Thursday, 11 June 2015

Two-factor identification problems

A lot of people are advocating two-factor identification as a way to improve security. But it isn't as simple as that.

There's always a trade-off between security and convenience. And here's an example.

The DVLA (the UK's Driving Licence authority) have introduced a new scheme, starting this week. Before, if you wanted to prove that you have a driving licence, you showed your driving licence. Simple. There was a plastic card, and a paper with the details, showing what you could drive, and what penalty points you had. So if, for example, you wanted to hire a car, you showed them that, then you could drive away.

Now it's different. You have to go to their web site and fill in a form, giving your driving licence number and your National Insurance number. That gives you an 8-character code, and third parties can use that code and your driving licence number to see the details that were previously on the paper. The code is only valid for 72 hours, and can only be used once.

So here's the problem. What if, three days after you generated that code, you need to do it again? If you've made a note of your National Insurance number, and if you have internet access, you'll be OK. But if you don't, you're stuck. And if the DVLA web site is down, you're stuck.

If you're thinking of introducing two-factor identification, you should think carefully about the ways that it can go wrong, before you make it compulsory.

1 comment:

  1. Yes, but Alan, we are talking about a government agency here, their websites would never go down.

    They run a copy of Dr Solomon's Antivirus Toolkit - kills all known germs dead, as well - what could possibly go wrong?

    PS: I must stop thinking about food so much, and see if the captcha thing starts showing pictures of Space.