Sunday, July 09, 2006

Simple factor is better than two-factor authentication

This article is spot on in looking at how the hype generated around two-factor authentication is hiding simple and inexpensive solutions. The new buzz phrase in corporate boardrooms is “two-factor authentication is the only adequate control mechanism for internet-based products and services such as online banking”. In reality, I would rather say that being in the boardrooms is what makes upcoming two-factor authentication inadequate. The ineluctable result would be another massive influx of money to keep alive outdated thinking about identity. Many privacy and security professionals say the costs and operational challenges of implementing two-factor authentication on a large scale make it time to reassess the situation. Their reasons are summed up in two main questions:

  • What new risks have been discovered that need to be addressed?
  • Are there other ways, besides traditional two-factor authentication, to counter these risks?

The author gives the standard answer to the first question:

that the purpose of the second factor of authentication is to compensate for the weaknesses of the first factor, the password. Weak passwords can be cracked with free software available on the Internet; they can often be discovered inside files stored on the network or people’s laptops, or on sticky notes left inside desk drawers; and they can be solicited through social engineering and phishing e-mails.

The article goes on to describe different alternatives that address the second question. But I believe it does not capture the real reason why the questions were asked in the first place. In essence, these questions are telling us that password authentication is ineffective because passwords are available all over the corporate and extra-corporate spaces. They nevertheless fail to analyze this finding beyond the mere need to supplement it with an additional control.

If password-based control has become so weak, it is because of its inadequacy for human behavior. Passwords would bring the expected level of control if they were only used by machines. Machines are natively built to understand and remember 256-bit hash values; human beings are not. On the other hand, photo passwords as described in the article perfectly suit a human mind, and discourage even the most powerful image recognition algorithms.

Forcing a machine semantic on flesh and blood never works. But I doubt this is common wisdom in the boardroom.
