We’ve discussed the importance of properly implemented two-factor authentication before, but TFA is usually associated with computing or high-security facilities. Earlier this year an InfoSec blogger wrote about his experience test driving a new Ducati Diavel, during which he dealt with a dealer who did not provide a key for the bike. The bike appeared to have been started before he left the dealership, so apparently the dealer started it without a key: new Ducatis can be started with an optional backup PIN in case you lose or forget your key fob. To his surprise, the bike’s PIN was the last four digits of the bike’s VIN. That was most likely an oversight by the dealer rather than the factory setting, which is to have the feature disabled. (Hint: you should never make the passcode for any authentication a number or phrase that is publicly available or related to the thing being protected, like the VIN.)
Now, while the bike’s ignition system incorporates both a physical key and a PIN, it’s clearly not two-factor authentication, since you need only one of the two to start it. Requiring one OR the other obviously makes the system less secure for the sake of convenience. Ducati could mitigate random PIN guessing by locking out PIN entry after five incorrect attempts, but the system is still inherently more vulnerable than one with just a key and no PIN. The same rules and guidelines apply here as in secure computing.
However, with just a slight change in the firmware, you could easily require both at startup, and voilà, TFA. It makes one wonder why bike manufacturers don’t implement this idea more often, or auto or boat manufacturers for that matter. Yes, it’s normally straightforward for a skilled thief to hotwire the ignition and bypass the key altogether, but is it too difficult to implement an independent PIN input that is much harder to physically rip into? Even if it could be bypassed, TFA would surely deter a casual dishonest finder of lost keys.
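To make the difference between the two policies concrete, here is an added toy model (example code written for this post, not Ducati firmware or anything from the original blogger). It contrasts the shipped "key OR PIN" behaviour with the proposed "key AND PIN" behaviour, adds the five-attempt PIN lockout suggested above, and refuses a PIN that appears in the VIN; the fob id, PIN, VIN and lockout threshold are all constructed values.

```python
# Added example: toy ignition authorizer comparing "key OR PIN" (as shipped)
# with "key AND PIN" (true two-factor). Not real Ducati firmware.
from dataclasses import dataclass
from enum import Enum
import hmac


class Policy(Enum):
    KEY_OR_PIN = "or"    # convenience fallback: either factor starts the bike
    KEY_AND_PIN = "and"  # two-factor: both factors required


MAX_PIN_ATTEMPTS = 5  # lockout threshold (constructed value)


def pin_is_derived_from_vin(pin: str, vin: str) -> bool:
    """True if the PIN is simply a run of characters copied from the VIN."""
    return len(pin) == 4 and pin in vin


@dataclass
class Ignition:
    policy: Policy
    fob_id: str   # identifier the paired key fob presents (constructed)
    pin: str      # backup PIN (constructed)
    vin: str      # publicly visible VIN (constructed)
    failed_pin_attempts: int = 0

    def __post_init__(self) -> None:
        # Refuse the configuration the post describes: PIN taken from the VIN.
        if pin_is_derived_from_vin(self.pin, self.vin):
            raise ValueError("PIN must not be derived from the VIN")

    @property
    def locked_out(self) -> bool:
        return self.failed_pin_attempts >= MAX_PIN_ATTEMPTS

    def _pin_ok(self, entered) -> bool:
        # Once locked out, no PIN is accepted until the lockout is cleared.
        if entered is None or self.locked_out:
            return False
        ok = hmac.compare_digest(entered, self.pin)  # constant-time compare
        self.failed_pin_attempts = 0 if ok else self.failed_pin_attempts + 1
        return ok

    def start(self, fob_id=None, entered_pin=None) -> bool:
        key_ok = fob_id is not None and hmac.compare_digest(fob_id, self.fob_id)
        if self.policy is Policy.KEY_OR_PIN:
            # A found fob OR a guessed PIN is enough on its own.
            return key_ok or self._pin_ok(entered_pin)
        # KEY_AND_PIN: the PIN is only even consulted when a valid fob is
        # present, so a lost fob alone and a guessed PIN alone both fail.
        return key_ok and self._pin_ok(entered_pin)
```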
We at Gemini are big fans of multi-factor authentication, and as more and more everyday tools and applications adopt it, such as banks, Facebook, and Google, we can’t help but wonder why physical TFA is so often reserved for expensive high-tech facilities and safes rather than built into the devices we use every day. Certainly TFA is not invulnerable, and it does not necessarily prevent phishing attacks, as one can tell from current news on ATM skimming, but it’s certainly a step in the right direction for anything worth securing.