Given the steady stream of data-breach stories year after year, information security is now a first-order concern for any business engaged in digital activity. Let's face it: that is every business in existence these days.
Despite many companies' best efforts to keep their users' information secure, individual accounts remain comparatively easy to attack: once a user's account name or email address is known, a single stolen, reused or guessed password is all that stands between the attacker and that user's data, and often their employer's. Two-factor authentication (2FA) has become an effective and popular answer to this problem, but does it stand up to the challenge of securing access to your applications and data? And if so, what is keeping it from complete mainstream acceptance?
Why is two-factor authentication effective?
2FA is effective because it requires something beyond the password: possession of a specific device. The codes that device produces are one-time and short-lived, so to explain in more detail, 2FA works as if your application's login were protected by a lock that changes every few minutes (or sooner), with the current key supplied by the 2FA device, typically a smartphone. It works in addition to the traditional login rather than replacing it, which is where the name "two factor" comes from, and it protects against stolen or guessed passwords because the password alone is no longer enough. It also buys response time: an unexpected code request arriving at the owner's device is an early warning that someone else is trying to log in, even if the owner is not able to act on it immediately.
How does two-factor authentication work?
Implementation can vary, but two-factor authentication typically relies on a few different approaches. The two most popular and widely accepted methods both rely on the general capabilities of a user's smartphone and depend on either an installed application or SMS. A third, particularly secure option is a dedicated hardware token (often called a smart token) that operates independently of the user's other devices.
Each of these approaches has its own advantages and drawbacks, and which one fits best depends on the use case.
Organizations that require security for a large number of users with varying needs and responsibilities tend to benefit from uniform security solutions that support the use of multiple devices simultaneously, while not requiring extensive integration efforts. The best two-factor authentication options for these situations tends to involve the use of a proven 2FA mobile application with platform support for (at a bare minimum) iOS and Android devices.
Two commonly-used examples of 2FA applications include Authy and Duo Mobile. These applications are usually available for download through public app stores and just need to be paired with a user’s account.
The largest point in favor of authentication applications is that users tend to always have their devices on their person. This means that for situations where the user is logging in to a network or application on a separate device and using their phone for 2FA there is a negligible hit to productivity in exchange for a much more secure process.
The downside to these applications is that if the user happens to misplace their phone or its battery dies, the user could be completely unable to log in to the system. This typically can result in delays of varying length as the user contacts relevant IT or customer support channels to resolve the matter of linking the authentication to a new device.
One more drawback that applies to any phone-based 2FA method is that if the device itself is compromised, whether through malware or theft, the attacker can read the codes and the protection 2FA adds is largely lost. Even so, compromising the phone is one more step an attacker has to take beyond obtaining a traditional username and password combination.
SMS authentication provides an extremely accessible added layer of security for as many users as needed. It is currently the most widely accepted solution for applications with very large user bases, such as Gmail. It is also the weakest of the three methods discussed here: codes sent by text message can be intercepted or redirected through SIM-swap fraud and weaknesses in the carrier network, which is why NIST SP 800-63B classifies SMS-delivered codes as a "restricted" authenticator rather than a recommended one.
After providing their phone number during account setup, the user is texted a unique, short-lived code whenever they enter their account name and password at login, and that code must be entered to access the account. The code expires after several minutes and is only valid once, and the server should also cap the number of guesses so that a six-digit code cannot simply be brute-forced within its lifetime. Depending on the balance of security and convenience, users are usually also offered the option to remember a device so they do not have to enter a new code every time they use the same computer.
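The server-side half of the SMS flow described above, written here as an added example rather than code from any particular product: a code is generated from a CSPRNG, stored only as a hash with an expiry and a guess counter, checked with a constant-time comparison, invalidated after first use or too many wrong guesses, and a long-lived "remember this device" token is issued separately. The time-to-live, attempt limit and token lifetime are assumptions chosen for illustration, the store is an in-memory stand-in for a database, and nothing is actually sent; the gateway call is where a real deployment would hand the code to its SMS provider.

```python
import hashlib
import hmac
import secrets
import time

# Policy values are assumptions for this example, not figures from the article.
CODE_TTL_SECONDS = 300        # code expires five minutes after issue
MAX_ATTEMPTS = 5              # wrong guesses allowed before the code is burned
REMEMBER_DEVICE_SECONDS = 30 * 86400   # lifetime of a "remember this device" token


class SmsOtpStore:
    """In-memory stand-in for the server-side state a real deployment keeps in a database."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so tests can control time
        self._pending = {}           # user_id -> {"digest", "expires", "attempts"}
        self._trusted = {}           # sha256(token) -> (user_id, expires)

    @staticmethod
    def _digest(value: str) -> str:
        # Store only a hash: a database leak must not reveal live codes or device tokens.
        return hashlib.sha256(value.encode()).hexdigest()

    def issue_code(self, user_id: str) -> str:
        # Six decimal digits from a CSPRNG, zero-padded so leading zeros survive.
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[user_id] = {
            "digest": self._digest(code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        # A real system passes `code` to the SMS gateway here; it is never returned to the browser.
        return code

    def verify_code(self, user_id: str, submitted: str) -> bool:
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[user_id]          # expired codes are discarded, not compared
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[user_id]          # too many guesses: burn the code
            return False
        ok = hmac.compare_digest(entry["digest"], self._digest(submitted))
        if ok:
            del self._pending[user_id]          # single use
        return ok

    def remember_device(self, user_id: str) -> str:
        # Opaque random token; the browser keeps it in an HttpOnly, Secure cookie.
        token = secrets.token_urlsafe(32)
        self._trusted[self._digest(token)] = (user_id, self._clock() + REMEMBER_DEVICE_SECONDS)
        return token

    def device_is_trusted(self, user_id: str, token: str) -> bool:
        record = self._trusted.get(self._digest(token))
        if record is None:
            return False
        owner, expires = record
        # The token must belong to this user and still be within its lifetime.
        return owner == user_id and self._clock() <= expires
```

The guess cap matters as much as the expiry: a six-digit code gives a one-in-a-million chance per attempt, which is only safe if an attacker gets a handful of attempts rather than thousands within the five-minute window.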
The biggest factor in favor of SMS authentication is that, as previously mentioned, it is extremely convenient. It requires no special application and relies on text messaging, which every phone supports. Another point in its favor is that, unlike the application-based methods discussed above, a user who loses their phone can simply update their contact number from a trusted device and continue using their account.
One drawback is that a user who works somewhere cell service is not always available, such as the many large office buildings with spotty reception in certain areas, may be delayed in accessing their account. SMS authentication also shares the weakness of every phone-based method: if the user logs in on the phone and receives the code on the same phone, the two factors collapse onto one device and a compromise of that device defeats both.
An alternative to phone-based authentication measures exists in the use of smart tokens. Smart tokens are standalone devices that provide a time-sensitive key for accessing an account, similar to how phone authentication works.
What sets smart tokens apart is that, because they operate independently of other devices, they continue to provide reliable security even if the user's smartphone has been compromised. They also remove the temptation to log in and generate codes on the same device, which smartphones make all too easy: the token cannot run a browser, so the second factor is always physically separate from the first.
Smart tokens work in a few different ways. One common approach is to associate an account with a token's serial number, which the login server maps to a secret seed shared with that token at manufacture. Token and server then run the same algorithm over that seed and the current time, so when a login attempt arrives the server can compute which code the token should be showing at that moment (allowing a small window for clock drift) and compare. Many services have adopted this method in recent years; Blizzard Entertainment, for example, offers tokens as an optional feature for users who want to harden their accounts.
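The shared-algorithm scheme described above, as an added example that is not code from any token vendor or from the original article: the token and the server both derive codes from a shared secret and the current 30-second time step using TOTP (RFC 6238), which is HOTP (RFC 4226) with the counter set to the time step. The registry maps a serial number to its secret, accepts a code from one step on either side to tolerate clock drift, and records the last accepted step so that a code captured in transit cannot be replayed. The serial numbers, user names and the registry class are assumptions chosen for illustration; the secret used in the test is the RFC 6238 test-vector secret.

```python
import hashlib
import hmac
import struct
import time

TIME_STEP = 30     # seconds per code, RFC 6238's default
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, at: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter equal to the current time step."""
    return hotp(secret, at // step)


class TokenRegistry:
    """Server side (assumed structure): serial -> shared secret, plus anti-replay state."""

    def __init__(self, clock=time.time):
        self._clock = clock                 # injectable so tests can pin the time
        self._tokens = {}                   # serial -> {"secret": bytes, "last_step": int}
        self._users = {}                    # user_id -> serial

    def enroll(self, user_id: str, serial: str, secret: bytes) -> None:
        # In practice the seed is loaded from the vendor's seed file for that serial number.
        self._tokens[serial] = {"secret": secret, "last_step": -1}
        self._users[user_id] = serial

    def verify(self, user_id: str, code: str, window: int = 1) -> bool:
        serial = self._users.get(user_id)
        if serial is None:
            return False
        tok = self._tokens[serial]
        now_step = int(self._clock()) // TIME_STEP
        # Try the current step and `window` steps either side to absorb clock drift.
        for step in range(now_step - window, now_step + window + 1):
            if step <= tok["last_step"]:
                continue                    # already consumed (or older than one that was)
            if hmac.compare_digest(hotp(tok["secret"], step), code):
                tok["last_step"] = step     # each step's code is accepted at most once
                return True
        return False


if __name__ == "__main__":
    # Constructed demo: a token whose seed is the RFC 6238 test secret.
    seed = b"12345678901234567890"
    registry = TokenRegistry()
    registry.enroll("alice", "SN-0001", seed)
    print("token shows", totp(seed, int(time.time())))
```

The `last_step` bookkeeping is what stops an attacker who shoulder-surfs or sniffs one code from using it within its 30-second lifetime; a server that only checks "is this the code for roughly now" would accept it a second time.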
Another method uses a small USB device as the smart token, such as Yubico's YubiKey. Rather than displaying a code for the user to type, the key emits its one-time code, or answers a cryptographic challenge from the server in the FIDO U2F and FIDO2 variants, directly over USB when the user touches it, so nothing has to be read off a screen and copied by hand.
The main benefit of smart tokens is that they are much more difficult to compromise than a user’s personal devices. Additionally, since the smart tokens themselves don’t require a network connection or specialized mobile application, they don’t run into the same network and device support issues as mobile authentication.
Although they offer the most secure form of 2FA, smart tokens suffer from the fact that the user must carry an additional physical item. Because a code-generating token is usually tied to one account, a user may need to carry several tokens for separate accounts. Finally, these devices are typically not free. Pricing ranges from roughly $5 to $50 or more per device, which should definitely be taken into consideration for any enterprise rollout.
Regardless of which approach you take, two-factor authentication adds a valuable extra layer of security to your login process. Applications are becoming more interconnected over time, with ever more data shared between those that rely on one another. Whatever other account-security measures your company takes, requiring a separate device to log in provides a benefit the others cannot: however the password was obtained, the attacker is unlikely to get in unless they have also compromised that second device. The one caveat worth keeping in mind is that a code the user types can also be phished, since a fake login page can relay the code to the real site within its lifetime; only the challenge-response hardware tokens, which bind the response to the site they are talking to, are immune to that.