Multi-Factor Authentication Misconceptions - Part I

I was recently talking with a vendor/consultant who noticed my IronKey (www.ironkey.com). We discussed a few of the features and eventually hit upon the password manager. The individual said that the IronKey’s password management is a good way to transform website authentication from one factor into two factors. His logic was that the IronKey (something you have) requires a password (something you know) to access the password manager (another something you have).

The flaw in that logic is the assumption that the IronKey is required to authenticate to the site. In reality, the site only cares whether I have provided the correct site username and site password. The website offers no facility to verify that I am in possession of the IronKey, such as a one-time-password (OTP) mechanism internal to the IronKey. While I may be using two factors to access the site’s credentials, the site’s credentials are all that is required to access the site. Those credentials exist outside of the device and can be reused to access the site, and that is the issue. Only the mechanisms actually verified by the site can be considered when “counting” factors.

A malicious browser helper object (BHO), sniffer, or other malware can grab these credentials and allow an agent to access the site without possessing the IronKey or knowing the IronKey’s password (by the way, the IronKey does have some capabilities to prevent malware from accessing the credentials entered into a form). The issue is not specific to the IronKey; it is an issue with the authentication mechanisms commonly in use and with misconceptions regarding authentication.

Ultimately, the site’s credentials can be reused without the need for the IronKey and its password. Ironically, it would actually be more difficult for me to log in to the website than for the bad guy, since I would have to use my two factors to retrieve the site credentials (assuming I don’t have them stored elsewhere and can’t remember them). I am not saying that something such as the IronKey doesn’t help with security (it is much better than a text file or crappy passwords); you just have to know the limitations of such an option.
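To make the factor-counting rule concrete, here is an added example (not from the original post and not IronKey’s code) that models the two site designs in Python: one site that verifies only username and password, and one that additionally verifies an HOTP code (RFC 4226) derived from a secret that never leaves the token. The username, password and device secret are constructed for the demo; the replay shows why captured credentials are enough against the first design but not the second.

```python
import hashlib
import hmac
import struct

# Constructed demo values (not real accounts or secrets).
USERNAME = "alice"
PASSWORD = "correct horse battery staple"
DEVICE_SECRET = b"constructed-device-secret-not-real"  # held only inside the token


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class PasswordOnlySite:
    """From this site's point of view there is exactly one factor; the token is invisible."""

    def login(self, user: str, password: str) -> bool:
        return user == USERNAME and hmac.compare_digest(password, PASSWORD)


class OtpSite:
    """This site also checks a code only the token can produce, so it can count two factors."""

    def __init__(self) -> None:
        self.counter = 0  # highest counter accepted so far; a replayed code never advances it

    def login(self, user: str, password: str, otp: str) -> bool:
        if user != USERNAME or not hmac.compare_digest(password, PASSWORD):
            return False
        # Accept only a code for a counter beyond the last accepted one (small look-ahead window).
        for c in range(self.counter + 1, self.counter + 4):
            if hmac.compare_digest(hotp(DEVICE_SECRET, c), otp):
                self.counter = c
                return True
        return False


def replay_outcomes() -> dict:
    """One legitimate login is captured by malware and replayed verbatim against both designs."""
    pw_site, otp_site = PasswordOnlySite(), OtpSite()
    captured = (USERNAME, PASSWORD, hotp(DEVICE_SECRET, 1))  # token emitted code for counter 1
    assert pw_site.login(captured[0], captured[1]) and otp_site.login(*captured)
    return {
        "password_only_replay": pw_site.login(captured[0], captured[1]),  # True: one factor suffices
        "otp_site_replay": otp_site.login(*captured),  # False: the used code is rejected
    }
```

The device secret and counter stay on the token, so the site is verifying possession of the token itself rather than trusting that the user unlocked a password manager somewhere.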
