I have to disagree with your article. Two-factor authentication will, in my judgement, do nothing to significantly slow down phishing. People aren't caught by phishing because of weak authentication of them to their bank, they're caught because of non-existent authentication of their bank to them. Two-factor authentication does nothing to prove to me that the Web site accepting my authentication is really the bank I think I'm giving it to.

On the other hand, if I have strong authentication of the bank (say because SSL in the browser is set to demand the server authenticate itself and limited only to those certificates I got from my bank while setting up my account) then it becomes much safer to authenticate myself to the bank.

In the real world, demanding drivers' licenses of every customer in a physical bank branch doesn't help if the problem is criminals setting up fake branches. Why should it work any better on the Internet?

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/363/32533#32533