I don’t think username/password can last much longer as the primary means of authentication on the web. Rampant phishing has made it all too common for unsuspecting “normals” (and even those who are more tech savvy) to inadvertently open themselves up to malicious purchases, or massive promulgation of spam emails and social network comments from their account. It’s only going to get worse as phishers get more and more sophisticated.
One way to slash the number of successful phishing attempts would be for B2C sites to start adding mobile-based authentication as part of their login process on top of the usual username/password combo.
Yes, this would add friction to the user experience, since the user has to do more at login than type a username and password, but it would dramatically reduce what an attacker can do with a stolen password: a harvested credential on its own would no longer be enough to get in.
With this type of authentication scheme, when you log in with your username/password pair, the site calls your phone once that combination checks out. Your phone rings, you pick up, and you press a button to confirm that you are indeed the person who just entered those credentials. This is a powerful concept because a phisher who has harvested your password but doesn’t have your phone can’t do any damage with it. One caveat: the call only helps if the user refuses to press the button for a call they did not initiate, and if the prompt says what it is approving, otherwise a phisher who relays your credentials to the real site the moment you type them into a fake one would trigger a call you are expecting.
For added security, a site could also use the same phone confirmation to protect certain critical operations after login (e.g. a mass delete, a message to a large number of contacts, a purchase above a certain pre-set threshold), so that even a hijacked session can’t do the damaging things on its own.
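To make the login flow and the post-login step-up concrete, here is an added example (not code from the original post) that models both: a server that accepts a username/password, rings the registered phone and only opens a session if the owner presses the key, and that rings again for a purchase above a threshold. The telephony provider is replaced by a constructed simulation in which a phone owner presses the key only for actions they themselves started; the users, phone numbers, thresholds and PBKDF2 work factor are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PBKDF2_ROUNDS = 50_000  # illustrative work factor; tune to your hardware


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so a leaked user table does not leak passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    phone: str  # the registered second factor (hypothetical number)

    @classmethod
    def create(cls, username: str, password: str, phone: str) -> "User":
        salt = secrets.token_bytes(16)
        return cls(username, salt, hash_password(password, salt), phone)


class SimulatedPhoneNetwork:
    """Constructed stand-in for a telephony provider. The owner of a phone
    presses the key only for an action they are expecting to perform; a
    phisher who holds the password but not the phone never gets to press it."""

    def __init__(self):
        self.expected = {}  # phone -> set of actions the owner is about to perform
        self.calls = []     # every (phone, action, detail) the server rang

    def owner_expects(self, phone: str, action: str) -> None:
        self.expected.setdefault(phone, set()).add(action)

    def call_and_wait(self, phone: str, action: str, detail: str) -> bool:
        self.calls.append((phone, action, detail))
        pending = self.expected.get(phone, set())
        pressed = action in pending
        pending.discard(action)  # one expectation approves one call, never a replay
        return pressed


class AuthServer:
    def __init__(self, users, phones, purchase_threshold=100.0):
        self.users = {u.username: u for u in users}
        self.phones = phones
        self.purchase_threshold = purchase_threshold
        self.sessions = {}  # session token -> username

    def login(self, username: str, password: str):
        user = self.users.get(username)
        if user is None:
            hash_password(password, b"\x00" * 16)  # spend the same time as a wrong password
            return None
        if not hmac.compare_digest(hash_password(password, user.salt), user.password_hash):
            return None
        # Password accepted: ring the registered phone and require a key press.
        if not self.phones.call_and_wait(user.phone, "login", f"login as {username}"):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    def _require_session(self, token: str) -> User:
        username = self.sessions.get(token)
        if username is None:
            raise PermissionError("no valid session")
        return self.users[username]

    def purchase(self, token: str, amount: float) -> bool:
        """Step-up: purchases above the threshold ring the phone again."""
        user = self._require_session(token)
        if amount > self.purchase_threshold:
            if not self.phones.call_and_wait(user.phone, "purchase", f"purchase of {amount:.2f}"):
                return False
        return True  # the order would be placed here


def demo() -> dict:
    phones = SimulatedPhoneNetwork()
    alice = User.create("alice", "correct horse battery staple", "+1-555-0100")  # constructed user
    server = AuthServer([alice], phones)

    wrong_pw = server.login("alice", "guess")        # rejected before any call is placed
    unknown = server.login("bob", "whatever")        # same

    phones.owner_expects(alice.phone, "login")       # Alice is at her phone and expects the call
    token = server.login("alice", "correct horse battery staple")

    # A phisher has the same password but not the phone: Alice's phone rings
    # out of the blue, she does not press the key, and no session is created.
    stolen = server.login("alice", "correct horse battery staple")

    small = server.purchase(token, 19.99)            # below threshold, no call
    phones.owner_expects(alice.phone, "purchase")
    large = server.purchase(token, 2500.00)          # above threshold, Alice approves
    large_hijacked = server.purchase(token, 2500.00) # same session, nobody expecting it

    return {"wrong_pw": wrong_pw, "unknown": unknown, "alice_token": token,
            "phisher_token": stolen, "small": small, "large": large,
            "large_hijacked": large_hijacked, "calls_placed": len(phones.calls),
            "open_sessions": len(server.sessions)}


if __name__ == "__main__":
    print(demo())
```

The simulation deliberately makes the owner's decision depend on whether they started the action; that is exactly the behaviour the scheme relies on, and it is also why the prompt on the call should name the action and amount rather than just ask for a key press.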
No consumer site has tried to “sell” me this kind of two-factor authentication lately as part of their user experience. However, if that site is buying or selling anything on my behalf, I’m open to a slightly more clunky user experience in order to add another layer of protection.
There are companies that provide two-factor authentication as a service, but clearly it is not terribly popular in the consumer web or B2C world (or, maybe just with the sites I use — as I never bump into it).
Is the user experience so poor that it’s not worth implementing these solutions? Basic two-factor auth is not that hard to build, so I can’t imagine that it would be a technology issue (or a cost issue if working with a 3rd party web service that provided this functionality). Or do the consumer sites themselves and their customers not really see this (phishing) as an existential threat?
It seems intuitive that mobile and/or multi-factor (e.g. phone + username/password + something else) authentication is a big area of opportunity given the current trends in phishing and security, but maybe I am missing something.
What am I missing? :)