Two-Factor Authentication: The Death of the P4ssw0rd?

Despite a rise in awareness of insecure passwords, they continue to persist; ‘Password’ and ‘123456’ are still the most commonly stolen passwords online.

Last year, we saw many examples of leaked company data due to password weakness. For example, hackers stole the login credentials of a JPMorgan employee and, as a result of a server lacking two-factor authentication, information about over 83 million customers.

If a hacker or any unauthorised user has access to another user’s password, then the hacker can simply login to that user’s account, rendering the password requirement useless, regardless of whether it has taken seconds or years to decipher.

To ensure adequate protection against hacking, two-factor authentication (2FA) can be implemented. Though it is by no means a perfect security solution, it is undoubtedly an important tool in overall password strength.

2FA combines a static password with a one-time-use access code. Authentication can be made up of multiple factors, and by using several in conjunction, the user can decrease the likelihood of a hacker gaining access to sensitive data.

A hacker will require both the password and access to the device or software generating the ‘one-time password’ in order to access the account. Security specialists have traditionally recommended making use of the factors outlined below:

What you know

Usernames, passwords, PINs, patterns and other personal details are often the most basic method of authentication. Unfortunately, they constitute information that the user may inadvertently give out to someone who may then gain access to the user’s account.

What you are given

When it comes to banking and finance, many users are given a physical token or software token that generates a seemingly random string of numbers and characters. This ‘one-time password’ has a limited lifespan before becoming invalid. It can also be delivered via SMS or telephone call.

What you are

A far more complex means of authentication will rely on biometrics. In this case, authentication will often require the user’s fingerprints, iris scan, or voice recording. While this method is clearly more costly and inefficient, it has already begun to enter the mainstream (e.g. Apple’s iPhone 5S).

Where you are

Another highly technical solution is one that works in conjunction with GPS to locate the user, who will then only be able to login in a specific area, making it arguably the most secure method of authentication.

Gaining Momentum  

Fortunately, 2FA has become widely adopted among industry leaders. Google, which grants user access to a number of its applications on one password alone, has introduced 2FA by sending a unique code to users via SMS.

This approach has also been adopted by LinkedIn, which contains a great deal of corporate data. While Facebook is perhaps less business-critical, it is undoubtedly used widely in corporate environments. Its sheer volume of users has required the company to implement a 2FA that identifies new browsers used to make each login (despite this feature being overlooked on the mobile app).

These examples indicate a growing trend among some of the world’s most popular websites.

However the popularity of 2FA not be growing fast enough. Several high profile hacks last year were carried out on administrative passwords alone, echoing warnings by security experts: the breach of a single server or employee account can be fatal to an organisation.

Without 2FA, hackers can move inside a corporate network simply by exploiting the security holes in the computers of low-level employees. Adding extra layers of authentication is key to limiting this threat.

Although the password may not be dead yet, it certainly needs reinforcement.

Andrew Tang is service director for Security at MTI.