In “Why Johnny Can’t Authenticate”, Ben Laurie makes the point that:

I often hear it argued that using something better than passwords will fix the problem, for example, public/private key pairs. There’s actually two fundamental reasons why this ain’t so…

  • So long as it’s possible for users to recover from losing their keys (or passwords, or whatever it is they use to authenticate) in a way that can be imitated by phishers, they will not be helped by these protocols. Phishers currently concentrate on getting people’s passwords simply because that’s the low-hanging fruit. Pluck that fruit and they’ll move on to recovery (which obviously cannot use anything the user can’t hold in their head).
  • Computers aren’t secure and users can’t be trusted to make good decisions about what to run. Start using public/private key pairs and they’ll be stolen by viruses and worms instead of fake websites and spam. Indeed, trojans that log keys in order to steal passwords already exist.

This perfectly reasonable opinion really speaks to the current state of affairs. It is war out there and right now the phishers are winning. But I wonder if it really is an unwinnable war, or whether the current state of the art is simply too bogged down in its own dogma to see past it. In the end no single thing will save us from the phishers since there are just too many angles of attack. However, I would like to think that a combination of technologies and user training through good rituals will make phishing a long shot so long that it is not worth the risk of the attempt. I do wish our banks would help out by using what is available now, though.