Archive for the 'Security' Category

Airport Lobotomy

Tuesday, January 23rd, 2007

I’ve spent an inordinate amount of time at airports the last couple of weeks.. which means I’ve been subjected to the organized stupidity called “airport security”, which only serves the purpose of providing a civilian work environment for people who like to excuse themselves with “I was just following orders”. Out of all the retarded behavior I rank the comment made by a guard at Stockholm Airport a clear winner. This is what he told me after I passed through the metal detector without a single metallic item on me and it still flagged me as a terrorist carrying metal:

“- Don’t worry, it randomly indicates every tenth person.”

..I sincerely doubt that mankind, even in its most perverted state, will ever produce a society where that makes sense..

Buzzword Security

Thursday, July 20th, 2006

When logging on to my internet bank I have to issue both a password and pass the so-called Factor2 Authentication. Sounds impressive, doesn’t it? Probably an updated version of the Factor1 system too.. but does it work? Nope. Two words: Hot Air. I’ll try to argue why.

The system is based on a set of 9 icons, which are each chosen from 3 different categories; each user can choose his/her own set of categories. The user then selects 3 icons and their order, and this becomes the Factor2 authentication passphrase. When logging in, the icons must be clicked, in the selected order, out of a selection of 9 (with 6 incorrect, semi-randomized ones) for the system to log the user on. If the wrong icon is clicked or the incorrect order is entered, the user has to start all over.

So let’s look at the imposed security. Obviously the three correct icons must always be present, which means that a couple of reloads of the Factor2 page will present three static icons and six that change over time. This leaves us with a set of three icons which can be combined in 6 different ways, since the number of r-permutations is P(3,3)=3!. Password cracked.. This vector of attack is however too simple, so let’s assume that all icons are static to be able to continue the reasoning. This leaves us with a total of 504 r-permutations, P(9,3)=9*8*7. This can be compared to a three-letter password out of an alphabet with 9 characters; would anyone consider that safe? Since everyone can select their own categories and icons, the users are of course highly likely to select items close to their personal life to make it easier to remember, thereby making it not only a short password but also an easily guessed one, since the attacker gets hints from the available icons. It can be argued that this scheme is safer than a traditional password since it isn’t vulnerable to a keylogger. Nice try, but totally false. Not only is it vulnerable to a framegrabber or screen recording software, but it is also highly vulnerable to piggybacking since the cursor can easily be tracked on the screen.
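To put numbers on the counting argument above, here is an added Python model of the scheme (example code, not the bank’s system); the icon pool of 30, the rule that the 6 decoys are drawn at random from that pool, and the secret are constructed assumptions. It computes the two keyspaces in the paragraph and shows how intersecting the icon sets of repeated page loads isolates the three fixed icons.

```python
import math
import random

# Constructed model of the Factor2 icon scheme. The pool size, the secret and
# the rule "6 decoys drawn at random from the pool" are assumptions.
ICON_POOL = [f"icon{i:02d}" for i in range(30)]     # constructed icon pool
SECRET = ("icon03", "icon17", "icon25")             # constructed ordered passphrase

def keyspace_all_static(n_shown=9, n_chosen=3):
    """Ordered choices of 3 out of 9 icons: P(9,3) = 9*8*7 = 504."""
    return math.perm(n_shown, n_chosen)

def keyspace_known_icons(n_chosen=3):
    """Once the 3 correct icons are identified only their order is left: P(3,3) = 3! = 6."""
    return math.perm(n_chosen, n_chosen)

def entropy_bits(keyspace):
    """Equivalent password strength in bits, for comparison with ordinary passwords."""
    return math.log2(keyspace)

def make_challenge(secret, pool, rng, n_shown=9):
    """One page load: the correct icons plus enough random decoys to show n_shown, shuffled."""
    decoys = rng.sample([i for i in pool if i not in secret], n_shown - len(secret))
    shown = list(secret) + decoys
    rng.shuffle(shown)
    return shown

def static_icons_after_reloads(secret, pool, reloads, seed=1):
    """Intersect the icon sets of several reloads: decoys come and go, but the
    correct icons are on every load, so only they survive the intersection."""
    rng = random.Random(seed)
    survivors = None
    for _ in range(reloads):
        shown = set(make_challenge(secret, pool, rng))
        survivors = shown if survivors is None else survivors & shown
    return survivors

def candidate_passphrases(survivors, n_chosen=3):
    """Ordered guesses left once the candidate icon set is narrowed to `survivors`."""
    return math.perm(len(survivors), n_chosen)

if __name__ == "__main__":
    full = keyspace_all_static()
    print(f"all icons static : {full} guesses, {entropy_bits(full):.1f} bits")
    left = static_icons_after_reloads(SECRET, ICON_POOL, reloads=20)
    narrowed = candidate_passphrases(left)
    print(f"after 20 reloads : {sorted(left)} -> {narrowed} guesses, {entropy_bits(narrowed):.1f} bits")
```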

So the conclusion is that if an attacker gets hold of the password to an account, this “added security” is unlikely to stop anyone for more than at most a few attempts. Any attacker that can gain access to the password will bypass the Factor2 authentication in minutes. Enforcing good computer security isn’t hard, and it usually doesn’t come with a catchy slogan or trademark (and in these days of open source, not even a price tag), so why do we still see this kind of crap safeguarding our assets? No one would accept a 5-pin padlock on the bank vault, but on the internet everything seems to go if it’s got nice colors. Or perhaps a nifty animation. Or both.