The seemingly sudden prominence of two-factor authentication (2FA) in the media has a lot of organisations asking if their security measures are sufficient. Web-based note-taking and archiving software Evernote recently launched 2FA for both its subscription and free accounts.
Social media sites, such as Facebook and Twitter, are already using it, Google Apps and payment gateways like PayPal have been promoting the use of 2FA for added security for some time, and for most online banking sites it is mandatory.
From an organisational perspective, user authentication is needed in a number of areas on a network – from public areas on the company network and customer login pages, to CRM systems, VPNs, management systems and cloud applications – and the use of 2FA is definitely gaining ground.
While it is not a new technology by any means, it is now being seen more as a security necessity than an optional feature. Gartner predicts that by 2017 more than 50 per cent of organisations will be using some form of cloud-based services as a platform for authorisation, which is roughly five times more than today.
The Importance Of Authentication
IT security is an obvious priority for businesses, with authentication and identity at the heart of it. This is especially important in light of current industry trends, including bring your own device (BYOD) and the continued adoption of flexible and mobile working.
Regardless of the amount of money and resources spent on securing firewalls, VPNs, and installing anti-virus and intrusion detection systems, if a hacker or outside party gains access to an employee’s authentication credentials, the entire system is compromised.
IT security models have changed over the years from a fortress approach of securing the perimeter, to an airport security approach that sees certain users having to prove their credentials at certain check points within the network, for example different users needing access to various applications in a cloud environment. It is this new approach that features 2FA quite strongly.
Passwords Are Not Enough
Single-factor authentication, traditionally a password but potentially a biometric element such as a fingerprint, is simply not strong enough as a security measure. Passwords can be easily compromised – through phishing, social engineering, hacking or sharing – and as a result, IT departments enforce regular password changes, password complexity and unique use.
However, this often leads to user-related issues that put a strain on the help desk or IT staff, such as lost passwords, lock-outs, re-use of passwords or passwords written on Post-it notes.
Two-factor authentication makes use of a combination of independent factors – something you know (password, PIN), something you have (keyfob, keycard or smartphone) and in some cases something you are (fingerprint, retina scan). In addition, factors such as location (physical location, network location and device), and time of day can play a role, especially for an organisation that employs remote workers, part-time employees or contractors.
The Benefits Of 2FA
In addition to security, 2FA provides significant cost and convenience benefits in terms of total cost of ownership and administration costs. This is especially true when outsourcing the management of 2FA. Outsourcing reduces the hidden costs of hosting a 2FA solution in-house, such as setting up new users, supplying fobs and integrating the actual solution with existing security infrastructure.
IT and help desk staff can dedicate resources to solving other issues, and the entire process can be managed via a web portal. An on-demand hosted service using cloud is suitable for a range of industries and different sized enterprises. The vendor is responsible for dealing with lost fobs, forgotten passwords, and other user issues, while ensuring that patches are correctly installed and that the service remains available.
There is ongoing debate in the industry regarding token versus tokenless 2FA. Each has advantages and is equally effective; however, the long-term effectiveness of 2FA depends largely on its users. During implementation the user experience must be considered and may even be an indicator of success.
The choice between token and tokenless systems depends on the application and the needs of users, and often it is a mixture of credentials that presents the best option. Typically 2FA is easy to use; however, some employees may be resistant to change or less technically inclined, and may not see the immediate benefit of using this type of authentication. By making 2FA as reliable and easy to use as possible, it can become less of a bugbear and more like second nature.