Username and password have long been the main method of authentication, and they remain so. But other authentication factors are often added to passwords to improve security. How well do these multi-factor authentication approaches work, and how should businesses approach them?
The Password is Still King
The password is familiar, and everyone knows how it works—or, at least, how it’s supposed to work. It’s essentially free. It can be used on any system, using any platform, by anyone. The password is anonymous and its use does not compromise privacy. It can easily be replaced if compromised.
According to SplashData, the two most common passwords of 2017 were still the long-time champions, 123456 and password. And people are certainly known to share passwords. So, despite the virtues listed above, passwords have one great defect: alone, they can be almost useless for security.
This is where multi-factor authentication approaches come in, typically with just one additional factor, for two-factor authentication (2FA).
A brief overview of two-factor authentication
There are three primary authentication factors used in a multi-factor authentication process:
- Something the user knows, such as a password.
- Something the user has or has access to, such as a token, smart card, or, most often, a registered phone number.
- Something that is part of what the user is, such as a fingerprint, iris scan, or facial recognition.
Currently, most 2FA implementations rely on the first two. Biometrics as an authentication factor will likely be increasingly used but has its own problems, discussed at length here.
The idea is that the two factors are completely independent. An attacker might get one, but getting the second would require a separate effort. With only one factor, login is still impossible.
And what is real 2FA?
The most familiar form of 2FA is when you enter your password, are sent a one-time code via an SMS text message to your mobile phone, and then enter that code as well. So: two factors, password (something you know) and your phone (something you have), right?
Strictly speaking, this is known as two-channel or two-step verification rather than two-factor authentication: once the code arrives it is just another thing you know, and it proves possession of the phone only to the extent that the SMS channel cannot be intercepted or redirected. The distinction can fuel endless academic debate, but it also makes for clearer security analysis. It is easy to assume two pieces of information are independent when they in fact share an exploitable connection.
Regardless of accurate terminology, the world will continue to call this 2FA—and so will this post.
SMS 2FA has a variety of vulnerabilities, including phone number reassignment and SIM swapping, either of which can deliver the confirmation code to an attacker instead of the user. For these and other reasons, NIST Special Publication 800-63B treats SMS-based out-of-band verification as a restricted authenticator rather than a recommended one.
But companies and customers will continue to use this form of 2FA, because it is easy, straightforward, and takes advantage of a sophisticated device that most people already own: a smartphone. At worst it is no less secure than the password alone, provided the code is never accepted on its own. The caveat matters: if the same phone number is also used to reset a forgotten password, a hijacked number becomes a way around the password rather than an addition to it.
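To make the flow described above concrete, here is an added example (not code from the original post) of a minimal server-side two-step login: the one-time code is generated only after the password is accepted, is stored hashed, expires, is single-use, and is limited to a few guesses. The SMS gateway and the clock are stubbed with constructed values, and the class and function names, time-to-live and attempt limit are assumptions of this example. It also shows the caveat above in practice: a code presented without a pending password session is rejected, so the phone channel adds to the password rather than standing in for it.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed: a one-time code is valid for five minutes
MAX_ATTEMPTS = 5         # assumed: guesses allowed before the pending login is discarded
PBKDF2_ROUNDS = 200_000


class TwoStepLogin:
    """Password step, then a one-time code step, both bound to one pending login session."""

    def __init__(self, send_sms, clock=time.time):
        self.users = {}            # username -> {"salt", "pw_hash", "phone"}
        self.pending = {}          # session id -> state of a login that passed the password step
        self.send_sms = send_sms   # hypothetical SMS gateway: send_sms(phone, text)
        self.clock = clock         # injectable so expiry can be exercised without waiting

    @staticmethod
    def _hash_pw(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, username, password, phone):
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "pw_hash": self._hash_pw(password, salt), "phone": phone}

    def start_login(self, username, password):
        """Step 1: check the password. Only then is a code generated and sent."""
        user = self.users.get(username)
        if user is None:
            # Unknown user: spend the same hashing cost so timing does not reveal valid usernames.
            self._hash_pw(password, b"\x00" * 16)
            return None
        if not hmac.compare_digest(self._hash_pw(password, user["salt"]), user["pw_hash"]):
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        session_id = secrets.token_urlsafe(16)
        self.pending[session_id] = {
            "user": username,
            "code_hash": hashlib.sha256(code.encode()).digest(),  # store only a hash of the code
            "expires": self.clock() + CODE_TTL_SECONDS,
            "attempts": 0,
            "authenticated": False,
        }
        self.send_sms(user["phone"], f"Your login code is {code}")
        return session_id

    def verify_code(self, session_id, code):
        """Step 2: the code is accepted only against a session that already passed step 1."""
        s = self.pending.get(session_id)
        if s is None or s["code_hash"] is None:
            return False                       # no password step, or code already consumed
        if self.clock() > s["expires"] or s["attempts"] >= MAX_ATTEMPTS:
            del self.pending[session_id]       # expired or brute-forced: start over from the password
            return False
        s["attempts"] += 1
        if hmac.compare_digest(hashlib.sha256(code.encode()).digest(), s["code_hash"]):
            s["authenticated"] = True
            s["code_hash"] = None              # single use: a replayed code is rejected
            return True
        return False

    def is_authenticated(self, session_id):
        s = self.pending.get(session_id)
        return bool(s and s["authenticated"])


def _other_code(code):
    """A six-digit code guaranteed to differ from the real one (for the demo only)."""
    return f"{(int(code) + 1) % 10**6:06d}"


def run_demo():
    """Exercise the flow against constructed data; returns which checks behaved as intended."""
    outbox = []                                   # constructed stand-in for the SMS gateway
    now = [1_700_000_000.0]                       # constructed clock so expiry can be tested
    auth = TwoStepLogin(send_sms=lambda phone, text: outbox.append((phone, text)),
                        clock=lambda: now[0])
    auth.register("alice", "correct horse battery staple", "+15555550100")
    ok = {}

    ok["wrong_password_sends_no_code"] = auth.start_login("alice", "hunter2") is None and not outbox

    sid = auth.start_login("alice", "correct horse battery staple")
    code = outbox[-1][1].split()[-1]              # what the phone would display
    ok["code_without_password_step"] = auth.verify_code("no-such-session", code) is False
    ok["wrong_code_rejected"] = auth.verify_code(sid, _other_code(code)) is False
    ok["right_code_accepted"] = auth.verify_code(sid, code) and auth.is_authenticated(sid)
    ok["replayed_code_rejected"] = auth.verify_code(sid, code) is False

    sid = auth.start_login("alice", "correct horse battery staple")
    code = outbox[-1][1].split()[-1]
    now[0] += CODE_TTL_SECONDS + 1
    ok["expired_code_rejected"] = auth.verify_code(sid, code) is False

    sid = auth.start_login("alice", "correct horse battery staple")
    code = outbox[-1][1].split()[-1]
    for _ in range(MAX_ATTEMPTS):
        auth.verify_code(sid, _other_code(code))
    ok["locked_out_after_max_attempts"] = auth.verify_code(sid, code) is False
    return ok


if __name__ == "__main__":
    for name, passed in run_demo().items():
        print(f"{'PASS' if passed else 'FAIL'} {name}")
```

Two design choices carry the security argument. The code is created and sent only inside `start_login`, after the password check, so there is no path by which the SMS step can be reached without the password; and `verify_code` looks the code up by the pending session, not by user, so a code obtained through a hijacked number is useless without that session. Account recovery is deliberately absent: the moment the same SMS channel can reset the password, the second step collapses into the first.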
Convenience and usability vs. security
What’s the best form of personal cybersecurity? The one you actually use. Companies face attacks from many other directions, and user error is one vulnerability they can actually do something to minimize.
This is where other forms of 2FA with a more robust “something you have” factor than an SMS message, such as security keys, fobs, and smart cards, run into problems, particularly for consumers rather than employees. Something like a YubiKey really does provide a good degree of security, but it requires the user to carry and use another piece of hardware, one that does not have Facebook on it and is therefore easier to forget.
If lost keys result in calls to the helpdesk, the expense of security can rise unsustainably.
Security can be a brand value, but ease of use always is. Businesses will need to balance the two, and various forms of 2FA, properly implemented, will make their job easier.