A few days ago I wrote about my support of the defense fund for Barrett Brown. One of the reasons regulators and legislators seem to think we need such over-the-top draconian sentences is because we have the wrong security model for payments in particular and authentication more generally. Information will continue to leak – that is its nature. It should not be possible for me to transact in your account simply by having information on your account. Instead we need to broadly embrace two-factor authentication.
There will continue to be disclosures of account information, both in the small and in the large. Some of it will simply be inadvertent. Others will be the result of leaks or breaches of systems. Trying to fight that with draconian penalties is simply wrong. I should be able to publish my bank account number and even my credit card number on my blog or via Twitter! Instead of just requiring that information in order to transact, I should also require authentication via my smartphone.
This change won’t come overnight, and some incentives would be helpful. Instead of pushing tougher and tougher sentencing, legislators should pass laws that require financial institutions and others (e.g. healthcare) to transition to two-factor auth.