Security authentication relies upon three factors: what you know, what you are, and what you have.
What you know: the canonical example of this is a password. It’s something you know: something you’ve memorized and, when asked, you can repeat. Other examples are the PIN on an ATM card, or the answer to a question like “your mother’s maiden name”.
What you are: this is some physical attribute about yourself. Your fingerprint, your eye color or the pattern of veins at the back of your eye–or the relative length of the fingers on your hand: these are all attributes which are things that you are.
What you have: this is a physical object that is in your possession. The perfect example of this is the key to your house: it is a physical object that allows you to get into your home.
The idea of two-factor authentication is simple: by having two of the three items above, you can then prove that you’re ‘you’ so you can get access to your account, your money, or your property. A perfect example of two-factor authentication is using your ATM card to withdraw money: you cannot withdraw money unless you can show you have something (the card) and you know something (the PIN number). The strength of two-factor authentication relies upon the relative strength of each factor of authentication: in a sense, the overall strength of two-factor authentication is the strength of the first times the strength of the second.
Which is why ATMs are secure even though passwords (a 4 to 6 digit number) are so bloody weak: even though the password itself is extremely weak, you also need to have something in order to withdraw money. Having something times knowing something is stronger than just knowing something by itself–even if the thing you know can be easily guessed.
This also illustrates the danger of some types of two-factor authentication: they can easily collapse into one-factor authentication (thus making it extremely easy to steal your money) through a simple act. In the case of an ATM card, two-factor authentication becomes one-factor authentication if you write your PIN number on your ATM card. Now anyone who has your ATM card can withdraw money–and they don’t have to know your PIN, they can just read it off your card.
Another example of two-factor which collapses into one-factor authentication would be a pre-printed card with a random number: you can memorize the random number on the card–essentially turning your ‘two-factor’ authentication into a memorized one-factor authentication. Not that this is bad: generally longer passwords are more secure than shorter passwords, and banks are missing out on a bet when they limit ATM passwords to 4 to 8 numbers. Even so, this really is no longer two-factor authentication–which is why there are devices out there (such as key fobs) which randomly generate a number on a synchronized clock: the number constantly changes in a seemingly random way, forcing you to have the device on your possession so you can enter the randomly generated number.
Banks have been required for the past year to come up with two-factor authentication for on-line accounts–and they have failed dismally at this, as illustrated here: Wish-It-Was Two-Factor, where banks essentially require you to pick three passwords rather than one: a real password, a ‘question’ and an ‘answer’. It’s not really two-factor authentication: it’s simply a much longer (and harder to remember) password which frustrates people. And again, while having a longer password is generally more secure, it’s not two-factor authentication.
It struck me that there is one cheap way for banks to create two-factor authentication from something you know and something you have. It’s easy, really: when you open an account with the bank, they send you a piece of paper with a table of fifty random numbers or words or phrases, each one numbered on the paper. So, for example, on that page you’d see:
1: 148191
2: 381912
3: 108910
and so forth.
When you’re asked to log in, the login dialog box then asks for three things: your username, your password, and the number that is in cell N on your access page.
By making this list long enough, you virtually have to have possession of the paper to supply the right code. It is also easy for the legitimate user to look up the number on the sheet, rather than having to guess the answer to the question “what is your third-favorite existential author” or some other nonsense. Which makes it honest to goodness two-factor authentication–and the cost to administer this is no greater than the cost to print out an additional page to send to the user.
If you use the idea, you don’t have to credit me.
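The access-page scheme described above, written out as an added example (not code from the original post): the bank generates a numbered sheet of fifty six-digit codes at enrollment, the server (never the client) picks the cell N to ask for at each login, and a code is spent once it has been used, so a harvested one cannot be replayed. The in-memory `BankLogin` class, the PBKDF2 password hashing and the sample account are assumptions for illustration; lockout and rate limiting are left out.

```python
import hashlib
import hmac
import secrets

CODE_COUNT, CODE_DIGITS = 50, 6   # cells per printed page, digits per code (as in "148191")

def generate_access_sheet(count=CODE_COUNT, digits=CODE_DIGITS):
    """The numbered table printed and mailed to the customer: {cell: code}."""
    return {n: f"{secrets.randbelow(10 ** digits):0{digits}d}" for n in range(1, count + 1)}

def render_sheet(sheet):
    """Text of the page the customer receives, one "N: code" line per cell."""
    return "\n".join(f"{n}: {code}" for n, code in sorted(sheet.items()))

def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class BankLogin:
    """Server side: username + password (something you know) + cell N (something you have)."""
    def __init__(self):
        self.accounts = {}  # username -> record; in-memory stand-in for the bank's database

    def enroll(self, username, password):
        salt = secrets.token_bytes(16)
        sheet = generate_access_sheet()
        self.accounts[username] = {"salt": salt, "pw_hash": _hash_password(password, salt),
                                   "sheet": sheet, "used": set(), "pending": None}
        return sheet  # this copy goes to the printer; the bank keeps only the server copy

    def challenge(self, username):
        """The server, not the client, picks cell N; None if unknown user or sheet spent."""
        rec = self.accounts.get(username)
        if rec is None:
            return None
        unused = [n for n in rec["sheet"] if n not in rec["used"]]
        rec["pending"] = secrets.choice(unused) if unused else None
        return rec["pending"]

    def login(self, username, password, code):
        """True only if both the password and the code in the pending cell match."""
        rec = self.accounts.get(username)
        if rec is None or rec["pending"] is None:
            return False
        cell, rec["pending"] = rec["pending"], None  # one guess per challenge
        pw_ok = hmac.compare_digest(rec["pw_hash"], _hash_password(password, rec["salt"]))
        code_ok = hmac.compare_digest(rec["sheet"][cell].encode(), str(code).encode())
        if pw_ok and code_ok:
            rec["used"].add(cell)  # spent: a harvested code cannot be replayed later
            return True
        return False
```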
Paper-based two-factor is certainly a reasonable way to go, and there are some interesting solutions out there – look at s/key (http://en.wikipedia.org/wiki/Skey) for one.
My company provides a free two-factor authentication product for individuals and small/medium businesses called PhoneFactor (www.phonefactor.net), that uses your cell phone as the hardware token. I have blogged a lot about some of these issues too, at blog.phonefactor.net.
Your point about when two-factor turns into one-factor is dead-on. I actually think it applies to mag stripe cards as well, since they’re easy to change and easy to steal.
Same goes for (some) USB tokens, like flash drives, and obviously with wish-it-was-two-factor.
The problem with a paper-based solution is that it is still susceptible to a man-in-the-middle attack. There actually was such an attack against a Swedish (IIRC) bank. Our solution (http://www.wikidsystems.com, at the risk of adding to the spammish comments here) includes an https mutual authentication solution for a PC-based token. Our wireless tokens can’t do that for obvious reasons. However, even that is not enough because many attacks are now ‘man-in-the-browser’ attacks – malware in the browser. What will be needed eventually is an out-of-band public-key based system that will sign transactions securely.
Just my thoughts.
The rationale for a two-factor authentication method is that it makes things more complicated to attackers–but it’s not impossible. Even SSL isn’t perfect: it just requires someone to illicitly gain access to an SSL certificate to set up a “near perfect” man in the middle attack, if you’re willing to do it in a country which would look the other way to such an attack. And as you said, malware can create all sorts of problems as well.
The nice part of having a two-factor authentication scheme (such as a key fob, using your cell phone as a key fob, or a sheet of one-off codes) is that you can prevent a different class of attack, where people attempt to scrape your username and password to use later or to exchange on-line. But two-factor authentication from a remote computer will never completely save one from a man-in-the-middle attack or a man-in-the-browser attack, assuming that the attack occurred in real time: that is, in order for a two-factor authentication scheme to fail with a man-in-the-middle attack, the man-in-the-middle would have to use the generated token right away to carry out the attack.
(In other words, a man-in-the-middle attack that is simply harvesting passwords would fail with two-factor authentication. But one could theorize a bot which takes a bank transaction request and piggybacks a second request to transfer money onto the first request. I don’t know how you’d protect against that sort of attack.)