Moving towards two-factor authentication


Protecting data in the digital age is essential. Recent years have seen a decline in "recreational hacking" and a new wave of commercial hacking, as illustrated by the keystroke logger placed at the Sumitomo bank earlier this year in an effort to steal £220m, and by the various attempts at Denial of Service (DoS) blackmail.

Attempts such as these display the ingenuity, persistence and proliferation of commercial hackers, and have led to increased concern about protecting crucial systems from unauthorized access. Many businesses stand to lose enormous amounts of money, as well as investor confidence, from such security breaches.

One step towards preventing these breaches is two-factor authentication (2FA).

Two-factor authentication is nothing new: you use it every time you insert your card into an ATM and tap in your PIN. It combines "something you have" with "something you know", and usually means a password plus another form of authentication such as a smart card, biometric data (fingerprints, a retinal scan) or a token.

The last few years have seen a surge in both uptake and development of this technology. Microsoft has promised that the latest version of Windows, "Longhorn", will offer some kind of two-factor authentication support, and IBM has been offering fingerprint scanners on its laptops since late last year. "Chip and PIN" has spread across the country with incredible alacrity since its introduction in 2003, and two-factor authentication software tools have even been written for Linux systems. It is already standard in the internet banking systems of many countries – the Swiss have been using it for years, and the National Australia Bank currently uses SMS-based authentication in conjunction with online banking access.

So what are the benefits of using this technology for end users? Clearly, adding another layer of security to any system is a bonus – it has been rumored that Gary McKinnon, the "world's biggest hacker", could have hacked into US military systems by checking whether users had used "password" as their password. Two-factor authentication would prevent this – a user would have to be physically present with a fingerprint, voiceprint or smartcard in order to access the system. It would lower the risk of consumer identity theft and of unauthorized corporate system access.

As well as the added layer of security, 2FA offers a number of other benefits. Intelligent systems will offer reduced system access to users who have forgotten their passwords but can still authenticate by physical presence. Keystroke logging, password trapping and "shoulder surfing" will also no longer be a problem.

However, it can be a burden to IT managers. Less advanced systems may lock out users who forget their passwords or lose their tokens or smartcards. This puts a burden on the helpdesk, which must have both forms of ID readily replaceable. Biometrics may also not be 100 percent reliable, according to various apocryphal news stories about users whose fingerprints are too faint to detect, or systems which fail to robustly recognise fingerprint or iris information. Home workers and travelling executives may have significantly worse problems if they are locked out of their systems and cannot access their data for a corporate presentation, for example.

And where is it all heading? Mainstream consumer usage is one avenue, but the main route for 2FA to take is within the corporate sphere, where data security is at more of a premium. Solutions integrating passwords with other forms of access can be very costly, so the business world will most likely see a larger uptake of 2FA than the consumer domain, although, as we have seen, forms of 2FA such as SMS and "Chip and PIN" have proven both functional and cost-effective for consumers. Having to double-authenticate in order to access each application will be irritating for end users, so many businesses may consider implementing a single sign-on system to counteract this.

Like other security systems, it has its critics: it won't, for instance, prevent attacks using trojans or "man in the middle" attacks, but it will stop keyloggers and other password-based attackers. Nor will it prevent disgruntled employees from causing chaos from within the company, or from disclosing information to third parties. Companies using forms of 2FA which depend on users having physical smartcards or tokens will also be vulnerable to theft of such devices, in which case acquiring a user's password would be sufficient to access the system (although it would have to be the password of the device's owner). This level of attack would require a degree of co-ordination and dedication which would daunt all but the most determined of hackers.
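To make the "something you have" plus "something you know" model concrete, and to show why a stolen token on its own (or a captured password on its own) is not enough, here is an added example of a server-side login check that requires both a password and a one-time code from a counter-based hardware token. This is illustrative code written for this page, not Passlogix's product or any bank's system; the token code is computed with the HOTP algorithm of RFC 4226 (HMAC-SHA1 with dynamic truncation), the password is stored as a salted PBKDF2 hash, and the account record, password, secret and counter values are all constructed for the demo (the secret is the RFC 4226 test-vector key so the codes can be checked against the RFC).

```python
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based one-time code (RFC 4226): the number a hardware token displays.
    The counter is encoded as an 8-byte big-endian value and MACed with the shared secret."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of last byte picks the window
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return f"{binary % (10 ** digits):0{digits}d}"


def _hash_password(password: str, salt: bytes) -> bytes:
    # "Something you know" is never stored in clear: salted, iterated hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """Constructed server-side record: password hash plus the token's shared secret."""

    def __init__(self, password: str, token_secret: bytes) -> None:
        self.salt = os.urandom(16)
        self.pw_hash = _hash_password(password, self.salt)
        self.token_secret = token_secret   # provisioned into the physical token
        self.next_counter = 0              # lowest counter value still accepted


def verify_password(acct: Account, password: str) -> bool:
    candidate = _hash_password(password, acct.salt)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, acct.pw_hash)


def verify_token(acct: Account, code: str, look_ahead: int = 3) -> bool:
    """Accept any of the next few counters (the user may have pressed the token
    without logging in), then move past the used counter so the same code is
    never accepted twice: a code captured by a keylogger is worthless afterwards."""
    for c in range(acct.next_counter, acct.next_counter + look_ahead):
        if hmac.compare_digest(hotp(acct.token_secret, c), code):
            acct.next_counter = c + 1
            return True
    return False


def login(acct: Account, password: str, code: str) -> bool:
    """Both factors must pass. The password is checked first so that a wrong
    password never consumes a token code; otherwise someone holding a stolen
    token could burn counters without knowing the password."""
    if not verify_password(acct, password):
        return False
    return verify_token(acct, code)


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 test-vector key (constructed demo value)
    acct = Account("correct horse battery", secret)
    print(login(acct, "correct horse battery", hotp(secret, 0)))  # True: both factors
    print(login(acct, "correct horse battery", hotp(secret, 0)))  # False: replayed code
    print(login(acct, "password", hotp(secret, 1)))               # False: token alone
    print(login(acct, "correct horse battery", "000000"))          # False: password alone
    print(login(acct, "correct horse battery", hotp(secret, 1)))  # True: fresh code
```

The replay check is what separates this from a second static password: a keylogger or shoulder-surfer who records the password and the six-digit code gets nothing usable, because the code is consumed the moment it is accepted. The check order in `login` matters too: a thief with the physical token but no password cannot exhaust the counter window, which is exactly the "would need both" property the article describes.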

Without inconveniencing users by forcing them to spend long periods authenticating and re-authenticating, 2FA gives a good standard of security against simple attacks such as Gary McKinnon's alleged password guesswork.

The author is EMEA Director of Passlogix
