Negative One Factor Authentication

Network World Magazine is running a story about Robert Thompson from AVG, who apparently had an Interesting Conversation with a Wachovia consumer security representative recently.  As he details on his blog, after being asked the standard personal info questions to un-suspend his credit card, Wachovia then proceeded to ask him about what *they* called "publicly available information."

The gist of his post is that, while the jury's out on exactly where they got this info, he suspects somebody's mining the social networks.  Honestly this doesn't shock me in any way. I think anybody who uses a social network without expecting that "personal" info will leak out has had their expectations incorrectly set.  When an infosec person thinks their "personal" info on Facebook stands a prayer in hell of remaining personal...well, I gotta wonder...

ANYWAYS, that's not the interesting part, nor the reason for this post.  What really tickles me is this: How in god's name could a company ask you with a straight face to authenticate yourself by answering questions about publicly available information?

Quick recap of multi-factor authentication for those who haven't gone to CISSP bootcamp yet:

  • One-factor authentication is usually "something you know," like your username and password.
  • In two factor authentication, you're asked to verify something you know, as well as something you have.  So, say username, password, and please could you type in the number on that little RSA dongle you have? Thanks.
  • The "third factor" of authentication represents something you "are" or "do." Usually this refers to retina or hand scans. I've heard of man traps that verify your weight.

Wachovia engineering has clearly developed an additional factor of authentication, which I am going to call "Negative One."  So we can all clearly understand each other when we use this (pejorative) phrase, its definition follows:

  • In Negative One Factor Authentication, the user is queried about information that is known not just by that user, but also by that user's friends, by friends of friends of that user, and possibly by the general public.

Here's hoping that other financial institutions DO NOT start implementing Negative One Factor Authentication anytime soon.