Worst Best Practices: Two Factor Authentication #GartnerSecurity

These are notes from the last session at the 2009 Gartner Security Summit; a tongue-in-cheek look at the worst best practices in IT.
The real problem here isn't with two-factor authentication as such, rather it is with bad implementations. Inconsistent definitions of two-factor authentication allow implementers to do whatever they want. Not every method is equally strong, and it may be possible to pick two factors that together are less secure than a different single-factor authentication. The level of assurance and accountability of each factor of authentication should be considered.
In reality even a password by itself can be two-factor: it's something you have (a company laptop) or somewhere you are (at work) in addition to something you know.
We've all logged into our bank where we've been asked something we know (our password) and something we know (personal info). When used like this, two-factor authentication is security theater.
Use more than just a password when performing two-factor authentication. Or, the reverse: you must have a PIN when using a token for authentication. Otherwise authentication would be granted by the mere possession of the device.
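The points above (two credentials from the same category are not two factors; a token alone is only possession) boil down to one rule: count distinct factor categories, not credentials. The following is an added example, not code from the original post or from Gartner, of a small policy check that applies that rule. The `Factor` categories, the `CREDENTIAL_FACTOR` mapping and the credential names are assumptions chosen for illustration.

```python
"""Check whether a set of presented credentials is genuinely multi-factor.

Added example (not from the original post). The factor categories and the
credential-to-category mapping are assumptions used for illustration.
"""
from enum import Enum


class Factor(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"
    WHERE = "somewhere you are"


# Hypothetical mapping from credential type to the factor category it proves.
# Note that "security_question" (the bank's personal-info challenge) lands in
# the same category as a password: both are knowledge.
CREDENTIAL_FACTOR = {
    "password": Factor.KNOW,
    "pin": Factor.KNOW,
    "security_question": Factor.KNOW,
    "hardware_token": Factor.HAVE,
    "managed_laptop": Factor.HAVE,
    "fingerprint": Factor.ARE,
    "office_network": Factor.WHERE,
}


def factors_proven(credentials):
    """Return the set of distinct factor categories covered by credentials.

    Unclassified credential types are rejected rather than silently counted,
    so an implementer cannot pad the factor count with an unknown method.
    """
    unknown = [c for c in credentials if c not in CREDENTIAL_FACTOR]
    if unknown:
        raise ValueError(f"unclassified credential(s): {unknown}")
    return {CREDENTIAL_FACTOR[c] for c in credentials}


def is_multi_factor(credentials):
    """True only if at least two *different* categories are proven.

    Password + security question collapses to one category (knowledge),
    so it is single-factor no matter how many questions are asked.
    """
    return len(factors_proven(credentials)) >= 2


def token_requires_pin(credentials):
    """Policy from the post: possession on its own must never be enough.

    Returns False when a possession credential is presented without any
    knowledge credential, i.e. when holding the device alone would log in.
    """
    proven = factors_proven(credentials)
    return not (Factor.HAVE in proven and Factor.KNOW not in proven)


def explain(credentials):
    """Human-readable verdict listing the categories that were counted."""
    proven = factors_proven(credentials)
    verdict = "multi-factor" if len(proven) >= 2 else "single-factor"
    categories = ", ".join(sorted(f.value for f in proven))
    return f"{verdict} ({categories})"


if __name__ == "__main__":
    # Constructed sample credential sets, not real login data.
    samples = [
        ["password", "security_question"],  # the bank example: theater
        ["password", "managed_laptop"],      # "just a password", but two factors
        ["hardware_token"],                  # possession only
        ["hardware_token", "pin"],           # token plus PIN
    ]
    for creds in samples:
        print(creds, "->", explain(creds),
              "| token-needs-PIN policy ok:", token_requires_pin(creds))
```

The design choice worth noting is that the policy is expressed over categories rather than over a credential count; the mapping table is where an organisation records which methods it considers to prove which factor, and the check refuses anything it cannot classify.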