What Is Two-Factor Authentication?
Before you can start evaluating two-factor authentication systems, you have to understand what two-factor authentication is. The basic idea of two-factor authentication as it's usually understood is "something you have plus something you know." The thing you have can be anything from a smart card to a USB key fob to your fingerprint. The thing you know is usually a conventional password. The classic example is an ATM card. To get money out of the ATM, you need both your card and your PIN (password).
Most two-factor systems rely on a password or PIN and something else, but that "something else" varies widely. In some cases, the "something else" is your computer. The system takes a hardware and software snapshot of your computer configuration and uses that information to identify you. This approach has the advantage of being as simple as using a password. The disadvantages are that the system has to go snooping around in your computer to identify you, and this setup ties your "identity" to a single computer.
One popular method is a USB device that's protected against tampering. USB fobs can have more computing power and memory than whole computing systems of a few years ago. Because USB ports are nearly universal on today's desktop computers, there's usually no need for a special reader. The need for a reader has been a problem with some smart card systems. This is one of the problems with the American Express Blue Card program, which relies on smart cards to authenticate in-store and eCommerce transactions. The users or merchants have to purchase smart card readers, and the extra expense has made the program unpopular with many customers and merchants.
In other variations, the device isn't attached to the computer at all, and the user has to manually enter the code that the device generates. Still another system uses biometric data such as fingerprints or retina patterns, suitably encrypted, to identify the user.
Windows' authentication architecture makes it easy to add new forms of authentication. Windows uses a DLL called Graphical Identification and Authentication (GINA) to connect the authentication method to the Windows authentication system. It's easy to write alternate DLLs for GINA, to use any authentication method the software designer wants.
However, the nature of the second factor only scratches the surface of two-factor authentication. The cleverest, most secure method of generating the second factor is useless if the rest of the process is insecure. To judge how effective a two-factor authentication system is, you have to look at the whole system, not just the second factor. This is a problem because even the experts tend to characterize systems in terms of what they use for a second factor. While some second factors are definitely more secure than others, the balance of the system—such as encryption, challenge-response, and many other systems—are at least as important.