musings and one liners

Two-factor authentication won’t protect Twitter, Google: OneID

Two-factor authentication won’t protect Twitter, Google: OneID:

We basically said, let’s take a clean sheet approach to the problem and design a solution that eliminated the use of shared secrets, used modern-day cryptography, and that made it user friendly. The result is a system that has the security that is far better than even using those hardware tokens and so forth, but yet has the ease of use of Facebook Connect.

He’s suggesting to use public key cryptography to solve the problem that hackers gain access to accounts through breaking into the service provider’s servers, instead of guessing the passwords.

Just replacing the authentication mechanism won’t fully solve the problem, you will also have to secure the end to end chain of events of the service to ensure that a hacker who’s got privileged access isn’t able to see-all and do-all in the service with god-like powers. But a public key based approach can also help with that.