As we reported earlier in the week, the most recent discussion around two-factor authentication was triggered by Dropbox adopting this secure methodology. Increasingly, it is suggested that a password alone is not enough for security, especially each time a public case of account hacking emerges. “Two-factor authentication has gone from the paranoiac’s love affair to the bare minimum needed for rational security. Password logins are simply too compromised in the desktop environment,” explains John E Dunn, Security Editor at Techworld and Computerworld UK.
“Two-factor authentication offers a more secure way to ensure that the person logging on is who (s)he claims to be. By using something you know (password), and something you have (a generated code delivered on your phone or RSA token), you reduce the likelihood of someone else gaining control to your account,” explains Kai Roer, Senior Partner at The Roer Group.
In some ways, adoption of this technology is still in its infancy, but more and more sites and services are beginning to realise its benefits, and levels of adoption are increasing beyond services such as Dropbox and Skydrive. That said, “Availability is still surprisingly patchy; the tech industry can’t quite work how to make it available without adding complexity and so change remains slow,” Dunn tells us.
Conversations over the past week have largely revealed that two-factor authentication is seen as an added (but minor) “hassle” when it comes to the time spent logging into accounts for users. There is also a cost factor for businesses to consider when looking at implementing the technology.
With this in mind, Roer suggests that you should consider two-factor authentication as “insurance,” especially given the reduction in cost of a technology that, until recently, was only used in banking and high-security access. That said, even with today’s low implementation cost, it is still an investment, if a small one. Far better, says Roer, than “the large cost you incur by a public breach in the future.” In fact, according to Roer, it is quite a scalable adoption process: “you do not need RSA-like tokens today. Codes can be sent easily and cost-effectively using SMS or a smart-phone app. This means very low up-front investment, no lock-in to a vendor, and better service for your customers.”
“From a positive security perspective, two-factor authentication has no downside!” says Leon Ward, Network Security professional at Sourcefire. However, Ward feels that implementation must be planned “with consideration of the user experience at the absolute forefront. Tokens, like mobile phones, get lost, broken and forgotten,” and this has the potential to “impact authorized users’ productivity. Preventing people from doing their job breeds frustration.”
Conversely, Kevin Townsend, a freelance author and online news reporter for Infosecurity Magazine, feels that “two-factor authentication is good but not good enough. Ease of use trumps security for the average user – so I doubt it will be widely adopted. Even two-factor authentication sessions can be hijacked. Continuous behavioural biometrics, such as the ‘cognitive fingerprint’, may be a future solution – if privacy concerns can be solved.” Brian Honan, InfoSec Consultant and author, feels that there is a wider issue of staff training to consider: “Two factor authentication can be an effective extra layer of security for businesses to protect their systems. Whether a software or hardware based solution is selected, organisations should realise technology alone is not the answer and ensure staff are properly trained in the secure use of the chosen solution.”
It seems that this is a technology worth considering when weighing up your security solutions. However, it is clear that there may be other security options on the horizon which could be deemed stronger or more accessible to your enterprise in the near future. It may come down to a case of user friendliness vs. the impact of a breach of one or even multiple accounts and the loss of private data.
What are your thoughts on two-factor authentication? Share them in the comments or via @MicrosoftBizUK
Indeed. 2FA is a bare minimum. But in Estonia it is available for all people ... in the shape of a PKI-enabled ID-card.
Excellent article on strong authentication. I would like to make a few follow-up remarks, though, on some of the statements. First off:
“Availability is still surprisingly patchy; the tech industry can’t quite work how to make it available without adding complexity and so change remains slow.”
While this was true with the second generation authentication systems following the RSA SecurID that prevailed before, it does not hold true with the industry leading providers anymore. The systems are available as appliances that can be set up in a matter of one to two hours, and even as SaaS services if that is acceptable from the security perspective for the customer. At this point I must say that my company is among this list of strong authentication providers with SSH MobileID, although I do not want to make a sales pitch here, rather just provide further information.
“Two-factor authentication is good but not good enough."
To this I again emphasize that this was true with the second generation of two-factor authentication solutions. However, with the industry leading authentication platforms/appliances, the end-user can on-the-fly build and extend the authentication business logic and delivery methods. Say, for example, that the main use case is SMS OTP delivery. Now, the end-user is logging into the corporate VPN in the middle of the night and from a very remote off-shore location based on IP. In this scenario the next generation authentication platform actually determines that this is a potential breach, and requires some extra security; say a PIN code delivered to the end-user or a secret question to which only the end-user knows the answer. Hence, with the latest technology for strong authentication, we must understand that the systems and their business logic can be adapted and altered to deliver the required security and/or confidence level.
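The step-up logic the commenter describes (baseline SMS OTP, extra factor when the login looks anomalous) is easiest to reason about as an explicit policy function. The block below is an added example and not code from the commenter, SSH MobileID or any product on this page: it scores a login attempt against a user's usual countries, known devices and local time of day, and returns the factors the login must satisfy plus the reasons, which can be written to an audit log. The attributes (`usual_countries`, `known_devices`, the hour already converted to the user's local time zone, the country derived from the source IP) and the threshold of 2 are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class UserProfile:
    username: str
    usual_countries: FrozenSet[str]   # countries this user normally logs in from
    known_devices: FrozenSet[str]     # device identifiers previously enrolled


@dataclass(frozen=True)
class LoginAttempt:
    username: str
    hour_local: int    # 0-23, already converted to the user's time zone (assumed upstream)
    country: str       # from source-IP geolocation (assumed upstream)
    device_id: str


BASELINE_FACTORS: Tuple[str, ...] = ("password", "sms_otp")   # the commenter's main use case
STEP_UP_FACTORS: Tuple[str, ...] = ("pin_code",)              # could equally be "secret_question"
STEP_UP_THRESHOLD = 2


def risk_score(profile: UserProfile, attempt: LoginAttempt) -> Tuple[int, List[str]]:
    """Sum simple, explainable signals; each reason is kept for the audit trail."""
    score, reasons = 0, []
    if attempt.hour_local < 6 or attempt.hour_local >= 22:
        score += 1
        reasons.append("outside normal hours")
    if attempt.country not in profile.usual_countries:
        score += 2
        reasons.append(f"unusual country {attempt.country}")
    if attempt.device_id not in profile.known_devices:
        score += 1
        reasons.append("unknown device")
    return score, reasons


def required_factors(profile: UserProfile, attempt: LoginAttempt) -> Tuple[List[str], List[str]]:
    """Baseline factors always apply; a risky context adds a step-up factor rather than replacing them."""
    score, reasons = risk_score(profile, attempt)
    factors = list(BASELINE_FACTORS)
    if score >= STEP_UP_THRESHOLD:
        factors.extend(STEP_UP_FACTORS)
    return factors, reasons


# Constructed sample data, not taken from any real system.
ALICE = UserProfile("alice", frozenset({"GB"}), frozenset({"laptop-01"}))
NORMAL_LOGIN = LoginAttempt("alice", hour_local=10, country="GB", device_id="laptop-01")
NIGHT_OFFSHORE = LoginAttempt("alice", hour_local=3, country="XX", device_id="laptop-01")
NEW_DEVICE_DAYTIME = LoginAttempt("alice", hour_local=14, country="GB", device_id="tablet-99")

if __name__ == "__main__":
    for attempt in (NORMAL_LOGIN, NIGHT_OFFSHORE, NEW_DEVICE_DAYTIME):
        factors, reasons = required_factors(ALICE, attempt)
        print(attempt.username, factors, reasons or ["no risk signals"])
```

Keeping the signals additive and the reasons explicit is what makes the policy auditable: when a user is challenged at 3 a.m. from an unexpected country, the log says why, and the helpdesk can distinguish a travelling employee from a credential being tried from somewhere it should not be.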
I am all for 2FA and I wholly agree that it is important for protecting data like that stored on Dropbox but it must be implemented in a way that makes it easy for the user. Many users have enough trouble remembering their password alone. Show them the benefit of increased security and make it easy for them and they will make the change.