A series of recent password hacks at well-known brands, including LinkedIn, Twitter, and Evernote, has cast a harsh light on the problems of passwords, and how vulnerable we are as a result. Two-factor authentication is being held up as the solution to this problem, and companies are racing to deploy it.
The trouble is that two-factor authentication is fraught with difficulties. As is often the case, assumptions are being made and benefits implied that can mislead companies trying to secure their environments, and leave consumers believing their security is ironclad.
There has been a lot of hype about two-factor authentication, and as a result several misconceptions about it exist. Here are five common myths associated with two-factor authentication:
No. 1: If you have suffered a breach, turning on two-factor authentication for your users is a good quick fix.
Reality: Most sites can’t simply “turn on” two-factor authentication (often shortened to 2FA). Deploying 2FA means issuing tokens or embedding cryptographic keys in users’ devices, and that requires user participation. If you suddenly start requiring 2FA for access to your site, many of your existing users won’t have the means to log in, and will either clog your support queue or give up and go elsewhere. But if you don’t require 2FA and offer it only as an option, most users won’t bother to enroll, regardless of the security benefits.
No. 2: Two-factor authentication is not susceptible to common threats.
Reality: Two-factor authentication does improve security, but it is not perfect, and because it is deployed mainly on high-value applications it attracts determined attackers. Most two-factor technologies don’t securely tell the user what they are being asked to approve: a one-time code carries no information about which transaction it will authorize, so it is too easy for an inattentive user to approve an attacker’s transaction without knowing it. Third-party authentication tokens also depend on the security of the issuer or manufacturer, and that cannot be known until there’s a breach, such as the March 2011 breach of RSA SecurID tokens. Telecom-based technologies, such as text messaging (SMS), depend on the security of the mobile provider, which is chosen by the user, not by the site. A service relying on SMS is exposed to whatever practices those providers follow regarding reassignment of phone numbers or the security of messages in transit. Malware on users’ phones that intercepts SMS messages and forwards them to an attacker is also becoming more common.
No. 3: Two-factor authentication is synonymous with ‘incorporation of a second device’ and cannot be accomplished effectively on a single device.
Reality: As users move to smarter personal devices, it has become practical to load keying material into those devices in a manner that is tamper-resistant enough to provide a high degree of security. For example, a properly designed smartphone application can hold a cryptographic key (something the user has) and prompt the user for a PIN or password (something the user knows). It then uses cryptographic techniques, such as signing a challenge from the server, to prove that the user both possesses the key and knows the memorized factor, without either secret ever leaving the user’s device.
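What that looks like in practice, as an added example written for this edit rather than code from the article or from OneID: a Go sketch (standard library only) in which the phone holds a random device secret, the user’s PIN is never stored, the two together derive a P-256 key, and the server holds only the public key. The challenge the server sends carries a description of the action to approve, and that description is part of what gets signed, which also addresses the point raised under No. 2: a user who was shown “Pay $20” cannot unknowingly approve “Pay $2,000”. The device-secret-plus-PIN key derivation, the netstring framing of the signed message and all names used are assumptions for illustration; a production app would keep the key in a secure element that rate-limits PIN attempts rather than deriving it from a software secret.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// Challenge is what the server sends to the phone. Action is the human-readable text
// the app shows before asking for the PIN, so the user approves a specific transaction.
type Challenge struct {
	User   string
	Nonce  []byte
	Action string
}

// challengeDigest binds user, nonce and action into the value that is signed.
func challengeDigest(c Challenge) []byte {
	h := sha256.New()
	for _, f := range [][]byte{[]byte(c.User), c.Nonce, []byte(c.Action)} {
		fmt.Fprintf(h, "%d:%s", len(f), f) // netstring framing: field boundaries cannot shift
	}
	return h.Sum(nil)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable randomness: refuse to continue
	}
	return b
}

// Device models the phone app. deviceSecret (possession factor) is random, created at
// enrollment and never transmitted; the PIN (knowledge factor) is never stored at all.
type Device struct{ deviceSecret []byte }

func NewDevice() *Device { return &Device{deviceSecret: randomBytes(32)} }

// deriveKey turns (deviceSecret, pin) into a P-256 key; a wrong PIN yields a different key.
// Illustrative shortcut: holding deviceSecret plus the public key allows offline PIN
// brute force, so real apps keep the key in a secure element that rate-limits attempts.
func (d *Device) deriveKey(pin string) *ecdsa.PrivateKey {
	curve := elliptic.P256()
	mac := hmac.New(sha256.New, d.deviceSecret)
	mac.Write([]byte("2fa-demo-key-v1|" + pin))
	k := new(big.Int).SetBytes(mac.Sum(nil))
	k.Mod(k, new(big.Int).Sub(curve.Params().N, big.NewInt(1)))
	k.Add(k, big.NewInt(1)) // 1 <= k <= N-1
	x, y := curve.ScalarBaseMult(k.Bytes())
	return &ecdsa.PrivateKey{PublicKey: ecdsa.PublicKey{Curve: curve, X: x, Y: y}, D: k}
}

// Enroll hands the server only the public half; neither secret leaves the phone.
func (d *Device) Enroll(pin string) *ecdsa.PublicKey { return &d.deriveKey(pin).PublicKey }

// Approve signs after the app displayed c.Action and the user typed the PIN: both factors, this action only.
func (d *Device) Approve(c Challenge, pin string) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, d.deriveKey(pin), challengeDigest(c))
}

// Server keeps one public key per user and the single challenge it is waiting on.
type Server struct {
	keys    map[string]*ecdsa.PublicKey
	pending map[string]Challenge
}

func NewServer() *Server { return &Server{map[string]*ecdsa.PublicKey{}, map[string]Challenge{}} }
func (s *Server) Register(user string, pub *ecdsa.PublicKey) { s.keys[user] = pub }

// NewChallenge issues a fresh nonce tied to the action the server intends to perform.
func (s *Server) NewChallenge(user, action string) Challenge {
	s.pending[user] = Challenge{User: user, Nonce: randomBytes(16), Action: action}
	return s.pending[user]
}

// Verify uses the server's own copy of the challenge (never one echoed back by the client).
func (s *Server) Verify(user string, sig []byte) error {
	c, ok := s.pending[user]
	delete(s.pending, user) // retire first: a replayed signature must fail
	if !ok {
		return errors.New("no pending challenge (stale or replayed)")
	}
	if pub := s.keys[user]; pub == nil || !ecdsa.VerifyASN1(pub, challengeDigest(c), sig) {
		return errors.New("rejected: wrong device, wrong PIN or altered action")
	}
	return nil
}

func main() {
	dev, srv := NewDevice(), NewServer()
	srv.Register("alice", dev.Enroll("4711"))
	c := srv.NewChallenge("alice", "Pay $2,000 to ACME Corp")
	sig, _ := dev.Approve(c, "4711") // the app displayed the action first
	fmt.Println(srv.Verify("alice", sig), "|", srv.Verify("alice", sig)) // <nil> | replay error
}
```

The first Verify succeeds; the second, fed the same signature, fails because the challenge was retired. A wrong PIN, a signature from a different device, or a signature over an altered action description all fail the same way, since the server verifies against its own record of what it asked the user to approve rather than trusting whatever the client sends back.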
No. 4: Most 2-factor solutions are similar with only minor differences in approach.
Reality: While early two-factor solutions relied largely on hardware “tokens” that produced one-time passwords, the past few years have brought considerable innovation to 2FA. Many solutions that deliver codes by SMS or other telephonic means are available. Others provide 2FA through a mobile application holding a cryptographic secret, or through keying material stored in the user’s browser. The degree of reliance on third-party services (either authentication service providers or telecom companies) is also a factor to consider, since breaches at these providers have in the past compromised the authentication that depended on them.
No. 5: Two-factor authentication is an annoying compliance requirement with little material benefit to the business.
Reality: Some businesses do treat two-factor authentication as nothing more than a compliance requirement, rather than as an opportunity to reduce fraud. Some even adopt technologies that barely qualify as a second factor, such as browser fingerprinting, in an effort to satisfy the requirement while minimizing user impact. A far better approach is risk-based authentication: require 2FA for higher-risk transactions, such as a large transfer or a change of contact details, while giving users the convenience of single-factor authentication for common, lower-risk operations. This balances user convenience against the benefits of fraud reduction.
Two-factor authentication does improve security, but it’s not the solution in all cases. Adopting the wrong 2FA solution can burden users with little security benefit. Understanding your users and the security threats you face is the key to a successful two-factor authentication deployment.
Jim Fenton is CSO at OneID and is responsible for security design of the OneID identity system as well as oversight of the company’s corporate information security.
Awesome! All these myths helped me to clear so many doubts regarding this mechanism. This article is a nice guide to help all the people who are learning about this process or are aware of it.