
Is two-factor authentication enough?

The general consensus appears to be that two-factor authentication (2fA) is the answer to our authentication needs, whether on the consumer sites we use in our personal lives or as part of our daily requirements when signing into enterprise infrastructure and applications at work.

However, the cyber-attack on Three's customer upgrade database is yet another example of how 2fA is not enough. Organisations must move away from relying solely on usernames and passwords, as once again access was gained with a stolen employee login.

The misuse and abuse of systems utilising username and password alone is now so common that the security of identities is finally the leading item on most organisations’ agendas. People are now far more aware that username and password alone should not be trusted and, where possible, should not be used, especially when large breaches such as Three’s are made public. Unfortunately, we can’t sleep easy just yet. Well-documented hacks involving second factor methods are out there, with many popular second factor methods being susceptible to interception.

The truth of the matter is that 2fA on its own will protect you some of the time but not all the time. Yes, 2fA being in place will normally deflect your average hacker, moving them on to an easier target. Determined hackers may not necessarily be put off though, and it is here that the problems lie.

The username and password attack vector has really just been moved along into another form. Examples such as the RSA SecurID token hack, the issues with SMS OTP (recently deprecated by NIST), compromised devices and poorly designed applications all lead to new areas of exploitation for the hacker. Phishing attacks remain the most common form of identity theft. Using information gained from social harvesting and from the users themselves allows hackers to build up a great profile to use to go after any weak points around the user’s security measures.

Malware is now specifically written to go after tokens; yes, those soft tokens now popular on smartphones, offering OTPs that act as the second factor. The problem here is that the OTP is really just another password in the user’s possession, albeit with a limited life. Malware and basic phishing attacks can therefore be used to extract the OTP from the user and/or device.

The worrying thing is that if 2fA is already broken, why are organisations rushing to a broken security model? Maybe it’s a result of the perception that doing anything above username and password has to be a good thing. Then there’s the user: 2fA challenges do add to user frustration, degrading the user experience. This in turn leads to attempts to circumvent the security measures put in place, resulting in a solution that is merely an annoyance and often no more secure.

Placing 2fA in front of all applications is a huge overhead, not only on the end user but on the admin and application teams charged with configuring the systems. Often we see single sign-on being offered, following just 2fA, as a way to improve the user experience; this is another huge issue that can have serious implications. It is not good enough to offer SSO based on just 2fA. Additional controls need to be factored in to monitor and continuously authenticate the user during their authentication lifetime.

The great advantage of proving a user through continuous authentication is the ability to offer SSO at that point, and not before (a topic for another day). Most importantly, we should not consider 2fA alone to be a silver bullet. Please don’t misunderstand me: I believe 2fA is a great starting point and a huge improvement compared to just relying on usernames and passwords; the issue is that we need to utilise additional pieces of information. We need to be taking advantage of the great contextual information that exists today around our identities, devices and locations, as attempts are being made to access our applications. 2fA alone is neither the starting point nor the end point; it is just a piece of an ever-changing jigsaw.

What should we be striving for?

We need to be pushing for solutions that are not static in nature, that reposition themselves based on the information presented as part of an authentication workflow. Of course, I am referring to adaptive authentication solutions that are capable of changing not just the course of an authentication attempt but also the authentication methods supported, by using real-time contextual information.

The ability to layer together intelligence, not only to drive dynamic decisions but ultimately to provide a risk score and audit trail, gives a powerful solution that adjusts to the context of the user attempting to authenticate. Layers such as device recognition, IP reputation, geo-location, geo-velocity, geo-fencing, groups, entitlements, access histories and behavioural biometrics allow an overriding risk score to drive the authentication workflow.

A user identity coming from behind a Tor exit node, for example, can simply be blocked, redirected or stepped up to a particular type of authentication method. Stopping the risk associated with such activity at source becomes possible, before authentication methods are even offered to the end user. These layers allow an organisation to build a strategic defence-in-depth authentication solution that not only keeps the hackers out and protects the 2fA authentication methods but also improves the user experience. Yes: increase security and improve the user experience! Using the same intelligence gathered during pre-authentication risk analysis, we can now allow a user controlled access without requiring additional authentication challenges.

This approach delivers a huge improvement in the user experience: the friction is removed. The user will only be challenged when necessary, should a risk indicator dictate. This allows us to move away from the broken model of just 2fA, into a model that allows invisible and continuous authentication.
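The pre-authentication risk analysis described above, sketched as an added example that is not from the article or from any SecureAuth product. It layers three of the named signals (IP reputation for Tor exits, device recognition, geo-velocity) into a score, a decision and an audit trail; the weights, thresholds, names and sample data are all assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass

# Constructed sample data (assumptions, not real indicators)
TOR_EXIT_NODES = {"203.0.113.7"}        # documentation-range address
KNOWN_DEVICES = {"alice": {"dev-a1"}}   # device recognition layer
MAX_KMH = 900.0                         # faster than this is implausible travel

@dataclass
class Attempt:
    user: str
    ip: str
    device_id: str
    lat: float
    lon: float
    ts: float  # epoch seconds

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 6371.0 * 2 * math.asin(math.sqrt(a))

def evaluate(attempt, last_seen=None):
    """Return (decision, score, audit) before any authentication method is offered."""
    audit = []
    if attempt.ip in TOR_EXIT_NODES:
        audit.append("ip_reputation: tor exit node")
        return "block", 100, audit      # stopped at source, no factor offered
    score = 0
    if attempt.device_id not in KNOWN_DEVICES.get(attempt.user, set()):
        score += 40
        audit.append("device: unrecognised (+40)")
    if last_seen is not None:
        hours = max((attempt.ts - last_seen.ts) / 3600.0, 1e-6)
        speed = km_between(last_seen.lat, last_seen.lon, attempt.lat, attempt.lon) / hours
        if speed > MAX_KMH:
            score += 50
            audit.append(f"geo-velocity: {speed:.0f} km/h (+50)")
    # Assumed policy: no risk -> no extra challenge; some risk -> step up; high -> block
    decision = "block" if score >= 80 else "step_up" if score > 0 else "allow"
    return decision, score, audit
```

A recognised device with plausible travel returns `allow` with no challenge, which is the friction-free path the article describes; any single risk indicator steps the user up to a second factor.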

The key here is being able to react not only to threats as they change and adapt (new layers) but to users’ requirements as they also change over time. I’m suggesting a truly flexible authentication solution that allows organisations to stay ahead of the hackers without being locked into a broken 2fA model.

James Romer, EMEA Chief Security Architect, SecureAuth


James Romer has over 21 years of experience in the IT industry and identity security. He joined SecureAuth 4 years ago and is responsible for the technical consultancy aspect of the business advising prospective clients on authentication access. Prior to joining SecureAuth, James was the solution consultant / EMEA technical pre-sales manager at Courion Corporation and prior to that Senior IAM Consultant at Salford Software.