PhoneFactor Blog

Can I see your credit card, please?

Posted October 22, 2007 by Steve

I did a couple of interviews today about PhoneFactor, and both times I spent some time on the difference between software- and hardware-based two-factor authentication. The problem is that sometimes the "something you have" acts more like "something you know."

Have you ever shopped at a Lowe’s or Wal-Mart and been asked by the cashier to see your physical credit card after you swipe it yourself? Ever wonder why they take the trouble to do that after having installed self-swiping terminals everywhere?

It’s because mag stripes act more like something you know than something you have. The problem is that mag stripes are trivial to re-program with another (stolen) credit card number. The signature block on the back of the card is useless as an identifier (its purpose is more of an assent to the card agreement). When the cashier asks for your card, she is verifying that the numbers on the card match the numbers from the mag stripe, specifically to defeat this sort of attack.
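The cashier's check described above, written out as code. This is an added example, not PhoneFactor's code or anything from the original post: it parses the two common magnetic-stripe track layouts (the ISO/IEC 7813 formats, with `%` and `;` as start sentinels and `?` as the end sentinel), pulls out the account number and expiry, and compares them with what is printed on the card face. The track strings, the cardholder name and the account numbers are constructed; the numbers are the widely published Visa and Mastercard test PANs, not real cards. A non-empty list of findings is the code equivalent of the cashier saying "that card does not match what you just swiped."

```python
"""Compare magnetic-stripe track data with what is printed on the card face.

Added example (not from the original post). Track layouts follow ISO/IEC 7813.
All sample data below is constructed; the PANs are public test numbers.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{12,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?$"
)
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})\d*\?$"
)


@dataclass
class StripeFields:
    pan: str            # primary account number as encoded on the stripe
    exp_yymm: str       # expiry as YYMM, the order used on the stripe
    name: Optional[str] # cardholder name (track 1 only)


def luhn_ok(pan: str) -> bool:
    """Return True if the PAN passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track(track: str) -> StripeFields:
    """Parse a raw track 1 or track 2 string into its fields."""
    if track.startswith("%"):
        m = TRACK1_RE.match(track)
        if not m:
            raise ValueError("malformed track 1 data")
        return StripeFields(m["pan"], m["exp"], m["name"])
    if track.startswith(";"):
        m = TRACK2_RE.match(track)
        if not m:
            raise ValueError("malformed track 2 data")
        return StripeFields(m["pan"], m["exp"], None)
    raise ValueError("unknown start sentinel; expected % (track 1) or ; (track 2)")


def face_exp_to_yymm(face_exp: str) -> str:
    """Convert the MM/YY printed on the card face to the stripe's YYMM order."""
    mm, yy = face_exp.split("/")
    return yy + mm


def verify_presented_card(track: str, face_pan: str, face_exp: str) -> List[str]:
    """Return a list of mismatches between the stripe and the card face.

    An empty list means the stripe agrees with the physical card, which is
    exactly what the cashier is checking when she asks to see the card.
    """
    findings = []
    fields = parse_track(track)
    pan_on_face = face_pan.replace(" ", "")
    if not luhn_ok(fields.pan):
        findings.append("stripe PAN fails Luhn check")
    if fields.pan != pan_on_face:
        findings.append("stripe PAN does not match card face")
    if fields.exp_yymm != face_exp_to_yymm(face_exp):
        findings.append("stripe expiry does not match card face")
    return findings


if __name__ == "__main__":
    # Constructed sample: a card whose stripe matches its face ...
    print(verify_presented_card(";4111111111111111=2512101?", "4111 1111 1111 1111", "12/25"))
    # ... and one whose stripe was re-encoded with a different account number.
    print(verify_presented_card(";5555555555554444=2512101?", "4111 1111 1111 1111", "12/25"))
```

The point of the comparison is the one the post makes: everything the terminal reads comes from the stripe, so the stripe alone cannot prove possession of the card. The embossed number is the second, independent source, and only a mismatch between the two reveals that the "something you have" was copied.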

There are some important characteristics of the "something you have" that make two-factor authentication work. One of these is that it must not be easily duplicated. Smart cards, tokens, and (of course) phones have this property, as do fingers and eyeballs. Mag stripes and HTTP cookies and digital certificates (by themselves) do not.

So, the bottom line is this: when you’re shopping for a two-factor authentication system, get one where the "something you have" part really behaves like "something you have."

-Steve
