Part Two: Two Factor Authentication!?!

Alas, finally I made it to part two after so long.  :)

Continuing from the previous post, OTP tokens are generally time-based or event-based.  For time-based tokens, the pseudo-random number changes at a pre-determined interval, usually 30-60 seconds. For event-based tokens, it's based on a user event such as user pressing the button on the token and using a mathematical algorithm to generate the pseudo-random number and so on from there.  Further explanation can be found here about what is an OTP - http://en.wikipedia.org/wiki/One-time_password .

There are now several companies providing such security tokens used for two factor authentication (TFA).  A good explanation of the various types of security tokens can be found here - http://en.wikipedia.org/wiki/Security_token .

In Singapore or even worldwide, for most internet banking services, it's already a practice to use such tokens to improve security.  (For the curious or security people, you are able to find out which particular token you are using from the list shown earlier.) Although it adds a layer of protection by using security tokens with TFA, it is still not totally foolproof.

With Wikileaks, cyber attacks in Singapore and other recent events, Singaporeans should not be complacent about security.  One such event is the DBS false login page that was in the news and luckily the user was knowledgable to not proceed on.  Here is one such notice on phishing by the bank - http://www.dbs.com/sg/personal/ibanking/additionalinfo/security/phishing/default.aspx . The banks has done their part in informing the general public and taking other measures for prevention.  Normal users still need to be informed of such risks and how to identify them.  

For the technically inclined on how it happens and recommendation of TFA usage, Bruce Schneier mentioned it in his blog here -http://www.schneier.com/blog/archives/2005/03/the_failure_of.html .


References:
- Wikipedia
- http://www.schneier.com/