Expert advice: Does two-factor authentication protect you from hackers?


by Jonathan Callas
07.26.2004


This response is the full answer to a user question in the Ask the Expert section.

Two-factor authentication is good, but it doesn't make it impossible for someone to hack into your system. It might make breaking into the system harder, or it might merely make you feel better (which is not without merit). In general, two-factor is better than one-factor -- no one would dispute that. On the other hand, improperly setting up a two-factor system may just make it easier for someone to continue to use a stolen credential. This is the same as the classic single sign-on problem: if someone compromises a credential, they can do more with it. The system may be stronger, yet more brittle.

All factors have problems with them. Here are some overviews:

* Any "something you know" credential is attackable by brute force. Passwords and passphrases can be guessed. Often, we're saddled with so many of them that we duplicate them and reuse them. Often they're stored in a plaintext database and mailed back to us in plaintext. Attempts to make them more secure often have other adverse consequences. I once signed up for a service, whose name I won't mention, that had excellent security policy around their passwords. It was so good that when I inevitably forgot mine, their support could not help me.

* Any "something you have" credential is basically a key. I think that objects are perhaps the best credentials there are. Nearly all of the security that I do on a day-to-day basis is a single factor with some sort of key. My house, my car, my garage, and my office are all single-factor based on some simple object -- and all but one is on a single keychain. On the other hand, at least with an object, you know when you've lost it a lot quicker than you would with something you know.

Alas, when this gets to a network, it becomes less secure. Some very nice network systems are at their core just a simple key with some electronics and software. Many tokens are implicitly themselves two factor, because you have to use a PIN or password with the token itself.

Reliability, meaning loss and compromise, is harder to work into a system that uses objects. If someone loses their object or it just stops working, you have to get them a new one.

* Any "something you are" credential seems to be the best, but they're frequently the worst. Unlike the others above, they're probabilistic. This means that an attacker only has to get close. The loss scenarios are difficult -- we all leave fingerprints on everything we touch. There has recently been a flurry of papers on beating biometric systems, and the breaks are often embarrassing to the manufacturer. This is particularly true in the area where they're most useful, the economic low end. Biometrics fall down most when put on a network (because the attacker might be able to slightly modify a snooped transaction) and when the reliability aspects factor in. It's trivial to get someone a new password. It's only a little annoying to get them a new token. It's hard to know what to do if someone's fingerprint has been compromised. When the day comes that a database of customer information including biometric information is lost, stolen, sold by an employee or just has something odd happen to it, expect the lawsuits to fly.
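The contrast between a probabilistic "something you are" check and an exact "something you know" check can be made concrete. The following is an added example, not code from the article or from any real biometric product: it models a biometric template as 64 feature bits matched by Hamming distance under a tunable threshold (the template value and the threshold are constructed), computes the exact probability that a random template is accepted at each threshold, and compares that with a salted, iterated password hash, where a one-character near miss fails outright.

```python
import hashlib
import hmac
import os
from math import comb

TEMPLATE_BITS = 64
# Constructed enrolled biometric "template": 64 feature bits (hypothetical values).
ENROLLED = int("1011001110001111010100101100111100011010101001110001101011001010", 2)

def hamming_distance(a: int, b: int) -> int:
    """Number of differing bits between two templates."""
    return bin(a ^ b).count("1")

def biometric_verify(sample: int, threshold: int) -> bool:
    """Probabilistic check: a sample is accepted if it is merely close enough."""
    return hamming_distance(sample, ENROLLED) <= threshold

def false_accept_rate(threshold: int, bits: int = TEMPLATE_BITS) -> float:
    """Exact probability that a uniformly random template lands within
    `threshold` bits of the enrolled one: the binomial tail over 2**bits."""
    return sum(comb(bits, k) for k in range(threshold + 1)) / 2 ** bits

def flip_bits(template: int, positions) -> int:
    """Constructed 'near miss': a sample differing in the given bit positions."""
    for p in positions:
        template ^= 1 << p
    return template

def make_password_record(password: str, salt: bytes = b"") -> tuple:
    """Store a salted PBKDF2 digest rather than the password itself."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def password_verify(candidate: str, salt: bytes, stored: bytes) -> bool:
    """Deterministic check: any difference, however small, fails."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, 100_000)
    return hmac.compare_digest(digest, stored)

if __name__ == "__main__":
    near = flip_bits(ENROLLED, [3, 17, 40])
    print("near-miss biometric accepted:", biometric_verify(near, 8))
    for t in (8, 20, 28):
        print(f"threshold {t:2d}: false accept rate {false_accept_rate(t):.3e}")
    salt, rec = make_password_record("correct horse")
    print("near-miss password accepted:", password_verify("correct horsE", salt, rec))
```

Loosening the threshold to cut false rejections raises the false accept rate, which is the trade-off the article is pointing at; no such dial exists for the exact password check.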

Getting back to the core of your question -- is two-factor authentication more secure than one-factor? Yes. A smart card and a PIN is more secure than either alone. Is it more reliable than one-factor? Maybe, maybe not. It depends on how you set it up. Does it have less risk? No. It has different risk. The risk of an intrusion is lower. The reliability risks are probably higher, but how you work with those differs, say, between employees and customers. Other risks are almost certainly higher. If one of your employees sells your databases to outsiders, the more you have in the database, the worse it is for you.

If your customer list is sold, that's bad. If that list included passwords, that's worse. If it included credit card information, that's also very bad. If that list included smart card secrets or biometric data, then you're in a whole lot of trouble.

This is why security decisions can't be made in a vacuum. You didn't tell me what your problem is or even what your goal is. Do you want employees to badge in and type a PIN as they enter the building? Do you want your customers to have something other than their dog's name confirming a purchase? These are different situations entirely. Hackers are only one thing to worry about. Hackers also do more than just steal user credentials.
