
How can two-factor authentication systems be used effectively?

Effective two-factor authentication takes more than codes sent over SMS and smart cards. Expert Michael Cobb explains what counts as a genuine second factor and how to implement 2FA properly.

In the recent past, we have seen many institutions using smart cards and one-time passwords (a code sent to a registered mobile number via SMS) as two-factor authentication systems. However, going by one of your previous articles, this kind of 2FA doesn't fulfill the requirement of true two-factor authentication, since both the card and mobile device are owned by the same individual. What are your views on the effectiveness of this method? Are there better ways to do two-factor authentication?

As I explained in my earlier article on two-factor authentication (2FA), the ways in which someone can be authenticated fall into three categories based on what are called the factors of authentication:

  1. Knowledge factors, or something you know, such as a password, PIN or personal knowledge question, such as the name of your pet.
  2. Ownership factors, or something you have -- this could be an ID card, a hardware or software token or a phone.
  3. Inherence factors, more commonly called biometrics -- personal attributes, such as fingerprints and face and voice recognition. This also includes behavioral biometrics, such as keystroke dynamics.

To be classified as a two-factor authentication system, a system has to verify elements from at least two of these categories. So verifying a user's password (knowledge factor) and proving they possess the correct hardware token (ownership factor) is 2FA, but verifying a password and the name of the user's pet isn't, because both are knowledge factors.

Plenty of online authentication systems send a code via SMS to a user's mobile phone, which then has to be typed into the login page as part of the authentication process. This establishes that the user controls the phone number registered with the account (strictly, the number rather than the handset, since the network delivers the message to whichever SIM currently holds that number). It is an ownership factor: the code was delivered to the user moments earlier, not memorized, so it does not count as a knowledge factor. For a true two-factor authentication system, the other check must come from a different category, such as a password (knowledge) or a biometric (inherence).

SMS-based verification is popular because it is cheap, easy to implement and simple for users, but none of those qualities make it robust. The recently released public preview draft of the National Institute of Standards and Technology's (NIST) Special Publication 800-63-3, Digital Authentication Guideline, deprecates SMS as an out-of-band authenticator and warns that it may not be permitted in future versions of the guidance. The weakness is the delivery channel, not the one-time code itself: a victim's number can be fraudulently ported to an attacker's SIM, the Signaling System 7 (SS7) protocols that route messages between carriers have been attacked to intercept texts, and mobile malware can read or forward incoming messages. Each of these lets an attacker receive the code without ever touching the registered phone.
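Every weakness listed above is a weakness of the channel: the server generates the code and it has to travel to the phone. The software or hardware tokens mentioned earlier avoid the channel altogether by deriving the code on the device from a shared secret and the current time, as specified in RFC 6238 (TOTP). The following is an added example, not code from the original article; it uses only the Python standard library and the RFC 6238 test-vector seed as the shared secret so the outputs can be checked against the RFC. The one-step drift window, the replay check on the last accepted time step and the otpauth:// provisioning URI are conventional implementation choices, not something the article prescribes.

```python
"""RFC 6238 time-based one-time passwords (TOTP) as a device-bound possession factor.

Added example: the code is computed on the device from a shared secret and the
clock, so nothing secret crosses the SMS channel. Standard library only.
"""
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse

# Shared secret provisioned once at enrolment (normally 20 random bytes). Here
# the RFC 4226 / RFC 6238 test-vector seed is used so results are verifiable.
RFC6238_SEED = b"12345678901234567890"


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, at // step, digits)


def verify_totp(secret, candidate, at, step=30, digits=6, window=1, last_used_counter=-1):
    """Server-side check of a submitted code.

    Accepts codes from `window` time steps either side of now (clock drift),
    compares in constant time, and refuses any time step already consumed
    (counter <= last_used_counter) so a sniffed code cannot be replayed.
    Returns (ok, counter_to_record) so the caller can persist the new high-water mark.
    """
    base = at // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if counter < 0 or counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return True, counter
    return False, last_used_counter


def provisioning_uri(secret, account, issuer, digits=6, step=30):
    """otpauth:// URI (the content of the enrolment QR code) for authenticator apps.

    This is the one and only transfer of the secret; after enrolment it stays on
    the device and only the derived six-digit code is ever typed in.
    """
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode(
        {"secret": b32, "issuer": issuer, "digits": digits, "period": step, "algorithm": "SHA1"}
    )
    return f"otpauth://totp/{label}?{query}"


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC6238_SEED, now)
    print("device shows:", code)
    print("server accepts first use:", verify_totp(RFC6238_SEED, code, now))
    print("server rejects replay:", verify_totp(RFC6238_SEED, code, now, last_used_counter=now // 30))
    print(provisioning_uri(RFC6238_SEED, "alice@example.com", "Example Corp"))
```

The server must store the counter returned on success; without that, a code captured over the shoulder is valid for the whole drift window. Widening `window` beyond one step trades drift tolerance for a larger guessing surface, which is why rate limiting on failed attempts belongs alongside this check.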

NIST's recommendation is likely to accelerate the move to other authentication technologies, including biometrics, USB security tokens and smart cards. Many of these build on the FIDO (Fast Identity Online) specifications, which support a wide range of authenticators and have a useful privacy property: the authenticator generates a separate key pair for each service, the private key never leaves the device, and neither biometric data nor secret keys are shared with, or between, service providers, so a compromise at one site yields nothing usable elsewhere. With high-quality cameras, microphones and fingerprint readers on many of today's devices, biometrics may well become the primary authentication factor soon.

Any enterprise whose authentication relies on a single factor should carry out a risk assessment to confirm that the system provides the level of assurance appropriate to the data or application it protects. Enterprises with sensitive resources on their networks should consider moving to multifactor solutions that add context and continuous behavioral checks.

Factors such as geolocation, type of device and time of day add context that helps determine the level of trust and whether the user should be authenticated, asked for an additional factor or blocked. Behavioral biometric identifiers, such as keystroke timing (how long keys are held and the gaps between them), typing speed and mouse movements, can be discreetly monitored in real time to provide continuous authentication instead of a single one-time check at login. These are fast becoming essential controls against unauthorized access to enterprise and user data.
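The two paragraphs above describe a risk-based decision, so here is one written out as an added example rather than code from the original article. It scores a login attempt from the contextual signals named in the text (device, geolocation, time of day) and one crude stand-in for behavioral biometrics (mean interval between keystrokes compared with an enrolled baseline), then maps the score to allow, step-up (ask for another factor) or block. The weights, thresholds, the 900 km/h "impossible travel" cut-off, the working-hours window and all the login events are constructed assumptions for illustration; a production engine would learn per-user baselines and treat the weights as tunable policy.

```python
"""Context-aware (adaptive) authentication decision.

Added example, not from the original article. Contextual signals (device,
geolocation, time of day) plus one simplified behavioral signal (typing
cadence) produce a risk score that is mapped to allow / step-up / block.
All weights, thresholds and sample events are illustrative assumptions.
"""
import math
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

IMPOSSIBLE_TRAVEL_KMH = 900.0   # assumed cut-off: faster than a commercial flight
WORK_HOURS_UTC = (7, 20)        # assumed normal login window, [start, end)


@dataclass
class LoginEvent:
    user: str
    ts: datetime                 # timezone-aware UTC
    lat: float
    lon: float
    country: str
    device_id: str
    mean_key_interval_ms: Optional[float] = None   # observed typing cadence, if captured


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (mean Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def risk_score(event, previous, known_devices, typing_baseline_ms=None):
    """Return (score, reasons). Each signal adds an assumed weight."""
    score, reasons = 0, []
    if event.device_id not in known_devices:
        score += 40
        reasons.append("unknown device")
    if previous is not None:
        hours = (event.ts - previous.ts).total_seconds() / 3600
        km = haversine_km(previous.lat, previous.lon, event.lat, event.lon)
        # Zero or negative elapsed time with a real displacement is impossible travel.
        speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
        if speed > IMPOSSIBLE_TRAVEL_KMH:
            score += 60
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")
        elif event.country != previous.country:
            score += 20
            reasons.append(f"new country: {previous.country} -> {event.country}")
    if not (WORK_HOURS_UTC[0] <= event.ts.hour < WORK_HOURS_UTC[1]):
        score += 10
        reasons.append("outside normal hours")
    if typing_baseline_ms and event.mean_key_interval_ms is not None:
        deviation = abs(event.mean_key_interval_ms - typing_baseline_ms) / typing_baseline_ms
        if deviation > 0.5:
            score += 20
            reasons.append(f"typing cadence {deviation:.0%} off baseline")
    return score, reasons


def decide(score):
    """Map a score to an action; step-up means demand an additional factor."""
    if score >= 60:
        return "block"
    if score >= 30:
        return "step-up"
    return "allow"


# Constructed sample data: alice's last good login was from London on a known laptop.
UTC = timezone.utc
LONDON, NEW_YORK = (51.5074, -0.1278), (40.7128, -74.0060)
LAST_LOGIN = LoginEvent("alice", datetime(2017, 1, 10, 9, 0, tzinfo=UTC), *LONDON, "GB", "laptop-1", 180.0)
KNOWN_DEVICES = {"laptop-1"}
TYPING_BASELINE_MS = 180.0

SAME_DEVICE = LoginEvent("alice", datetime(2017, 1, 10, 10, 0, tzinfo=UTC), *LONDON, "GB", "laptop-1", 175.0)
NEW_DEVICE = LoginEvent("alice", datetime(2017, 1, 10, 10, 0, tzinfo=UTC), *LONDON, "GB", "phone-9", 175.0)
IMPOSSIBLE = LoginEvent("alice", datetime(2017, 1, 10, 10, 0, tzinfo=UTC), *NEW_YORK, "US", "laptop-1", 175.0)
NIGHT_ABROAD = LoginEvent("alice", datetime(2017, 1, 11, 2, 0, tzinfo=UTC), *NEW_YORK, "US", "laptop-1", 400.0)


def evaluate(event):
    """Score one event against alice's history and return (action, score, reasons)."""
    score, reasons = risk_score(event, LAST_LOGIN, KNOWN_DEVICES, TYPING_BASELINE_MS)
    return decide(score), score, reasons


if __name__ == "__main__":
    for name, ev in [("same device", SAME_DEVICE), ("new device", NEW_DEVICE),
                     ("impossible travel", IMPOSSIBLE), ("night, abroad, odd typing", NIGHT_ABROAD)]:
        print(f"{name:26s} -> {evaluate(ev)}")
```

Note that no single weak signal (a new country, an odd hour, a slightly different typing rhythm) blocks on its own; they accumulate to a step-up, which is the behaviour that keeps false positives tolerable for travelling users while still stopping the clear impossibility of London to New York in an hour.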


This was last published in January 2017

Join the conversation

2-factor authentication is indeed essential today given the vulnerabilities of passwords. To make things convenient for users it's best to have a common 2nd factor for all applications (PC log-in, VPN access, document print release, building door access). This is most easily and cost-effectively achieved using a multi-function smart card. Having one card for logical (IT) and physical (door) access naturally compels staff to carry their ID card with them at all times, avoiding workstations being left unattended while still logged in. Unifying physical and logical access can also be taken further by adding an element of geo-location validation, based on a user's latest door interaction. IT access permissions in Active Directory can take account of where users are with the addition of EdgeConnector, so remote access requests can be denied for any user known to be on-site, and access to sensitive data or apps can be confined to secure areas.