The five myths of two-factor authentication
The five myths of two-factor authentication

Every day, people find new reasons to go online to access goods and services. Shopping online is convenient and offers broad selection that local businesses often just can't touch.
 
And shopping online keeps consumers out of their cars. A recent survey of adults who use the internet found that fuel prices prompted them to shop online more often, and for a wider range of goods and services.

Unfortunately, this growing dependence on online business hasn't gone unnoticed by opportunists looking to exploit online victims. 
 
Identity theft and online fraud are on the rise. Between December 2007 and February 2008, researchers measured a 70 percent increase in phishing. When internet users fall for phishing scams, they can unwittingly hand over an array of sensitive personal information, including user names, passwords, credit card numbers and Social Security numbers.
 
The costs are dear. A Gartner study reported that businesses lost $3.2 billion due to phishing in 2007. In addition to monetary costs, the targeted company also suffers damage to its brand.
 
Beyond user names and passwords
Facing a climate in which both opportunities and threats are growing daily, online businesses are looking for ways to strengthen the authentication they provide online.
 
Among these is two-factor authentication (2FA), a stronger form of verification that has been successfully implemented within enterprises for 15 years.  Two-factor authentication combines what the end-user knows (such as a user name and password) with what he has (such as, a one-time password generated by a physical device). A user can't successfully sign on without both. It's a combination that makes it very difficult for criminals to gain authorized access to accounts and information, because the thieves must possess not only the username and password, but the consumer's physical credentials as well.
 
To use 2FA, consumers acquire a credential -– available in a variety of convenient formats -– that generates a one-time password for every sign-on. During an online session, this one-time password is entered along with the user's usual account name and password. Users achieve strong authentication and secure their identities when the site verifies the one-time password and matches it to the user.
 
It's true that the models implemented over a decade ago to deliver 2FA to the enterprise don't meet the needs of today's complex and convenience-oriented consumer environment. Yet 2FA for consumers is not beyond the reach of organizations seeking to protect their customers from fraud -– and to differentiate themselves from competitors by offering state-of-the-art online security.
 
Still, concerns about the convenience and cost of this protection seem to cloud most discussions of 2FA. It doesn't take long, however, before a small amount of research can reveal that these perceived shortcomings amount to little more than a fragile set of five myths.
 
Let's visit each, and discuss where the myth ends and reality begins.
 
Myth No. 1: Consumers will need to carry dozens of credentials with them to log in to all their online accounts, and this will make 2FA a burden for users and impractical for site operators.

This is the so-called “token necklace effect” that critics claim has haunted 2FA, but the specter of a single consumer laden with multiple credentials isn't inevitable. A shared network of member organizations could make 2FA easier and more convenient than ever by allowing users to carry a single, portable credential that is recognized on all member sites. (Credentials today are available as a key fob token, credit card sized credential, or even software that's downloaded to a user's cell phone –- all of which generate an one-time password.) When companies join a 2FA network, much like an ATM network, the dreaded necklace of tokens is unnecessary.
 
Myth No. 2: Judging from what enterprises have spent on their implementations, 2FA is just too expensive for the consumer market.

2FA is now available through managed services and shared network models, which have allowed strong authentication to break out of the premise-based enterprise model and cost-effectively scale 2FA protection to a consumer audience. Online businesses now can take advantage of third-party hosting of the infrastructure needed for 2FA, along with easy integration of web services, to reduce deployment expenses and share maintenance costs with other network members. This reduces both short and long-term investment requirements.
 
Myth No. 3: It's risky to invest in a 2FA platform based on today's consumer preferences, when tomorrow's consumer preferences could be totally different.

Organizations can “future-proof” their 2FA offering by choosing solutions that comply with the open standards of the Open AuTHentication (OATH) reference architecture. With an OATH-compliant 2FA solution, companies can avoid becoming locked into one vendor's authentication credentials. OATH-compliant systems can support any similarly compliant form factor, including tokens, cell phones and PDAs. More than 70 manufacturers produce OATH-compliant solutions today, providing organizations an enormous variety of options for the consumers they serve.
 
Myth No. 4: Whatever advantage the 2FA network model may offer, it's not enough to draw new members into these alliances.

Aside from the obvious benefits to consumers –- using a single credential across thousands of sites –- and the cost advantages that come with sharing network expenses with other members, signing on to a 2FA member pays other business dividends. For instance, the ability to transfer the trusted relationship across all network members can be leveraged to strengthen online affiliation and build sales channels. For example, eBay and PayPal both belong to the same 2FA network, and an online retailer can notify those companies' communities that the same tokens consumers use for eBay and PayPal can also be used at the retailer's site. That represents a competitive advantage in a market where differentiation can be tough to achieve. And by leveraging their reputation as an innovator that puts the security of customers first, businesses can burnish their own brands in ways that can generate new sales opportunities.
 
Myth No. 5: Consumer 2FA is long on hype but short on real-world successes.

The brief history of consumer 2FA has certainly not rewarded organizations using premise-based, proprietary systems and credentials –- in other words, credentials that can only be used at a single online business. If consumer 2FA implementations have stalled, it's because these models have not delivered the results, efficiencies and scale they promised. That's not the case with managed service providers, which have successfully implemented the network delivery model and have brought on an impressive number of online brands.
 
Battling the irrelevant
These five myths all mirror outdated perceptions of 2FA, perceptions based on decade-old enterprise models that are irrelevant to today's consumer paradigm. Today, successful online businesses are leveraging industry standards, managed services and shared networks to deliver comprehensive two-factor authentication for consumers.
 
Poking holes in these myths merely requires a balanced assessment of the risks faced by consumers, the cost of implementing 2FA, and the resulting quality of the consumer's online experience. Doing so will reveal why it makes good business sense to protect a company's customers -– and its own vital interests –- with a strong two-factor authentication solution.