VIP (Validation ID Protection)


A Guide to Two-Factor Authentication 

Mar 15, 2016 03:38 PM

Passwords have been the primary means of verifying user identity since the need to protect data emerged. A growing user population requires access from an array of mobile devices, and the amount of information stored on servers and in the cloud continues to grow, providing more opportunity to conduct business on-the-move.

With this increased opportunity comes heightened vulnerability as more hackers try to tap into that information. Because users are in a rush, there are more temptations to use easy, familiar passwords to access their corporate network or cloud storage.

Let’s examine how developing and implementing a strong two-factor authentication system is vital to help protect your organization from a security breach.

What Is Two-Factor Authentication?

Two-factor authentication, also known as 2FA, is an extra layer of authentication and verification that goes beyond the basic username and password security model. Without two-factor authentication, you enter your username and password, and then you're done: the password is your single factor of authentication. Reusing the same username and password across multiple accounts increases the risk of identity theft further, because one stolen password then opens every account that shares it.

Two-factor authentication is a recommended best-practice for protecting sensitive data, and is sometimes required by law when handling certain types of information.


Why Is Two-Factor Authentication Necessary?

The key to gaining unauthorized access to data is the theft of user credentials—such as passwords. Attackers use stolen credentials to access accounts, and from there hack into servers or databases, or deploy malware to steal sensitive information. When people have strong and unique passwords for each and every service, the need for two-factor authentication is lessened.

Determining and remembering strong and unique passwords for multiple accounts can be difficult, so many users abandon safety for convenience. The Verizon 2014 Data Breach Investigations Report found that two-thirds of breaches are the result of weak or stolen passwords.

You use 2FA so that the failure of one factor does not grant access to attackers. Therefore, if a password is one factor, then the second factor can protect you if the password turns out to be weak.

How Does Two-Factor Authentication work?

Using two-factor authentication adds an extra step to the basic log-in procedure, giving would-be hackers two levels of protection to crack. Overall, this greatly decreases the chance for a successful attack. Reducing the dependency on passwords improves the user experience and ultimately decreases vulnerability throughout the network.

Different Ways to Authenticate

There are many methods to achieve "two-factor" authentication, but most involve augmenting a username/password with an additional, independent factor.

There are three typical ways to authenticate: 

  • Something you know (password, PIN, pattern, passcode, or any other verification based on information only the user should know)

  • Something you have (smart card, token, key, phone, virtual smart card, or other electronic device)—a physical item carried by the user that is unique to them

  • Something you are (fingerprint, voice print, or retinal scan)

Some examples of commonly-used two-factor authentication are:

  • Using a bank card (something you have) and a PIN (something you know) to withdraw money from your bank account at an ATM.

  • Using a hardware token issued by your corporate IT department (something you have) which generates a specific number for you to include with your username and password (something you know) to log onto your corporate network

  • Using an app on a smartphone or tablet that you’ve previously authorized (something you have) with a username and password (something you know) to access private banking

  • Designating an email account (something you have access to) to receive confirmation when you provide your username and password (something you know) to access various secure web sites

  • Receiving a numeric code in an SMS message on your designated smart phone (something you have), and using it in conjunction with your username and password (something you know) to log in to a secure site

Note: SSH keys or SSL certificate-based login may be considered two-factor authentication—you present the key (something you have) and use a passphrase to unlock it (something you know). However, the server does not know if you used a passphrase, so it does not know if there were two factors or just one.


Two-Step vs Two-Factor Authentication

Two-step verification combines a user login—including a password—with physical access to a smartphone or landline telephone to verify authorized access to an account. A user can begin to log into a secured service by entering an ID and password, but then must receive a one-time code (OTC) or one-time password (OTP) via SMS texting or a voice telephone call using a phone number associated with the account. Entering this additional one-time credential constitutes the second step of verification or the second factor of authentication, with the idea that only someone who knows the correct account password and who physically possesses the required object can gain access to the account.

This approach is offered by many sites to authenticate a user when an account is accessed from a new device. For example, if a user buys a new desktop computer or is connecting from a new mobile device, or a different device than any of those used previously, the user may be required to complete the additional authentication step.

This version of advanced login security is often referred to as “two-step verification.” Many data security experts, media reports, and websites also refer to it as “two-factor authentication,” and the two terms have begun to be used interchangeably. Others in the industry, including cryptography experts and developers of advanced authentication solutions, define the two terms differently and draw important distinctions between them. These distinctions cite fundamental differences in security infrastructure and methodology, which are vitally important in understanding respective levels of data security and the ability of various authentication methods to protect users and organizations from hacking.

How Secure Is Two-Factor Authentication?

The security of two-factor authentication really depends on how it is implemented, the scenario in which it is deployed, and the resources available to an attacker who attempts to defeat the selected method of two-factor authentication.

How Is Two-Factor Authentication Implemented?

Most methods used to achieve two-factor authentication involve supplementing a username/password with an additional, independent factor. Some common two-factor authentication methods and their challenges are listed below. For more sophisticated protection, more than two of these factors can be combined to achieve multi-factor authentication (MFA).

Offline One-Time-Password (OTP) Generators

Offline OTP generators include traditional OTP tokens—a piece of hardware or software used to generate a multi-digit code, proving possession of that token generator. The generator and the server are provisioned with the same symmetric secret (the seed), and a mathematical algorithm derives each one-time password from that seed and either the current time or a counter. These solutions are ideally implemented in a discrete piece of hardware, but they can also be implemented in software that can run on a mobile device. This approach allows authentication without requiring the generator device to be connected to the network.

Security of the system depends on key elements:

  1. Security of the seed: If either the OTP generator or the server used to validate the password is compromised by an attacker to gain access to that seed, the security is broken. The attacker can then generate the correct OTP at any time and—if the attacker also possesses the first factor of authentication (username/password)—impersonate the end user.

  2. Security of the channel used to submit OTP: As noted above, the OTP generator itself is offline; the OTP generator is used to create a one-time password that the user submits using a device that is connected to the network. Unfortunately, if the device used to send the OTP is compromised via malware, or if the user is socially-enticed into submitting this information into a fraudulent web site, the attacker then has the ability to perform a single authentication on the user's behalf.

  3. Security of the token hardware: It’s important to make sure that the hardware token is delivered to the correct end user, and not intercepted!

In addition to the security challenges listed above, hardware OTP tokens also suffer from a number of other shortcomings:

  • Usability: End users must copy the OTP from their token device to the device requesting authentication. Correct transcription of the six to eight digits can be a challenge for users. Users can become frustrated with failed attempts, and may then resist the requirement to use 2FA. When OTP is deployed using a software app on a mobile device, the usability problem is increased, because the user must switch between one device and app to generate a one-time password, and the original device and app to enter the OTP.

  • Deployability: In the case of hardware OTP tokens, the cost to purchase, configure, and distribute tokens to end users can be significant. This means that many large organizations will only deploy 2FA to a subset of users. Use of mobile devices as OTP generators somewhat reduces the costs, but raises the possibility that malware on the mobile device could steal the symmetric secret which seeds the OTP generation algorithm.

  • Maintainability: OTP tokens have additional hidden costs. Hardware tokens require batteries, and users may lose, break, or forget tokens—the cost of replacement or deployment of temporary alternatives can be significant. In addition, some hardware tokens have a built-in lifetime; essentially, the token is a perishable good that will expire after a specified time.  

While tokens provide hardware-based security, they only do so if you trust that your vendor will not be compromised, are confident that your users don't enter their OTP indiscriminately, protect the OTP secrets on your OTP server, and don't mind the associated costs. OTP generator apps on mobile devices address some problems with hardware tokens, but there is an elevated possibility that the symmetric secret on the phone may be stolen by an attacker, with or without physical access to the phone.

SMS/Voice One-Time Password Delivery

Instead of using a dedicated hardware token, or even an application, some vendors deliver solutions that send a server-generated OTP to the user with either an SMS text (sent to the user's known phone number), or a phone call that uses text-to-voice synthesis to read the OTP aloud.

The security of the system, using this solution, depends on slightly different elements:

  1. Security of the channel used to deliver the OTP: Possession of the phone number used to receive the OTP is the critical security factor for this solution. If the end user’s phone is stolen and the thief knows their username and password, they can impersonate the end user. It may also be possible for an attacker to receive the end user's SMS or phone calls by cloning the mobile phone's SIM card. Or, an attacker may simply socially-entice the phone company or the service provider into redirecting SMS or phone traffic to a new number ("I lost my phone, can you forward my calls and messages to xxx-xxxx?"). Finally, the user may be tempted to install software to intercept and forward the OTP to the attacker, as is the case in the more sophisticated Hesperbot attacks against online banking applications.

  2. Security of the channel used to submit OTP: If a user receives the OTP securely, but enters it into a compromised application or web browser, an attacker may be able to perpetrate a real-time attack to gain a valid session with the service provider.

Although the problems with deploying and maintaining traditional OTP generators may be avoided using SMS and voice-delivered OTP solutions, many of the same usability challenges remain. There are also the following drawbacks:

  1. Cost variability: In some cases, 2FA will be billed at a set cost per SMS or voice call delivered. It can be challenging to predict transaction volume, and the costs for delivery may also be variable. This can make budgeting a challenge for IT organizations.

  2. Reliability: It is necessary for users to possess their phone and have reception to use SMS and voice-delivered OTP. This can be especially problematic in specific situations. For example, a user who is roaming across international borders may not receive SMS messages in a timely fashion or would incur additional delivery costs. In some situations, operating environments may prohibit or interfere with the use of phones; in particular, healthcare environments that include electromagnetic shielding areas can be especially restrictive.

In most cases, SMS is easy to deploy and relatively inexpensive, making it attractive for consumer banking and consumer Internet applications. That said, it's painful to use (especially in mobile-only applications), and the security offered is probably not as high as what may be desirable.

Push Notification-Based Authentication

Push notification solutions use a dedicated mobile app to receive requests to approve an authentication attempt.

The security of push notification-based authentication will depend on how the solution is implemented:

  1. Security of encrypted material: The mobile application may use public key encryption, allowing the phone to generate an encrypted response to a challenge delivered by the push notification; or, symmetric secrets may be used (in some cases, the push notification acts as a layer on top of customary OTP, with the app essentially acting as a way to address the OTP usability issues). The security of these solutions will depend on the security of any symmetric keys, private keys, or session tokens supplied to the device.

  2. Security of the channel used to deliver the push notification: This will depend on the particular push notification service used.

Push notification-based systems address the deployment and maintenance issues of traditional OTP generators, and the cost issues of SMS and voice-delivered OTP solutions. They also have the advantage that the device and channel used to approve an authentication request are independent of the channel originally used to initiate the authentication request.

However, there are still issues with this solution:

  1. Reliability: Like SMS and voice-delivered OTP, the effectiveness of push notification-based solutions depends on the reliability of the data connection. However, there is usually no per-authentication transaction charge, making these solutions less expensive.

  2. Device security: Sometimes, possessing the end user's device is all that’s required to compromise their account; some solutions may not even require a username and password to trigger authentication, and may not require users to authenticate to their phone to approve an authentication request.
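A challenge-response exchange of the kind the push section describes, as an added example (not code from the article or from any vendor's product). It uses the symmetric-secret variant the article mentions, an HMAC computed by the phone over the challenge; a public-key variant would have the phone sign the challenge with its private key instead. The server binds every approval to one specific, short-lived login request, so an approval cannot be replayed or transplanted onto a different request, and the phone side refuses to answer until the user has unlocked the device, which is the mitigation for the device-security issue above. Keys, nonces, addresses and timestamps are constructed.

```python
"""Added example (not code from the article or from any vendor's product): a
push-style challenge-response where the server binds each approval to one
login request. Symmetric variant: the phone HMACs the challenge with a key it
shares with the server. Keys, nonces, addresses and times are constructed."""
import hashlib
import hmac
import json
import os


def canonical(challenge: dict) -> bytes:
    """Stable byte encoding so phone and server MAC exactly the same fields."""
    return json.dumps(challenge, sort_keys=True, separators=(",", ":")).encode()


def device_respond(device_key: bytes, challenge: dict, phone_unlocked: bool = True) -> str:
    """Phone side. The MAC covers the whole challenge (nonce, user, origin, expiry),
    so an approval fits one request only. Requiring a local unlock first means
    possession of the handset alone is not enough to approve a login."""
    if not phone_unlocked:
        raise PermissionError("approval requires the user to unlock the device")
    return hmac.new(device_key, canonical(challenge), hashlib.sha256).hexdigest()


class PushAuthServer:
    """Server side: issues single-use, short-lived challenges and checks responses."""

    def __init__(self, device_key: bytes, ttl_seconds: int = 60):
        self.device_key = device_key   # shared with exactly one enrolled phone
        self.ttl = ttl_seconds
        self.pending = {}              # request_id -> challenge awaiting approval

    def create_request(self, username: str, client_origin: str, now: int) -> dict:
        """Called after the first factor succeeds. The returned challenge is what
        the push service delivers to the phone, a channel separate from the login."""
        challenge = {
            "request_id": os.urandom(16).hex(),  # fresh nonce per request
            "user": username,
            "origin": client_origin,             # shown to the user before approving
            "issued_at": now,
            "expires_at": now + self.ttl,
        }
        self.pending[challenge["request_id"]] = challenge
        return challenge

    def approve(self, request_id: str, response_mac: str, now: int) -> bool:
        """One attempt per request: the challenge is consumed whether or not it verifies."""
        challenge = self.pending.pop(request_id, None)
        if challenge is None or now > challenge["expires_at"]:
            return False  # unknown, already used, or expired
        expected = device_respond(self.device_key, challenge)
        return hmac.compare_digest(expected, response_mac)


if __name__ == "__main__":
    key = b"constructed-device-key"
    server = PushAuthServer(key)
    ch = server.create_request("alice", "203.0.113.5", now=1000)
    mac = device_respond(key, ch)
    print("approved:", server.approve(ch["request_id"], mac, now=1010))  # True
    print("replayed:", server.approve(ch["request_id"], mac, now=1011))  # False
```

Two design choices matter here. Including the origin of the login in the signed challenge is what lets the app show the user where the request came from, so an unexpected prompt can be declined rather than reflexively approved. And consuming the challenge on the first attempt, successful or not, keeps each pushed request a one-shot event, which is the property that makes the out-of-band channel worth more than a code typed back into the same session.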

Takeaways

The need to protect data will only increase as our online business and need for remote access grows—and as the motives and methods of attackers evolve.

While we educate and train users to be cautious and develop means to shield identifiable information from hackers, the desire for speed and convenience will often overcome the recognition of vulnerability.

Using two-factor authentication provides a protective layer that can help make sure your sensitive information is only accessed by those who are legitimately authorized to reach it.

How Does Symantec Help With Two-Factor Authentication?

Symantec’s strong user authentication solutions provide convenient, secure, cloud-based two-factor user authentication and public key infrastructure (PKI) services for protecting online identities and interactions between consumers, business partners, and employees.

Symantec Validation and ID Protection Service (VIP) gives users the ultimate in convenience for validating a login from a smartphone or tablet. Simple, smart, secure.


Comments

Mar 18, 2016 01:16 PM

Great article and covers a lot of ground. I noticed the use of biometrics was not mentioned. With Symantec VIP we're seeing more interest in using our passwordless authentication that does away with the password in favor of two of the more secure factors - the device and a fingerprint. The driver seems to be the desire to improve the user experience, but not at the expense of security.
