Or so this blog on security says.
“Some experts claim that two-factor authentication won’t work. They are wrong, of course.”
The expert linked to is Bruce Schneier, and the main attack he points out that isn’t affected by TFS is … a fake website asking for your credentials.
Funny. That was one of the main ways of stealing people’s MMO player accounts when I first got into MMO dev around ten years ago. And it’s still one of the main ways now (although there are plenty of other good ones, as noted in the linked post). It’s just … so easy!
Which would suggest that yes, actually, Bruce is right: TFS is going to do little to combat the *actual problems* being faced here.
Personally, I’ve always been on the side that says security is pretty simple, really: prevention is impossible; anything that claims to provide great prevention is snake oil; and the reason security in practice is hard is that you have to find ways to deal with detection and response, and *that’s* where all the interesting stuff is.
On the other hand, I’ve now heard a couple of people suggest that the one-time-passwords thing from Blizzard isn’t about the passwords anyway: it’s about reducing credit-card chargebacks by shipping goods to the actual address first. In a way, it’s a basic form of TFS on the act of issuing a CC charge: you have to know the CC details and be able to intercept snailmail post, and until you succeed at both, the company doesn’t need to issue the CC charge.
Again … prevention? Nah, I can still intercept post, even on a large scale. But … detecting that interception is going to be somewhat easier, and responding to it (getting people fired from FedEx, or whichever company has been infiltrated and/or has a dodgy employee that’s been fired) is probably a lot easier than dealing with an unknown anonymous person from “somewhere” on the planet who bought 10,000 CC’s on the black market.
So, props to Blizzard. But not for making “a better form of password”. And a thumbs-down to Errata Security: sorry, but I’m not convinced by your analysis. I see what you’re saying, but I suspect you’re barking up the wrong tree. And I’m afraid I’m always suspicious of people who defend any preventative measure too closely – security doesn’t seem to work like that, sadly.