Schneier on the failure of two-factor authentication

I’d not heard the term “two-factor authentication” before, but it turns out it’s just using two passwords, one you make yourself and one you get from somewhere else. The little key-fobs that give you a new password every 60 seconds are an example, as are the less technological printed lists of one-use passwords that have been around for years. In the latest Crypto-Gram, Bruce Schneier argues that two-factor authentication “solves the security problems we had ten years ago, not the security problems we have today.” In particular, it does nothing to stop phishing (man-in-the-middle) attacks or Trojan horses.
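To make Schneier’s point concrete, here is an added example (mine, not from the post or from Crypto-Gram): a toy verifier for a key-fob style code that changes every 60 seconds, built on the RFC 4226 HMAC construction in Python, with a constructed secret and a fixed clock value. The server knows only the shared secret and the time step, so a code that reaches it inside the window is accepted no matter who submitted it; the only things it can refuse are a second use of the same code and a code that arrives after the window has closed.

```python
"""Toy 60-second one-time-password verifier (RFC 4226 HOTP arithmetic, TOTP-style time step)."""
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # the fob shows a new code every 60 seconds
DIGITS = 6
SECRET = b"constructed-demo-secret-12345"  # constructed demo value, not a real key


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def time_step(now: float) -> int:
    return int(now // STEP_SECONDS)


def current_code(secret: bytes, now: float) -> str:
    """What the fob displays at time `now`: the HOTP of the current time step."""
    return hotp(secret, time_step(now))


class Verifier:
    """Server side. Sees a code and a clock; learns nothing about who typed the code or where."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.last_accepted_step = -1  # replay guard: each step's code may be used once

    def verify(self, code: str, now: float) -> bool:
        step = time_step(now)
        # Accept the current step and the previous one to tolerate clock skew and typing delay.
        for candidate in (step, step - 1):
            if candidate > self.last_accepted_step and hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_accepted_step = candidate
                return True
        return False


def demo() -> dict:
    t0 = 1_700_000_000.0  # fixed clock so the run is reproducible
    server = Verifier(SECRET)
    code = current_code(SECRET, t0)  # the user reads this off the fob
    return {
        "submitted_within_window": server.verify(code, t0 + 20),      # accepted, whoever submits it
        "replayed_same_step": server.verify(code, t0 + 25),           # refused: already used
        "submitted_after_expiry": Verifier(SECRET).verify(code, t0 + 180),  # refused: window closed
    }
```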

I suppose solving security problems from ten years ago is better than not solving those problems, but at best it should be viewed as a stop-gap (and the cost of rolling out such measures should be weighed with that in mind).

Update 3/18/05: as a commenter pointed out, two-factor authentication isn’t really the use of two passwords so much as two authentication methods. I was basically paraphrasing the PC World article, and I should really know better.