Security Newsletter

Security Newsletter

Is Two-Factor Authentication Enough?

The new “standard” regarding verification in IT security has become two-factor authentication. This is a process that can use a wide array of authenticators to allow a user access to an account. An example scenario of two-factor authentication could be: a user downloads a new application and enters their email address and corresponding password to create a new account (first factor). After this, a prompt appears to ask for a mobile phone number to send a 4-8-character pin, which is then entered in the prompt (second factor), authenticating the user. This is just one example of how two-factor authentication works. But, is this truly enough?  

There are many conflicting opinions regarding two-factor authentications. Many security professionals believe that it is in fact not enough, while businesses believe that it is. A 2016 Secureauth survey recorded that 99% of IT decision makers thought that two-factor authentication was the best way to secure identity and access. [1] The reality is that hackers are adapting and figuring out ways to intercept messages, breaching two-factor authentication methods.

So, what’s on the horizon for advanced authentication? Three factor authentications? Four factor authentications? Well…. yeah. Businesses are evolving to advanced authentications (several factor authentication). But is there a limit on the number of authenticators? Probably. At this point in time businesses are moving to systems that require additional levels of verification based on the sensitivity of the data. This can almost be thought of as a pyramid. The higher you get (or deeper into the data) the more complex it is to reach, meaning you need more authenticators.

So… what can a user do to ensure that their two-factor authentication is secure in the meantime? Use an authenticator (the google authenticator application is great) instead of an SMS password. SMS passwords are becoming more and more vulnerable as hackers are becoming proficient in sim card attacks. Defined below:

“A SIM swap attack, also known as a SIM intercept attack, is a form of identity theft in which an attacker convinces a cell phone carrier into switching a victim’s phone number to a new device to gain access to bank accounts, credit card numbers and other sensitive information.” [2]

Another measure to ensure that your two-factor authentication is “more secure” is to implement Yubikeys. Defined below:

The YubiKey is a hardware authentication device manufactured by Yubico that supports one-time passwords, public-key encryption and authentication, and the Universal 2nd Factor (U2F) protocol developed by the FIDO Alliance (FIDO U2F). … The 4th generation YubiKey launched on November 16, 2015.[3]

To summarize: a Yubikey is a piece of hardware that plugs into the USB port of your computer. This Yubikey works in conjunction with a username and password. If the username and password is compromised, but the Yubikey is not plugged into the USB port access will be denied.

Realistically, two-factor authentications should be a standard at this point. As time goes on things will change (as they always do in IT security) and, two-factor will become obsolete. In the meantime, making sure your business is at least up to par, and using two-factor authentication could help, and even add legitimacy to your businesses reputation.

By, Matthew McCaffrey



About the Author

Rachael Janz