Strong Auth Rant

I've recently found Dan Blum's Identerati blog and found there a piece that explains why "strong" authentication will not fix phishing. And it really struck me. How could anyone ever think that one-way authentication can fix a man-in-the-middle attack? What kind of people are out there?

Some environments can really surprise me. It was only a few years ago that I learned that some American bank used only simple passwords for Internet banking access. "What foolishness", I thought. Here, in barbaric Eastern Europe, no bank would ever risk that. Even the technologically least advanced bank deployed at least some kind of "strong" auth before the turn of the millennium. And even with strong auth there were some breaches. Nothing public, of course :-)

Only later I learned that it is common practice in the US to use passwords only. Real foolishness. I'm no fan of so-called "strong authentication", because that is usually just a one-way dynamic password authentication scheme(*) packaged in a nice box. But even that is much better than static passwords.

(*) Oh yeah, you can "secure" the "strong" auth by wrapping the HTML form in SSL. But, have you ever seen the list of "trusted" Certificate Authorities in your browser? No? Then go on and have a look. I would bet that there are many of them that you've never heard of. Do you trust them? I'm sure you do.
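To make the "one-way auth cannot fix a man-in-the-middle" point concrete, here is an added toy model (my own example, not from Dan Blum's piece or any bank's product). It contrasts a plain one-way dynamic password with a variant that also commits to the site origin, an idea the post itself does not discuss; the hostnames and the seed are constructed for the demo.

```python
import hmac
import hashlib

# Constructed shared seed of one user's token; a real seed is per-device and secret.
SECRET = b"constructed-demo-seed"
BANK = "bank.example"              # the real site (assumption)
PHISH = "bank-login.example"       # constructed look-alike host run by a relay (assumption)


def one_way_otp(secret: bytes, counter: int) -> str:
    """HOTP-style one-way dynamic password: depends only on seed and counter.
    Real tokens truncate to 6 digits; 12 hex chars are kept here for clarity."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return mac.hex()[:12]


def origin_bound_otp(secret: bytes, counter: int, origin: str) -> str:
    """Same scheme, but the code also commits to the origin the client sees."""
    msg = counter.to_bytes(8, "big") + origin.encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return mac.hex()[:12]


def bank_accepts_one_way(code: str, counter: int) -> bool:
    # The verifier only sees a code; it has no idea which path it travelled.
    return hmac.compare_digest(code, one_way_otp(SECRET, counter))


def bank_accepts_bound(code: str, counter: int) -> bool:
    # The real bank only ever verifies against its own origin.
    return hmac.compare_digest(code, origin_bound_otp(SECRET, counter, BANK))


def relay_scenario(counter: int) -> tuple[bool, bool]:
    """User logs in at the look-alike host, which forwards the code to the bank unchanged.
    Returns (one-way accepted?, origin-bound accepted?)."""
    typed_one_way = one_way_otp(SECRET, counter)              # token can't tell where it is used
    typed_bound = origin_bound_otp(SECRET, counter, PHISH)    # client binds to what it actually saw
    return (bank_accepts_one_way(typed_one_way, counter),
            bank_accepts_bound(typed_bound, counter))


def direct_scenario(counter: int) -> tuple[bool, bool]:
    """User logs in at the real bank: both schemes succeed."""
    return (bank_accepts_one_way(one_way_otp(SECRET, counter), counter),
            bank_accepts_bound(origin_bound_otp(SECRET, counter, BANK), counter))
```

The one-way code is accepted in both scenarios because the verifier cannot distinguish a relayed code from a direct one; only the origin-bound variant fails when the user was on the wrong site.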