By that argument, no physical tokens (SecurID, YubiKey, etc.) add another factor - they also _could_ be stolen at the same time as your laptop is stolen.
You are absolutely correct :) If you already have a certificate on your laptop, or SMS-based authentication, then adding a SecurID token will not change the security profile of the system. Yes, you might get extra security protection if you employ additional measures (e.g. store the SecurID token in the office safe at all times) but the attack vectors will still be the same.
There are different authentication factors: what you know (e.g. password), what you have (e.g. token), and who you are (e.g. iris scans). In general, adding multiple types of the same factor does not actually increase the security (e.g. having password + pin is not really better than just having a password). The actual multi-factor authentication should include different factors to protect against different attack vectors.
There is, though, a difference between stealing my laptop, my phone, and my keyring. Sure, a targeted attack by a nation state aiming to get access to my multi-factor-auth services could grab all three at once, but the chance of an opportunistic theft acquiring any two or all three of those devices is _very_ much smaller than just the laptop.
lsh123|12 years ago
bigiain|12 years ago