[vpn] Schneier's 'Weak Link' Observation (was Two Factor Authentication)
Christopher Gripp
cgripp at axcelerant.com
Thu Apr 11 14:46:43 EDT 2002
Schneier often seems stuck on the concept of 'the weakest link' when discussing security issues. It's a valid point, but he tends to focus quite a bit on what I consider to be an elementary topic.
Everyone understands that if I give my PIN and my token to someone then there is a security breach.
The problem with policies and procedures is that they require COMPLIANCE to be effective and the bad guys don't usually COMPLY with the rules.
I don't believe there are ANY foolproof authentication mechanisms. Unless there is a piece of information known only by one person, such as a PIN, and that person is willing to go to the grave vs. revealing it, then multiple factors of authentication are only slightly more difficult to subvert.
Christopher Gripp
Systems Engineer
Axcelerant
"Impartiality is a pompous name for indifference, which is an elegant name for ignorance." G.K. Chesterton
>
> Someone posted an observation attributed to Bruce Schneier
> that deprecates multi-factor authentication mechanisms in
> cases where technical or procedural weaknesses allow one or
> more factors to be undermined. I disagree with Schneier on
> this point of terminology, since such weaknesses exist in
> just about every authentication technique. It's better to
> call it "weak" or "poorly implemented" two-factor
> authentication than try to spin new terminology to capture
> the distinctions in Schneier's example.
>
>
> Rick.
> smith at securecomputing.com roseville, minnesota
> "Authentication" in bookstores http://www.visi.com/crypto/
>
>
> VPN is sponsored by SecurityFocus.com
>
>