The term two-factor authentication is rapidly acquiring buzzword status and, like any buzzword, is losing its precise meaning in the process. It doesn't help that the concept of two-factor authentication is still so new in many executives' minds that they're not sure how it applies, or even what it is.
"My experience in dealing with CTOs [Chief Technology Officers] at financial institutions is that they pretty much accept Secure Sockets Layer as an example of a satisfactory implementation of two-factor authentication," says Don Scott, Senior Vice President of Technical Sales at TranSend International, a maker of two-factor authentication products. The problem, Scott points out, is that SSL doesn't use two-factor authentication at all. Nor does it completely protect transactions. It simply encrypts information moving over the Internet.
Of course, there is no "one size fits all" solution to security. "If anyone tells you that one thing will solve all your security problems, ask them to prove it," says Mark Griffiths, Vice President of Authentication Services for VeriSign, Inc., a maker of encryption and authentication products. "I'd be very surprised if they can."
There are dozens of methods of two-factor authentication, and they vary enormously in their sophistication, security, and cost. This isn't necessarily a bad thing. In general, you have to spend more to get higher levels of security. Logging in to a workstation on a secretary's desk typically doesn't require the same level of security as a transaction moving a couple of million dollars halfway around the planet. However, the need for different levels of security poses an additional complication for anyone who has to evaluate two-factor authentication products. You have to decide whether the proposed method is appropriate for the specific application.