Published by tim.ullrich on 01 Jul 2008 at 02:25 pm
WoW: Two-Factor Authentication Not Just for Banks Anymore
Banks, brokerage firms and financial services firms in general have all heard about two-factor authentication by now, and many firms already offer the service. While banks were required to adopt two-factor authentication, other industries have been offering two-factor schemes to secure client accounts.
Most banks have settled on RSA’s PassMark image-based system (users pick an image that will be displayed when logging in to verify the site’s authenticity). Some brokerage firms offer this same system while others offer clients a token-based system (Charles Schwab and E*TRADE for example). Instead of images, the token (also usually provided by RSA) ties a specific client to an algorithm that the token uses to generate a number that the website verifies. As we said, this is pretty much common knowledge and accepted practice for quite a few financial services firms (let’s include PayPal in that group).
Two-factor authentication is good for securing personal information and locking down accounts, like your bank account. Because it is so robust and is generally resistant to brute-force attacks and key logging tools, this technology could be useful for locking down all kinds of accounts. As an example, how about a two-factor token to lock down a gaming account? Blizzard Entertainment has in fact just started offering ID tokens for its wildly popular World of Warcraft game. The token costs just $6.50 and is tied to specific player IDs. Just like at financial services firms, players log in as usual, then enter the token-generated number.
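An added example, not part of the original post and not RSA's or Blizzard's implementation: it uses the open HOTP/TOTP algorithms (RFC 4226/6238) as a stand-in to show how a website verifies a number from a token tied to one account, and why a code captured by a key logger cannot be reused. The 30-second step, 6-digit length, account name and class names are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds each code stays valid (assumed; RFC 6238 default)
DIGITS = 6     # length of the displayed number (assumed)


def token_code(secret: bytes, counter: int) -> str:
    """HOTP (RFC 4226): the number the token shows for one time step."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class TokenVerifier:
    """Server side: one secret per account, each code accepted at most once."""
    def __init__(self, window: int = 1):
        self.window = window    # tolerate +/- this many steps of clock drift
        self.secrets = {}       # account id -> secret shared with its token
        self.last_used = {}     # account id -> latest time step already accepted

    def enroll(self, account: str, secret: bytes) -> None:
        self.secrets[account] = secret
        self.last_used[account] = -1

    def verify(self, account: str, code: str, now: float) -> bool:
        secret = self.secrets.get(account)
        if secret is None:
            return False
        current = int(now) // STEP
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_used[account]:   # already accepted: a replay
                continue
            if hmac.compare_digest(token_code(secret, step), code):
                self.last_used[account] = step
                return True
        return False


if __name__ == "__main__":
    # Constructed sample: RFC 4226 test secret, made-up account name and time.
    secret = b"12345678901234567890"
    server = TokenVerifier()
    server.enroll("mage70", secret)
    code = token_code(secret, 59 // STEP)      # what the token displays at t=59
    print(server.verify("mage70", code, 59))   # fresh code is accepted
    print(server.verify("mage70", code, 60))   # same code replayed is rejected
```
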
It’s just a game, you say! Yes, but considering the time some people invest in this virtual world (think thousands of hours), you will start to see why a token might be a good idea. Maybe it’s overkill, but it does add some comfort knowing that your level 70 Mage won’t be abused by a hacker or even sold. You see, with millions of players worldwide, WoW has a robust in-game and out-of-game economy where people buy, sell and trade virtual gear and even their characters. As in the real world, there are people who want to take the “easy” route by either buying something so they don’t have to invest the time or stealing it to sell to someone else. It’s a real problem and one that Blizzard is addressing head-on with the two-factor authentication token.
At this point it’s not farfetched to think that two-factor authentication might start appearing more often. Amazon.com is one of the busiest sites on the Web and, like World of Warcraft, people can log in from multiple IP addresses making pattern detection harder to implement. Does this mean we will see this from Amazon? No, but they have probably thought about it. After all, most customers let Amazon keep their credit card numbers on file for faster checkout.
OK, so Blizzard shows that two-factor authentication works outside of financial services, and Amazon has reasons for using a token. But what’s the reality? You obviously can’t expect people to carry around a token for every site they visit; it’s just not going to happen. Can you imagine carrying around your credit cards, driver’s license, cash, a work ID badge and a key chain fat enough to make a janitor laugh at you?
There are two possible solutions here: eliminate crime or have one token that does it all (the “one token to rule them all” for the Tolkien fans out there). What form will our Tolkien token take? Maybe it will be a mobile phone, something everyone carries. Each phone could be registered with the various websites by calling a phone number for each, locking that account to the phone. Is it possible? Probably. Next time we have lunch with Steve Jobs we’ll ask him if the feature will be in the next iPhone.

