is displayed at login, on the page where they are supposed to enter their uid and password. The technology, developed by Passmark in 2004 (Passmark was later acquired by RSA) and also offered by several competitors, rests on the theory that a user who arrives at a phishing site and does not see their image will recognise that the site is not real and will therefore not enter their uid and password. The study did not bear this out: only two people refused to enter their uid and password, while the other 58 entered them despite there being no image.
Changing end user behavior is hard to do. People are used to entering their uid and password, and they disregard security mechanisms such as site authentication. I am fairly confident that Microsoft's Vista anti-phishing technology, where the toolbar goes green for supposedly safe sites, will meet the same kind of response from end users.
Enterprises wanting to secure themselves internally should take heed of the study. There needs to be stronger authentication, in addition to uid and password, as the user drills down towards more sensitive information and applications. Don't expect one method to provide your security, or you'll be sorry.
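One way to put the "stronger authentication as the user drills down" idea into practice is a step-up policy: each resource carries a minimum assurance level, a session records the strongest factor it has actually proven and when, and access to a sensitive resource is refused with a named step-up challenge rather than granted on password alone. The following is an added example written for this post, not code from Passmark, RSA or any other vendor mentioned above; the resource paths, factor names, and the 15-minute freshness window are assumptions chosen for illustration.

```python
"""Step-up authentication policy, as an added illustration (not code from the
original post or from any vendor named in it). The resource tiers, factor
names and the freshness window below are assumptions made for the example."""
from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    """Strength a session has actually proven; IntEnum so levels compare."""
    NONE = 0
    PASSWORD = 1          # uid and password only
    PASSWORD_OTP = 2      # password plus a one-time code
    PASSWORD_HW = 3       # password plus a hardware token or smart card


# Hypothetical mapping of resource paths to the minimum assurance they need.
RESOURCE_TIERS = {
    "/intranet/news": Assurance.PASSWORD,
    "/hr/payroll": Assurance.PASSWORD_OTP,
    "/finance/wire-approval": Assurance.PASSWORD_HW,
}

# Strong factors go stale: an assumed 15-minute window before re-challenge.
STEP_UP_MAX_AGE_SECONDS = 15 * 60


@dataclass
class Session:
    user: str
    level: Assurance = Assurance.NONE
    level_proven_at: float = 0.0   # epoch seconds of the last completed factor

    def step_up(self, level: Assurance, now: float) -> None:
        """Record a newly completed factor; never lower an existing level."""
        if level > self.level:
            self.level = level
        self.level_proven_at = now


def required_level(resource: str) -> Assurance:
    """Unknown resources default to the strongest tier (fail closed)."""
    return RESOURCE_TIERS.get(resource, Assurance.PASSWORD_HW)


def authorize(session: Session, resource: str, now: float) -> tuple:
    """Return (allowed, reason). When not allowed, the reason names the
    step-up the caller should challenge for, so the login UI can prompt."""
    need = required_level(resource)
    if session.level < need:
        return False, f"step-up to {need.name} required"
    # Password-only access does not expire here; stronger proofs do.
    age = now - session.level_proven_at
    if need > Assurance.PASSWORD and age > STEP_UP_MAX_AGE_SECONDS:
        return False, f"re-authenticate: {need.name} proof older than {STEP_UP_MAX_AGE_SECONDS}s"
    return True, "ok"


if __name__ == "__main__":
    s = Session("alice")
    s.step_up(Assurance.PASSWORD, now=1000.0)
    print(authorize(s, "/intranet/news", 1000.0))        # allowed on password
    print(authorize(s, "/hr/payroll", 1000.0))           # refused: needs OTP
    s.step_up(Assurance.PASSWORD_OTP, now=1100.0)
    print(authorize(s, "/hr/payroll", 1200.0))           # allowed after step-up
    print(authorize(s, "/hr/payroll", 1100.0 + 16 * 60))  # refused: proof stale
```

The decision function returns the factor it wants rather than a bare deny, which is what lets the application challenge for the next factor in place instead of bouncing the user back to a password prompt they will, as the study shows, type into without thinking.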
Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com