Passwords Don’t Cut It: Making A Case For Two-Factor Authentication


The seemingly sudden prominence of two-factor authentication (2FA) in the media has a lot of organisations asking whether their security measures are sufficient. Web-based note-taking and archiving software Evernote recently launched 2FA for both its subscription and free accounts.

Social media sites, such as Facebook and Twitter, are already using it, Google Apps and payment gateways like PayPal have been promoting the use of 2FA for added security for some time, and for most online banking sites it is mandatory.

From an organisational perspective, user authentication is needed in a number of areas on a network – from public areas on the company network and customer login pages, to CRM systems, VPNs, management systems and cloud applications – and the use of 2FA is definitely gaining ground.

While it is not a new technology by any means, it is now being seen as a security necessity rather than an optional feature. Gartner predicts that by 2017 more than 50 per cent of organisations will be using some form of cloud-based services as a platform for authorisation, which is roughly five times more than today.

The Importance Of Authentication

IT security is an obvious priority for businesses with authentication and identity at the heart of it. This is especially important in light of current industry trends, including bring your own device (BYOD) and the continued adoption of flexible and mobile working.

Regardless of the amount of money and resources spent on securing firewalls and VPNs and on installing anti-virus and intrusion detection systems, if a hacker or outside party gains access to an employee’s authentication credentials, the entire system is compromised.

IT security models have changed over the years from a fortress approach of securing the perimeter, to an airport security approach that sees certain users having to prove their credentials at certain check points within the network, for example different users needing access to various applications in a cloud environment. It is this new approach that features 2FA quite strongly.

Passwords Are Not Enough

Single-factor authentication – traditionally a password, but it could also be a biometric element such as a fingerprint – is simply not strong enough as a security measure. Passwords can be easily compromised – through phishing, social engineering, hacking or sharing – and as a result IT departments enforce regular password changes, complexity rules and unique use.

However, this often leads to user-related issues that put a strain on the help desk or IT staff, such as lost passwords, lock-outs, re-use of passwords or passwords written on Post-it notes.

Two-factor authentication makes use of a combination of independent factors – something you know (password, PIN), something you have (keyfob, keycard or smartphone) and in some cases something you are (fingerprint, retina scan). In addition, factors such as location (physical location, network location and device), and time of day can play a role, especially for an organisation that employs remote workers, part-time employees or contractors.

The Benefits Of 2FA

In addition to security, 2FA provides significant cost and convenience benefits in terms of total cost of ownership and administration costs. This is especially true when outsourcing the management of 2FA. Outsourcing reduces the hidden costs of hosting a 2FA solution in-house, such as setting up new users, supplying fobs and integrating the actual solution with existing security infrastructure.

IT and help desk staff can dedicate resources to solving other issues, and the entire process can be managed via a web portal. An on-demand, cloud-hosted service is suitable for a range of industries and different sized enterprises. The vendor is responsible for dealing with lost fobs, forgotten passwords and other user issues, while ensuring patches are correctly installed and the service remains available.

Successful Implementation

There is on-going debate in the industry regarding token versus tokenless 2FA. Each has advantages and is equally effective; however, the long term effectiveness of 2FA depends largely on its users. During implementation the user experience must be considered and may even be an indicator of success.

The choice between tokens and tokenless systems depends on the application and the needs of users, and often a mixture of credentials presents the best option. Typically 2FA is easy to use; however, some employees may be resistant to change or less technically inclined, and may not see the immediate benefit of using this type of authentication. By making 2FA as reliable and easy to use as possible, it can become less of a bugbear and more like second nature.

Jon Inns

As Director of Product Development at Accumuli, Jon Inns has worked in the industry for almost 20 years for the likes of the Ministry of Defence and HP. As such, he is extremely knowledgeable in the area of protective monitoring systems, most notably security information and event management (SIEM). Jon is a founding member of the SIEM Alliance and is a strong proponent of the importance of including security monitoring as a fundamental and critical control in enterprise defensive policies.

  • ToopherSeth

    Great article, Jon. I hope that more influential people will express similar opinions and make the case for two factor authentication. In five years, two factor will be everywhere. Getting over that hump requires education and an easy-to-use two-factor authentication app. You’re doing well on the former, and Toopher has done the latter.

    Toopher (https://www.toopher.com/) makes 2FA simple. Users usually don’t like tokens–they’re easily misplaced and forgotten, hard to read, and the numbers always seem to change right when you’re about to enter the last one. More modern two factor is utilizing cell phones and push notifications–a paradigm that users know and love. Toopher goes one step further and allows users to automate requests based on location. More concretely: if you always bank from home, you would automate the login; future logins will ensure you’re at your house and authenticate you without any additional user interaction. All the security of a second factor without the hassle. It’s really cool :)