Two-Factor Authentication

As we reported earlier in the week, the most recent discussion around two-factor authentication was triggered by Dropbox adopting this secure methodology. It is increasingly suggested that a password alone is not enough for security, especially each time a public case of account hacking emerges. “Two-factor authentication has gone from the paranoiac’s love affair to the bare minimum needed for rational security. Password logins are simply too compromised in the desktop environment,” explains John E Dunn, Security Editor at Techworld and Computerworld UK.

“Two-factor authentication offers a more secure way to ensure that the person logging on is who (s)he claims to be. By using something you know (password), and something you have (a generated code delivered on your phone or RSA token), you reduce the likelihood of someone else gaining control of your account,” explains Kai Roer, Senior Partner at The Roer Group.

In some ways, adoption of this technology is still in its infancy, but more and more sites and services are beginning to realise its benefits, and levels of adoption are increasing beyond services such as Dropbox and SkyDrive. That said, “Availability is still surprisingly patchy; the tech industry can’t quite work out how to make it available without adding complexity and so change remains slow,” Dunn tells us.

Conversations over the past week have largely revealed that users see two-factor authentication as an added, if minor, “hassle” in the time it takes to log into accounts. There is also a cost factor for businesses to consider when looking at implementing the technology.

With this in mind, Roer suggests that you should consider two-factor authentication as “insurance,” especially given the reduction in cost of a technology that, until recently, was only used in banking and high-security access. Even at today’s low implementation cost it is still an investment, albeit a small one. Far better, says Roer, than “the large cost you incur by a public breach in the future.” In fact, according to Roer, it is quite a scalable adoption process: “you do not need RSA-like tokens today. Codes can be sent easily and cost-effectively using SMS or a smart-phone app. This means very low up-front investment, no lock-in to a vendor, and better service for your customers.”
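As an added illustration (not part of the original article), the “generated code” from a smart-phone app that Roer and Dunn describe is typically a time-based one-time password (RFC 6238), computed from a shared secret and the current time. The server-side verifier below assumes HMAC-SHA1, 30-second steps and the RFC’s published test secret, and shows the two checks a deployment needs beyond the arithmetic: a small clock-skew window and rejection of an already-used code.

```python
import hashlib
import hmac
import struct

# Test secret from RFC 4226 / RFC 6238 (constructed for the example, not a real credential).
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time (what the phone app shows)."""
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30,
                digits: int = 6, window: int = 1, last_counter=None):
    """Server-side check. Returns the accepted time-step counter, or None.

    - compares in constant time so timing does not leak which digits matched
    - accepts +/- `window` steps to tolerate phone/server clock drift
    - refuses any counter <= `last_counter` (the step of the last accepted code),
      so a code that was observed once cannot be replayed within the window
    """
    counter = now // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if last_counter is not None and candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


if __name__ == "__main__":
    # RFC 6238 vector: at t=59 the 8-digit SHA-1 code is 94287082.
    print(totp(RFC_TEST_SECRET, 59, digits=8))
    print(verify_totp(RFC_TEST_SECRET, "94287082", 59, digits=8))
```

The returned counter should be stored per user and passed back as `last_counter` on the next login; that is what turns the window from a convenience into a replay-safe one.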

“From a positive security perspective, two-factor authentication has no downside!” says Leon Ward, Network Security professional at Sourcefire. However, Ward feels that implementation must be planned “with consideration of the user experience at the absolute forefront. Tokens, like mobile phones, get lost, broken and forgotten,” as this has the potential to “impact authorized users’ productivity. Preventing people from doing their job breeds frustration.”

Conversely, Kevin Townsend, a freelance author and online news reporter for Infosecurity Magazine, feels that “two-factor authentication is good but not good enough. Ease of use trumps security for the average user – so I doubt it will be widely adopted. Even two-factor authentication sessions can be hijacked. Continuous behavioural biometrics, such as the ‘cognitive fingerprint’, may be a future solution – if privacy concerns can be solved.” Brian Honan, InfoSec Consultant and author, meanwhile feels that there is a wider issue of staff training to consider: “Two factor authentication can be an effective extra layer of security for businesses to protect their systems. Whether a software or hardware based solution is selected, organisations should realise technology alone is not the answer and ensure staff are properly trained in the secure use of the chosen solution.”

It seems that this is a technology worth considering when weighing up your security options. However, other approaches are clearly on the horizon that may prove stronger, or more accessible to your enterprise, in the near future. The decision may come down to weighing user friendliness against the impact of a breach of one or even multiple accounts and the resulting loss of private data.

What are your thoughts on two-factor authentication? Share them in the comments or via @MicrosoftBizUK