Two's (Or More) Company: How to Use Two-Factor Authentication the Right Way

Wednesday, June 03, 2015

Patrick Oliver Graf


These days, you need a password to access every aspect of your digital life, and we all know how problematic that can be. You can either come up with a unique (albeit difficult-to-remember) password for every website, or use easy passwords, or even duplicates, that leave your accounts insecure.

Fortunately, many prominent websites today – Dropbox, Google, Apple, Facebook and PayPal – all support a security approach known as two-factor or multi-factor authentication. And it’s easy to see why.

This process enhances security by adding another step (or more) to the user verification process, making even risky passwords much stronger. That’s because in addition to the factor that a user knows (a password), every login attempt requires the user to supply a factor he or she owns, such as a one-time access code or PIN sent to their mobile device via SMS text or email, and/or one that reflects who they are, like a fingerprint. Through this relatively simple extension of the traditional authentication scheme, a lost or stolen password becomes plain useless to a hacker. No successful login is possible without the additional factor or factors.

If your security demands are higher than average, it’s also important to generate the second authentication code, or OTP, only when the user has already started the session and the first factor has been exchanged successfully. It might be simpler to implement and roll out tokens with pre-fabricated codes; this kind of implementation is inherently easier to compromise, although it is still almost impossible to break.

As a rule, token solutions require a seed that contains the base data for generating the OTPs. If the seed is stolen or compromised, and the OTP generator has been hacked, all the possible OTPs can be reproduced by an attacker. Equally important, an OTP can be valid only on the token that actually generated it, unless an attacker reproduces the OTP generator. However, the likelihood of this type of attack is much lower than the attacker actually stealing the generator.
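The contrast drawn in the two paragraphs above, as an added example that is not code from the original post: `hotp` follows RFC 4226 to show that seed-based codes are a pure function of the seed, while the hypothetical `OnDemandOtp` class issues a random, session-bound code only after the first factor has succeeded. The class name, the 120-second validity window and the session IDs are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import struct
import time

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: whoever holds the seed can compute every code."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class OnDemandOtp:
    """Hypothetical server-side store: one random code per session, no seed."""

    def __init__(self, ttl_seconds: int = 120):
        self.ttl = ttl_seconds
        self.pending = {}  # session_id -> (SHA-256 of code, expiry timestamp)

    def issue(self, session_id: str, first_factor_ok: bool, now: float = None) -> str:
        # Generate the code only after the first factor has been verified.
        if not first_factor_ok:
            raise PermissionError("first factor not verified")
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** 6):06d}"
        digest = hashlib.sha256(code.encode()).digest()
        self.pending[session_id] = (digest, now + self.ttl)
        return code  # passed to the SMS or email transport, not stored in clear

    def verify(self, session_id: str, code: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        # Single use: the entry is removed on any attempt, right or wrong,
        # so a replayed or guessed code forces a fresh issue().
        entry = self.pending.pop(session_id, None)
        if entry is None:
            return False
        digest, expiry = entry
        if now > expiry:  # code arrived after the validity time frame
            return False
        return hmac.compare_digest(digest, hashlib.sha256(code.encode()).digest())
```

The `now` parameter exists only so the validity window can be exercised deterministically; production code would rely on the server clock.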

Whatever means of transport is used for the second factor, it is important that it reaches the user as soon as possible. Two- or multi-factor authentication is often deployed for business users, and they want to begin work as soon as they start the authentication process. Especially when users are working from abroad, using SMS text as a transport medium is prone to faults. There are often transmission delays that cause the user to miss the designated validity time frame for the pass code. Such problems can be mitigated by using an authentication provider who operates independently from the mobile operator and uses a unique SMSC for the pass code transmission.

A way to enhance the user experience is to have SMS notifications display automatically on the device without the need for the user to open the SMS inbox to access the OTP.

Authentication with two or more factors is clearly the way to go. When you find that the 800-pound gorillas like Facebook or Twitter have firmly gathered in the two-factor camp, you don’t need a crystal ball to find out where the industry is headed.

And the marketplace has adapted accordingly – there are now a multitude of products that cover everything from the requirements of small companies up to the demands of large-scale enterprises. The functions and features range from email and SMS through apps, soft and hard tokens and synthetic voice messages to biometric characteristics.

In light of all the successes of two-factor authentication, the most difficult aspect remains getting users to endorse the technology. Trigger events along the way, like Microsoft rolling out two-factor-equipped Windows 10, will help users become more familiar with the process, but only time will cause users to view two-factor authentication as the top security standard.

This was cross-posted from the VPN HAUS blog. 
