Recently Apple joined a growing number of major consumer brands like Facebook, Google, Microsoft and PayPal in offering two-factor authentication (2FA) to help customers better secure their user accounts against hacking.
Two-factor Web authentication systems rely on hardware-based security tokens that generate passcodes that are valid for about 60 seconds and must be entered along with a password.
For Apple Inc., the new feature is designed to block unauthorized changes to iCloud or iTunes accounts and prevent attackers who steal Apple IDs from making purchases using the credit cards stored in customers' iTunes and Apple store accounts.
While most information security professionals are quite familiar with the concept of two-factor Web authentication, for those who aren't, it is a more rigorous and complex method of authenticating an account then with a simple password-only process. In this tip, we'll examine the benefits, challenges and technical considerations of implementing two-factor authentication in a consumer-facing website environment.
An introduction to two-factor authentication
A password is inherently weak. It can easily be lost or forgotten; many people write their passwords down where they can be seen by others; some use the same password over and over or use weak passwords that can be easily guessed.
The use of two-factor Web authentication ensures that this won't happen. A password is one of two necessary authentication factors that must be provided before access is granted. All 2FA systems are based on two of three possible factors: a knowledge factor (something the user knows, like a password), a possession factor (something the user has, like a token; more on that below), and an inherence factor (something the user is, such as a fingerprint). In this scenario, even if a malicious party obtains a person's password, he or she would not be able to provide the relevant second element needed to complete the authentication process. This lowers risk and the potential for unscrupulous behavior, as a compromised password alone is not enough to compromise the authentication system.
In the enterprise, two-factor Web authentication systems rely on hardware-based security tokens that generate passcodes; these passcodes or PINs are valid for about 60 seconds and must be entered along with a password. In a consumer-oriented Web-based environment, it's cost-prohibitive for a service provider to distribute physical tokens to each and every individual user.
Instead, most websites ask users to undergo a one-time registration process during which users register one or more of their mobile devices with the website provider. This is a trusted device under the users' control that can receive a verification code via SMS or another means to verify the user's identity.
Any time a user signs into the website, a passcode is sent to the registered device. The user must enter the password and verification code to fully sign in and use the services.
2FA Web authentication: Challenges and considerations
In consumer-oriented environments, the challenges lie in the complexity of it, where the consumers have access to more than one service from the service provider and each requires seamless and secure transactions. If the second factor of authentication is not secure then it's not worth implementing at any cost. Thus it presents a critical and challenging requirement that the 2FA system should be protected in such a way that the hacker or attacker cannot get to it and compromise its integrity.
Further, it's difficult to integrate two-factor authentication seamlessly with an entire service portfolio or set of Web products. It requires the website and product development teams to understand changing consumer needs and business scenarios so that increased customer security doesn't negatively affect sales, registrations or other metrics of business success.
Another challenge is interoperability; every organization does business with other organizations, and users or consumers access other providers' services. So interoperability becomes an important challenge to address while implementing the 2FA. This involves considerations such as whether to buy or build a 2FA product that is based on an industry standard (the burgeoning FIDO Alliance is a compelling new option), and whether to plan for interoperability with the authentication mechanisms offered by other major Web brands, like Facebook or Google. Don't underestimate the challenge of implementing an interoperable, user-friendly 2FA system that keeps consumer account details secure.
Be sure to consider exception scenarios such as when a user can't receive a text message while traveling overseas. The solution might be an app for smartphones or tablet/laptops that can generate security codes on its own with simple steps to set up the app before starting the travel.
Web 2FA costs
The costs associated with planning, procuring, deploying and supporting a Web authentication system must be considered early on. There are one-time development and deployment costs, including the development/customization, installation and configuration of the system, and the cost of customization and integrating it with other applications. There are also ongoing system infrastructure costs for hosting the system.
Finally, factor in support costs for ongoing support and administration of a 2FA solution, including helpdesk staff members who can help consumers resolve their issues in a timely fashion.
To lower costs, organizations can subscribe to SaaS security vendors that provide a two-factor authentication service for combining cloud-based delivery and self-service administration with flexible authentication methods with low per-user costs. They are also easy to provision and inexpensive to maintain.
Every Web service provider should consider using two-factor authentication -- or begin moving Web authentication strategies in that direction -- to better secure the online services they provide and the safety of consumer data and account details.
About the author:
Ajay Kumar is an information security manager who has worked for a decade in the information security and risk management domain and has expertise in infrastructure security, identity and access management, threat and vulnerability management, data protection and privacy, cloud security and mobile security. He specializes in the planning, design and implementation of the security services and systems required to protect the confidentiality, integrity, privacy and authenticity of the information stored in enterprise environments. Ajay can be reached at firstname.lastname@example.org.
This was first published in June 2013