Re: Two-Factor Authentication on the Web

by Andrew van der Stock


On 30/06/2006, at 4:03 PM, Tim wrote:

>  the only way I see that you can accurately validate
> someone would be through biometrics (something you are)

This is not possible, as:

All devices in general are tamperable and not trustworthy when in the
hands of the attacker.

Biometric devices have a long history of being little more than snake
oil or toys. The good ones are significantly more expensive than ANY
other form of actual 2FA authentication device.

Many attacks against existing biometric devices are so trivial as to  
be a complete joke. Check out this page:

http://www.heise.de/ct/english/02/11/114/

Lastly, trustworthy biometric registration requires an in-person  
visit, thus negating any possibility of remote authentication.

No matter what 2FA device you use, evidence of identity is only as  
strong as the registration process. I'd prefer to see the initial  
registration (and recovery of registration) done only in-person.  
Otherwise the process is open to abuse by definition.

thanks,
Andrew


