Two-Factor Authentication (2FA) means requiring a second piece of information, in addition to the username and password, before a user can access a website, platform, or account. Requiring that second piece of information protects the account against anyone who simply knows the username and password.
The reasons for 2FA include:
– A huge increase in cybercrime and data breaches in recent years, and increasingly sophisticated attack methods that are more widely available, many of which can be bought off-the-shelf for relatively small amounts.
– Simply relying on passwords has become less safe. Passwords are frequently stolen or cracked (a computer recently set a record by guessing 100 billion passwords per second), and people can only reliably remember shorter, more uniform, or more memorable strings of characters, so passwords often end up being partly words, names, dates, or a combination of these (i.e. passwords that are easier to crack). Many people also still choose really simple passwords. For example, in 2019, a study by the UK’s National Cyber Security Centre (NCSC) into breached passwords revealed that 123456 featured 23 million times, making it the most widely used password on breached accounts. The study also showed that the second-most popular string was 123456789 and that the words “qwerty” and “password”, and the string 1111111, all featured in the top five most popular breached passwords. Christian names and the names of favourite football teams were found to be widely used as passwords. Password sharing (using the same password across many sites and platforms) is also an all-too-common high-risk strategy. Add to this Moore’s law (the idea that the computer-processing power available at a given price doubles roughly every two years) and the fact that cybercriminals are becoming more sophisticated in their methods and can buy cyber-attack tools and lists relatively cheaply on the Dark Web, and the risks of weak passwords are even clearer.
– Legislation, compliance, reputation, and tightened security policies have meant that online sites and apps must offer tighter security (i.e. not just passwords).
Living With Passwords
Ways of making passwords more secure include basic specifications of what passwords must contain (how many and what characters), indications of password strength, and the use of password managers (as browser extensions).
2FA usually combines something you know (e.g. a PIN or the answer to a security question) with something you have (e.g. a smartphone). Multi-factor authentication can also use something you are, i.e. something inherent to you (e.g. biometrics). Popular types of 2FA include:
– SMS. Having a code texted to a phone number that has been linked with the account.
– Security questions. Several answers to personal questions about the account holder are stored securely in the account and on login, the user is asked for the answer to one question.
– Hardware tokens. These are small physical devices (like a key fob) that generate a new numeric code every 30 seconds.
– Software tokens/authenticator apps, such as Google Authenticator. These also generate a stream of new numeric codes, each valid for less than a minute, and the app is linked to an account by scanning a QR code.
– Push notifications. The website or app sends a notification to the user’s device saying that an authentication attempt is taking place. The device owner can then view the details and approve or deny access. This can help prevent attacks that rely on social engineering or human error, such as phishing or man-in-the-middle attacks.
– Biometrics. For example, this could be a fingerprint or face scan.
Although 2FA has gone a long way towards making accounts more secure, the future is likely to be passwordless and based on biometrics, and therefore multi-factor, e.g. fingerprint scans, face scans, iris scans, voice recognition and more. Biometrics is, however, still at a relatively early stage of development, which leaves it vulnerable to a degree, and this has already led to it being tricked or faked (e.g. voice recognition). Also, biometrics can’t be remotely revoked, and if a fingerprint, for example, is compromised, it can’t be replaced (as a password can).
What Does This Mean For Your Business?
Most businesses can no longer remain compliant with data laws, or act responsibly towards staff, customers, and stakeholders, by trusting passwords alone. 2FA has added a valuable additional layer of security, with the drawback that it still relies on human action and decisions, so an element of human error remains. The addition of biometrics seems harder still to get around, but the increasing sophistication and wider availability of attack methods are always threats to all security systems.