It's not often that the banking industry can be congratulated for its forward thinking, yet when it comes to two-factor authentication, it has done a great job of introducing the concept to the wider population. So much so that in today's world it would be considered backward to access an online banking portal without it.
Misunderstanding Becomes Poor Implementation
Outside of commercial usage, two-factor authentication is a well-known concept in security circles, even earning itself a zombie-chant-like mantra: "something you know, something you own". Incorrectly, it is often dismissed as a small-time project in comparison to other security deployments. Commoditisation has been unkind to it, leaving it widely misunderstood and therefore poorly implemented.
Yet two-factor authentication is exactly that: a stage of authentication, the input-driven boundary between those who are authorised and those who are not. It therefore deserves the same thought and respect as any other control used to protect access. Think of it in more relatable terms: if you were deciding the defence strategy for the most valuable thing in your life, would you not want to pick the best guards, the best alarms, the best infra-red laser guns?
What to Avoid
There are a large number of two-factor authentication solution vendors worldwide, some offering free bolt-on services such as Google Authenticator, some with more features, integration possibilities and product development dedication such as SecurEnvoy. Choice is good but choice can also be overwhelming and time consuming, a phrase which will send a shiver down the spine of most time-strapped IT professionals.
To help on your journey to assessing two-factor authentication solutions, whether they are part of new projects or old, we have put together five two-factor authentication pitfalls to avoid.
- One and a Half Factor Authentication - Self-contained two-factor authentication in the browser, where the second factor is generated and entered on the same device and in the same session as the password, rarely makes it past the auditors without crosses in boxes. Technically it is something owned and something known, but it breaks the spirit of two-factor authentication, which is to make authentication stronger: compromise of that one endpoint yields both factors at once, so it is often labelled one-and-a-half-factor authentication. It's akin to locking a door but hanging the key on a hook next to it. Indeed, the door is secured by the lock, but its purpose in protecting what is behind the door has become paradoxical.
- The Hardware Token - Many will disagree, but consider the headaches that hardware tokens create and that other token types eliminate: broken or damaged tokens, lost tokens, tokens not returned after employment has ceased, users' general disregard for property that is not theirs and, of course, the higher running cost. If that list were not bad enough, speak to any administrator who has had to resynchronise out-of-sync tokens with the laughable, space-era-looking coupler to understand the true pain of hardware tokens.
- The Turing Method - The Turing method is intriguing at first sight. It works by giving users a fixed PIN of a few digits and an ever-changing token value, displayed on any of a variety of devices. The user derives the passcode by reading off the token-value digits at the positions named by the PIN. For example, with a PIN of 2519, the second, fifth, first and ninth digits of the token value, in that order, make up the passcode. It sounds mystifying enough to seem more secure, yet an observer who sees both the displayed token value and the passcode that was entered, whether a shoulder-surfer or a screen-reading bot, can reverse-engineer the PIN simply by noting which positions were picked; a handful of observed logins is usually enough. Once the PIN is known, the next passcode can be calculated directly from the next token value, making the scheme less secure, not more.
- Copy-Cat Software Tokens - Surely all tokens are single-instance, so that only the intended owner can be guaranteed possession, right? Well, not quite, particularly in the case of software-based smartphone tokens. When provisioning a smartphone token, a seed must be sent to the device so that it can calculate passcodes; in most cases this is done by scanning an encoded seed in the form of a QR code with the smartphone's camera. Good two-factor authentication solutions permit this action only once, by forcing a hardware ID to be returned during enrolment, which identifies the device and validates that only that device holds the seed. Unfortunately, not all solutions feature this small yet effective technique, which means a screenshot of that QR code can be scanned by multiple smartphones, creating cloned tokens that are untraceable by administrators.
- Complex Architecture - Two-factor authentication need not be complicated to implement and should, where possible, not make the lives of administrators and IT support teams more difficult. For example, some solutions choose to store user and application data in Active Directory by extending the native schema with additional LDAP attributes. Extending Active Directory's schema is a step no IT team takes lightly: schema additions cannot be removed afterwards (only deactivated), the directory is left in a non-standard state, and the risk rises that other services which rely on the standard schema suffer incompatibility issues. It is also an unnecessary requirement, considering the native schema already contains more than 100 LDAP attributes, of which only around 25 are ever likely to be used at any one time.
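The Turing-method weakness described above, as an added worked example that is not from the page or from any vendor's product. It implements the derivation with the page's own PIN 2519, then plays the observer: for each passcode digit it keeps only the token-value positions that held that digit in every observed (token value, passcode) pair, and stops when each position is pinned down. Token values are assumed to be nine uniformly random digits (the example PIN needs a ninth position) and PIN digits are assumed to be positions 1 to 9; the simulated logins are constructed, not captured from any real system.

```python
import random
from typing import List, Optional, Set, Tuple

TOKEN_LEN = 9  # positions 1..9; the page's example PIN 2519 needs a ninth digit (assumed length)


def derive_passcode(token_value: str, pin: str) -> str:
    """Turing-style derivation: passcode digit i is the token-value digit at position pin[i] (1-based).
    With token value 482913756 and PIN 2519 this yields 8146."""
    if len(token_value) != TOKEN_LEN or not token_value.isdigit():
        raise ValueError("token value must be %d digits" % TOKEN_LEN)
    if not pin or any(p not in "123456789" for p in pin):
        raise ValueError("PIN digits must be positions 1-9")
    return "".join(token_value[int(p) - 1] for p in pin)


def random_token_value(rng: random.Random) -> str:
    """The ever-changing value the user is shown (constructed: uniform random digits)."""
    return "".join(str(rng.randrange(10)) for _ in range(TOKEN_LEN))


def recover_pin(observations: List[Tuple[str, str]]) -> List[Set[int]]:
    """Observer's side. For each passcode digit, keep only the token positions that held that
    digit in *every* observed (token value, passcode) pair. The true position always survives;
    each further observation eliminates a wrong position with probability 0.9."""
    pin_len = len(observations[0][1])
    candidates = [set(range(1, TOKEN_LEN + 1)) for _ in range(pin_len)]
    for token_value, passcode in observations:
        for i, digit in enumerate(passcode):
            candidates[i] &= {pos + 1 for pos, t in enumerate(token_value) if t == digit}
    return candidates


def pin_from_candidates(candidates: List[Set[int]]) -> Optional[str]:
    """The PIN, once every position is narrowed to a single candidate; otherwise None."""
    if all(len(c) == 1 for c in candidates):
        return "".join(str(next(iter(c))) for c in candidates)
    return None


def simulate_attack(pin: str, seed: int = 7, limit: int = 20) -> Tuple[int, Optional[str]]:
    """Watch simulated logins until the PIN is uniquely determined.
    Returns (number of observations used, recovered PIN or None)."""
    rng = random.Random(seed)
    observations: List[Tuple[str, str]] = []
    for n in range(1, limit + 1):
        token_value = random_token_value(rng)
        # What the observer sees on screen: the displayed value and the passcode typed in.
        observations.append((token_value, derive_passcode(token_value, pin)))
        recovered = pin_from_candidates(recover_pin(observations))
        if recovered is not None:
            return n, recovered
    return limit, None


if __name__ == "__main__":
    n, recovered = simulate_attack("2519")
    print(f"PIN recovered after {n} observed login(s): {recovered}")
    # With the PIN known, the next passcode follows directly from the next token value.
    next_value = "507163284"  # constructed
    print("predicted next passcode:", derive_passcode(next_value, recovered))
```

A single observation of a token value with no repeated digits (such as 482913756) gives the PIN away outright, because each passcode digit then appears at exactly one position; repeated digits only delay the observer by an extra login or two.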
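The copy-cat token pitfall above, as an added example that is not from the page or from any vendor's product. It contrasts a seed-only enrolment, where every scan of the same QR code (or a screenshot of it) yields a working clone, with a single-use enrolment code that releases the seed to exactly one device and records that device's hardware ID. Note that this moves the seed out of the QR code: if the seed itself is printed in the QR code, a screenshot has already captured it and a device-ID check can only restrain honest clients, so the check has to gate the seed's release rather than its use. TOTP is the standard RFC 6238 construction; the QR payload formats, the `phone-A`/`phone-B` device IDs and the `example.invalid` host are assumptions, and the enrolment channel is assumed to be protected (e.g. TLS).

```python
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Optional, Tuple


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a Unix time; used by the server and by every phone."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def parse_qr(payload: str) -> Dict[str, str]:
    """Pull the key=value fields out of a QR payload (constructed format, see provision())."""
    return dict(kv.split("=", 1) for kv in payload.split("?", 1)[1].split("&"))


class WeakServer:
    """Pitfall: the QR code carries the seed and the server only ever checks the code.
    Every phone that scans that QR code, or a screenshot of it, becomes a valid token."""

    def __init__(self) -> None:
        self.seeds: Dict[str, bytes] = {}

    def provision(self, user: str) -> str:
        self.seeds[user] = secrets.token_bytes(20)
        return f"otpauth://totp/{user}?secret={base64.b32encode(self.seeds[user]).decode()}"

    def verify(self, user: str, device_id: str, code: str, now: int) -> bool:
        secret = self.seeds.get(user)  # device_id is ignored: nothing ties the seed to one phone
        return secret is not None and hmac.compare_digest(code, totp(secret, now))


class BindingServer:
    """Hardened: the QR code carries only a single-use enrolment code. The first device to redeem it
    with its hardware ID receives the seed and is bound to it; a second redemption gets nothing."""

    def __init__(self) -> None:
        self.pending: Dict[str, str] = {}               # nonce -> user awaiting enrolment
        self.bound: Dict[str, Tuple[bytes, str]] = {}   # user -> (seed, device_id), visible to admins

    def provision(self, user: str) -> str:
        nonce = secrets.token_urlsafe(16)
        self.pending[nonce] = user
        return f"otpauth-enroll://example.invalid/enrol?nonce={nonce}"  # no seed in the QR code

    def redeem(self, nonce: str, device_id: str) -> Optional[bytes]:
        """Release the seed to exactly one device and record which one (over a protected channel)."""
        user = self.pending.pop(nonce, None)            # a second redemption finds nothing
        if user is None:
            return None
        seed = secrets.token_bytes(20)
        self.bound[user] = (seed, device_id)
        return seed

    def verify(self, user: str, device_id: str, code: str, now: int) -> bool:
        entry = self.bound.get(user)
        if entry is None:
            return False
        seed, bound_device = entry
        return hmac.compare_digest(device_id, bound_device) and hmac.compare_digest(code, totp(seed, now))


def clone_scenario(now: int = 1_700_000_000) -> Tuple[bool, bool, bool]:
    """Owner's phone-A and a screenshot-fed phone-B against both servers.
    Returns (weak server accepts clone, hardened server accepts owner, clone obtained a seed)."""
    weak = WeakServer()
    weak_seed = base64.b32decode(parse_qr(weak.provision("alice"))["secret"])  # both phones read this
    weak_clone_ok = weak.verify("alice", "phone-B", totp(weak_seed, now), now)

    srv = BindingServer()
    nonce = parse_qr(srv.provision("alice"))["nonce"]
    seed_a = srv.redeem(nonce, "phone-A")   # owner enrols first
    seed_b = srv.redeem(nonce, "phone-B")   # screenshot of the same QR code: nonce already consumed
    owner_ok = seed_a is not None and srv.verify("alice", "phone-A", totp(seed_a, now), now)
    return weak_clone_ok, owner_ok, seed_b is not None


if __name__ == "__main__":
    print("weak server accepts clone, hardened accepts owner, clone got seed:", clone_scenario())
```

The administrator's view is the `bound` table: one seed, one device ID per user, written at the single moment the enrolment code was redeemed, which is exactly the traceability the page says cloned tokens lack.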
Smart Choices Continue to Reap Rewards
It is important to bear in mind that the two-factor authentication evolutionary tree is wide and varied. Consequently, not all two-factor authentication solutions are created equal. Some readers may disagree with the points raised in this article, and some may consider the risk lower and acceptable because of other mitigating factors. In all cases the advantages and disadvantages must be measured against business need, but never discount two-factor authentication as a minor decision or project. It could be the last line of defence between a guessed or weak password and access to your internal network or assets.