Posted by: Ken Harthun
We all know the three basic ways of proving identity: What you know, what you have, and what you are. Though there is a plethora of articles asserting that the password is dead, I’m not convinced that is the case. Consider that a password could serve as two of those factors: What you know and what you have. Bear with me here because this takes some thought.
We normally look at two-factor authentication as using both a password and some randomly generated numerical sequence on a physical device that changes every minute or so. There is another option. I use both a Yubikey and a PayPal “football” token. These two devices are worlds apart: The Yubikey has a unique ID that never changes and you have to have that device plugged in to validate it; the football generates a random six-digit number that you append to your password or input in a secondary authentication screen. Both of these assume one key factor: You must possess the token and combine it with your password in order to authenticate. That means you must KNOW the password and you must HAVE the token to authenticate. Having one or the other means nothing.
The key difference is that one device – the Yubikey – requires a physical connection; the other device – the football – requires only that you possess it. Why not synthesize this concept using only a password? A physical connection won’t be necessary, but you must possess the second factor, so this resembles the football more than the Yubikey.
I’ll outline the implementation of this concept in a future post. For now, I want you to give it some thought and let me know via the comments your thoughts on this.