Two-Factor Authentication: How Safe is Too Safe?


Two-factor authentication is an extra security method that can be implemented to ensure specific online applications and services are fully protected. With recent password hacks and well-publicized security breaches happening to companies small and large, it aims to protect your network from phishing attacks and stolen credentials. Two-factor authentication can be used as a proposed solution, but how safe is too safe?

Two Factor Authentication

Two-factor authentication (2FA) is an extra step in the log-in process that confirms a user's identity. The additional verification step requires two (or more) factors to authenticate a log-in attempt. With 2FA in place, you will need to know your credentials (username and password) as your first factor of authentication. In addition, you will need to authenticate with a second factor, one of the types listed below, in order to successfully access a service, application or network:

  • Something You Know: a PIN associated with the account you are trying to access. The PIN may be fixed or may expire.
  • Something You Have: an ATM card, a key fob that generates a one-time password, a security code, a security certificate, or an authentication code delivered to your cell phone via an app or SMS.
  • Something You Are: your fingerprint, voice or facial recognition, or iris scan (biometrics).

Deployment Process

Risk Analysis. Businesses need a reliable way to determine that users are who they say they are before granting access to sensitive data. Organizations subject to HIPAA regulations, or businesses that collect social insurance numbers or credit card information from their clients, may be required by industry regulations to use 2FA. More than a compliance requirement, 2FA can be your organization's opportunity to reduce fraud. Users will need to understand its importance in order to value it as something more than a nuisance. While 2FA is indeed a great tool for verifying identities, locking down resources with strong authentication measures may lead to users finding workarounds that further increase security risks.

Perform a risk analysis of your network, applications and services. There should be a proper balance between ensuring security is in place and not impeding a user's ability to access the information needed to complete business-critical tasks. If the risk of data loss is low, then it may not be necessary to implement 2FA.

Authentication Solutions. Evaluate the resources, hardware and software that would need to be secured. Some online services (like MailChimp and Twitter) can be authenticated for free via Google Authenticator. Networks and VPNs (virtual private networks) would need paid solutions like tokens or authentication key fobs.

Authentication tools vary and will need to be properly integrated with your existing IT infrastructure. There will likely be a complex deployment and maintenance phase, along with user support issues, that will require assistance from your IT service provider.

Examine Alternatives. In theory, 2FA should make your account more secure. But be sure to have a plan in place to address the loss or damage of the authentication device. If a cell phone is used as the second form of authentication, what happens when the user upgrades to a new device?

For many businesses, unique complex passwords and password managers may be the most effective security measure they can enforce. These measures tend to be more user friendly and encourage safer behaviors across your business network.

Things to Consider

Two-factor authentication can be used as part of your security strategy, but remember that third-party authentication tokens are only as secure as the vendor issuing them. As is the nature of computer security, the more popular 2FA becomes, the bigger a target it becomes for attackers, who typically seek high-value assets. Even well-known identity authentication vendors have been subjected to security breaches.

With proper implementation, two-factor authentication will strengthen your security and help ensure identity. However, it would be beneficial to have an escalation plan in place to support legitimate users whose access has been denied. Even Apple's Touch ID has a fail-over plan in place for when your fingerprint isn't recognized (a prompt for your PIN occurs). A thoroughly planned deployment, complete with user on-boarding and training sessions, should limit the number of times users are unable to access the company's network.

Two-factor authentication, like many other security measures you can implement, will not fully protect against ransomware and phishing attempts. Security awareness training sessions are still highly recommended as the best way to keep your staff aware of current security vulnerabilities and best practices.