
Comments on: Microsoft's answer to phishing: Two IDs

Banks aren't moving fast enough on requiring online customers to provide two forms of ID, the company says.

(3 Comments)
2 Factor Auth Will Only...
by pdxtech November 17, 2004 10:19 PM PST
prevent thieves from hacking into accounts by guessing passwords. A 1-factor Phishing attack will simply appear to be a "more convenient" version of a bank's web site to average consumers.
QUESTION...
by Earl Benser November 18, 2004 5:50 AM PST
I wouldn't want to infer that M$ management has got their heads up their butts (again) but how can a requirement for dual IDs stop a phishing attack that asks to verify both forms of ID?

If people are dumb enough to respond to current phishing attacks, they are dumb enough to provide both ID forms to an expanded phishing attack.
Two Factor Authentication
by wbenton November 18, 2004 9:16 AM PST
Two factor Authentication or only One factor Authentication... it doesn't matter.

As long as the Authentication process(es), one or more, can be spoofed... they will continue to be a problem.

The Key to security lies in the keys.
Keys for authentication
Keys for encryption
Method of Key creation
Method of Key storage
Method of Key delivery
Method of Key backup
Method of Key protection

All of these combined make any Authentication (Single, Double, Triple or otherwise) secure or unsecure.

Where are the keys stored?
Is that storage encrypted?
How were the keys created? (is there any pattern?)
Who has access to those keys?
Are those keys backed up? (What backup methods and storage for those backups?)
What encryption method is used, what is the key length, can those keys be retrieved somehow?

It's quite complex and the FIPS 140 Specifications detail a lot of methods to use, but all of them are cumbersome at best.

Bottom line: Good security ain't cheap and cheap security ain't necessarily good.

Likewise, strong keys used with a weak encryption method or weak keys used with a strong encryption method make for more mess than it's worth.

Keys are the KEY to security, from creation, handling, storage & backup to revoking.

FWIW