A Verizon Report in 2012 identified password theft as one of the major causes of data security breaches in the past year. The situation has not changed much since the report came out. Organizations continue to be victimized by unscrupulous individuals and organized crime syndicates who find it easy to exploit the vulnerability that is inherent in the use of passwords as an authentication method. It is time organizations had a look at their authentication systems with a view to strengthening them.
One of the ways to strengthen the authentication protocol is to use a two-factor authentication (2FA) system (also known as two-step verification). What is two-factor authentication? Does it really strengthen the protocol?
The two-factor system adds an authentication layer. The second layer is based on something the employee is or something the employee holds—such as an iris scan, a fingerprint, or a personally issued thumb drive—as an authentication factor. Alternatively, mobile phone two-factor authentication can be used as the second layer. In this scenario, a dynamic computer-generated code is sent to a mobile phone via text, voice call or mobile application.
How does the two-factor authentication work?
The first layer usually involves entering a user ID and password. The second layer may involve presenting a fingerprint to a reader or scanner, plugging in a thumb drive with the required credentials encoded on it, or entering the aforementioned dynamic code. If either factor does not match, authentication is refused. The system may also be designed to lock out the user and raise an alert if more than a specified number of authentication attempts are made.
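The following is an added example, not code from the original article or from any vendor it names. It implements the second layer in its "dynamic code" form: a password check (first factor) plus a time-based one-time code (second factor, RFC 6238 TOTP, the scheme Google Authenticator-style apps use, here built over RFC 4226 HOTP with SHA-1), with a lockout and alert after a specified number of failures. The lockout threshold, the clock-skew window, the function names and the sample user are assumptions; the secret used in the usage call is the RFC 6238 test-vector secret.

```python
"""Two-factor login: password + RFC 6238 TOTP code, with lockout.

Constructed example; not code from the original article. MAX_ATTEMPTS,
SKEW_WINDOW, the record layout and all names are assumptions.
"""
import base64
import hashlib
import hmac
import os
import struct

MAX_ATTEMPTS = 5   # assumed lockout threshold ("specified number of attempts")
TIME_STEP = 30     # seconds per TOTP step (RFC 6238 default)
SKEW_WINDOW = 1    # accept the code for one step either side, for clock drift


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 + dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over floor(time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = SKEW_WINDOW) -> bool:
    """Constant-time comparison against the current step and +/- window steps."""
    counter = unix_time // TIME_STEP
    return any(
        hmac.compare_digest(hotp(secret, c), code)
        for c in range(counter - window, counter + window + 1)
    )


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the stored value is never the raw password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_user(password: str, base32_seed: str) -> dict:
    """Build a user record. The base32 seed is the format authenticator apps import."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "totp_secret": base64.b32decode(base32_seed, casefold=True),
        "failures": 0,
        "locked": False,
        "alerts": [],   # stand-in for a real alerting hook
    }


def login(user: dict, password: str, code: str, unix_time: int) -> str:
    """Return 'ok', 'denied' or 'locked'.

    Both factors are always evaluated, so a wrong password does not fail faster
    than a wrong code. Any mismatch counts as a failure; after MAX_ATTEMPTS
    consecutive failures the account is locked and an alert is recorded.
    """
    if user["locked"]:
        return "locked"
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    code_ok = verify_totp(user["totp_secret"], code, unix_time)
    if pw_ok and code_ok:
        user["failures"] = 0
        return "ok"
    user["failures"] += 1
    if user["failures"] >= MAX_ATTEMPTS:
        user["locked"] = True
        user["alerts"].append("account locked after repeated failed 2FA attempts")
        return "locked"
    return "denied"


if __name__ == "__main__":
    # RFC 6238 test-vector secret ("12345678901234567890") in base32 form.
    user = make_user("correct horse", "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(login(user, "correct horse", totp(user["totp_secret"], 59), 59))   # ok
    print(login(user, "correct horse", "000000", 59))                        # denied
```

Two design choices worth noting: the code is compared with `hmac.compare_digest` rather than `==` so timing does not leak how many digits matched, and the skew window is kept small because every extra step widens the set of codes an attacker could guess; a production deployment would also reject a code that has already been used within its step.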
Is two-factor authentication secure?
Of course, even a two-factor authentication system can be broken by determined criminals. For instance, in 2012 a CloudFlare customer’s account was compromised despite using two-factor authentication. An investigation identified that the account was hacked due to a Google App vulnerability. The vulnerability was fixed shortly afterwards, but this case highlights that two-factor authentication is not 100% secure. Nonetheless, it creates an additional obstacle for attackers and makes attacks less of a threat.
Two-factor authentication is expensive to build and maintain, and if implemented incorrectly can actually increase vulnerabilities. The installation of the system also demands a certain level of technological expertise and managerial experience as its deployment can be complicated and demanding.
For organizations that want to implement two-factor authentication but lack the resources to build, deploy and maintain their own system, one option is to use an existing 2FA platform like Google Authenticator. This approach is popular with online consumer services, and is making strides in enterprise services as well. In the backup space, for example, Zetta introduced two-factor authentication using the Google Authenticator platform in August 2014.
Those who have implemented two-factor authentication technology are reaping the benefits of increased security, and those who are contemplating the investment are on the right wicket. With the availability of affordable, reliable third-party 2FA platforms, the technology will likely continue to proliferate across both consumer and enterprise markets.