Username and password have long been the main method of authentication—and they remain so. But other authentication factors are often added to passwords to improve security. How well do these multi-factor authentication approaches work, and how should businesses approach them?
The password is familiar, and everyone knows how it works—or, at least, how it’s supposed to work. It’s essentially free. It can be used on any system, using any platform, by anyone. The password is anonymous and its use does not compromise privacy. It can easily be replaced if compromised.
According to SplashData, the two most common passwords of 2017 were still the long-time champions, 123456 and password. And people are certainly known to share passwords. So, despite the virtues listed above, passwords have one great defect: alone, they can be almost useless for security.
This is where multi-factor authentication approaches come in, typically with just one additional factor, for two-factor authentication (2FA).
There are three primary authentication factors used in a multi-factor authentication process: something you know (a password or PIN), something you have (a phone, security key, or smartcard), and something you are (a biometric).
Currently, most 2FA implementations rely on the first two. Biometrics as an authentication factor will likely be increasingly used but has its own problems, discussed at length here.
The idea is that the two factors are completely independent. An attacker might get one, but getting the second would require a separate effort. With only one factor, login is still impossible.
The most familiar form of 2FA is when you put in your password, are sent a one-time password via an SMS text message to your mobile phone, and then enter that code. So: two factors, password (something you know) and your phone (something you have), right?
Technically, though, this is known as two-channel or two-step authentication, since the code you get is also something you know. This distinction can lead to endless academic discussions, but it also allows for clearer security analysis. It turns out to be easy to assume two pieces of information are independent when they have an exploitable degree of connection.
Regardless of accurate terminology, the world will continue to call this 2FA—and so will this post.
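The server side of the SMS two-step flow described above, as an added example that is not code from the original post: the code is issued only after the password step succeeds, stored only as a hash, expires, is single-use, and allows only a few guesses. The user store, salt, and time values are constructed for the demonstration, and the SMS gateway itself is not modelled.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo user store: salted PBKDF2 password hashes keyed by username.
# Hypothetical values; a production system would use a dedicated password-hashing library.
SALT = b"demo-salt-not-for-production"
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000)}

OTP_TTL_SECONDS = 300  # the SMS code is only valid for five minutes
MAX_ATTEMPTS = 3       # a six-digit code must not be guessable by repeated tries

pending_codes = {}  # username -> {"digest": bytes, "expires": float, "attempts": int}


def check_password(user, password):
    """Factor one: something you know. Constant-time compare of PBKDF2 outputs."""
    stored = USERS.get(user)
    if stored is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    return hmac.compare_digest(stored, candidate)


def start_login(user, password, now=None):
    """Step one. Only after the password checks out is a single-use code issued.
    Returns the plaintext code to hand to the SMS gateway (not modelled), or None."""
    if not check_password(user, password):
        return None
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    # Only a hash is kept server-side, so a database leak does not expose live codes.
    pending_codes[user] = {"digest": hashlib.sha256(code.encode()).digest(),
                           "expires": now + OTP_TTL_SECONDS, "attempts": 0}
    return code


def finish_login(user, code, now=None):
    """Step two: the code typed back from the phone. Enforces expiry, attempt limit, single use."""
    now = time.time() if now is None else now
    entry = pending_codes.get(user)
    if entry is None or now > entry["expires"]:
        pending_codes.pop(user, None)
        return False
    entry["attempts"] += 1
    ok = hmac.compare_digest(entry["digest"], hashlib.sha256(code.encode()).digest())
    if ok or entry["attempts"] >= MAX_ATTEMPTS:
        del pending_codes[user]  # consume the code, or burn it after too many wrong guesses
    return ok
```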
SMS 2FA has a variety of vulnerabilities, including the possibility of number reassignment, which could allow an attacker to receive the confirmation code. For this and other reasons, NIST no longer recommends SMS-based text message two-step verification.
But companies and customers will continue to use this form of 2FA, because it is easy, straightforward, and takes advantage of a sophisticated device that most people already own: a smartphone. And at its worst, it is no less secure than the original password—it introduces no additional vulnerabilities.
What’s the best form of personal cybersecurity? The one you use. Companies face a variety of other attacks from other directions, and user error is one vulnerability they really want to minimize.
This is where other forms of 2FA that involve a “something you have” factor more robust than an SMS message, such as security keys, fobs, and smartcards, have problems, particularly for consumers rather than employees. Something like a Yubikey really does provide a good degree of security—but it requires the user to carry and use another piece of hardware, one that does not have Facebook on it, and is thus easier to forget.
If lost keys result in calls to the helpdesk, the expense of security can rise unsustainably.
Security can be a brand value, but ease of use always is. Businesses will need to balance the two, and various forms of 2FA, properly implemented, will make their job easier.
Alex Jablokow is a freelance writer who specializes in technical and healthcare business. He blogs about the Internet of Things, software, inertial guidance systems, and other topics for business clients. Sturdy Words, his freelance content business, is at www.sturdywords.com.