Two-factor authentication: Hackers aren’t dummies, so you shouldn’t be
A perpetually connected world is a great concept – in theory. But the more connected we are, the more passwords we have to remember, and the more risk there is that something critical will become compromised because a user got lazy and used the same password in two places. Hackers aren’t dummies – they know people are, by nature, prone to take the easy path, so once they get a set of credentials, it’s little trouble, and often profitable, to try it on other accounts they find that are owned by the same user.
Since attackers are getting better and better at collecting user IDs and passwords through mechanisms ranging from brute force attacks to social networking, passwords aren’t enough anymore. There has to be another way. In many cases, that way is two-factor authentication.
Two-factor authentication doesn’t just rely on passwords, though it may use them as part of the solution. Instead, it requires the user have at least two of three things: something he or she knows, such as a password or a PIN; something he or she has, such as a token, smartphone, swipe or proximity card; and something he or she “is,” such as a fingerprint or retinal or iris image.
In practical terms, that can mean using a password plus a fingerprint scan to log on to a laptop. It can mean using a smartcard plus PIN to access an ATM, or entering a password plus a one-time code (received on a smartphone, generated by local smartphone software, or created by a standalone security token from someone like RSA Security) to access corporate systems.
It’s not a new concept; it’s been used by highly secure organizations for years. But now it’s moving into the general business and consumer space, with services from Google, Facebook, PayPal and others providing two-factor authentication as an option.
The downside, of course, is that for many implementations you need to have your cell phone handy, because the PIN that’s your second factor is received via SMS (or sometimes voice). Lose the phone, and you’ve lost your access, unless you’ve chosen to only use the second factor on untrusted computers. And, of course, there’s the privacy implication, since you have to give the service your cell phone number so it can send you the PIN.
Even the seemingly undefeatable factor – something you e—can be beaten. If you’ve watched any heist movies (or MythBusters), you’ve seen how biometrics can be faked by a dedicated crook, even if sometimes the movies stretch the truth more than a bit. But fingerprints can be lifted from surfaces and recreated with a gel much like that used in Gummi Bears. At last year’s Black Hat security conference, researchers even demonstrated spoofed iris prints. And sometimes perfectly legitimate biometrics can be rejected by scanner systems.
However, that doesn’t mean we dismiss the tech. It has been well proven over the years. But we do have to carefully pick the appropriate product and know its imperfections. It will provide one more hurdle for the bad guys to scale, and one more layer in our multi-faceted security infrastructure.