
Two-factor authentication (2FA) is defined as a security system in which a user trying to access a system or application is required to verify their identity in two distinct ways rather than with just a password. This article explains two-factor authentication in detail and lists its benefits, process, and best practices in 2021.


Two-factor authentication (2FA) is a security system in which a user trying to access a system or application is required to verify their identity in two distinct ways rather than with just a password.

Today, a typical enterprise runs with multiple assets: software-as-a-service (SaaS) solutions and third-party applications. These range from services as mundane as email to sensitive operations such as accessing customer data. For each of these, employees are granted user credentials, and to make sure that these credentials do not become a security hole, employees need to practice good password hygiene.

Good password hygiene involves changing passwords at regular intervals, making them as complex as possible (a mix of letters, numbers, and symbols), and not reusing passwords across applications. However, all this leaves a lot of room for human error. Misplaced passwords and easily cracked passwords (e.g., 12345) are the weakest links in enterprise security, and hackers are well aware of this. If brute force does not work, they try phishing and other social engineering attacks to gain access to user credentials.

According to Verizon’s 2020 Data Breach report, 80% of data breaches involve brute force or stolen/lost credentials. An organization’s security posture clearly hinges on how well-guarded its various resources, applications, and services are. Despite multiple layers of infrastructure security, the overall level of security boils down to how well-crafted the passwords actually are.

All of this points to the fact that an organization cannot just rely on traditional passwords. This is where two-factor authentication comes into the picture. Simply put, 2FA involves two steps that are required for authentication. The first step is usually a traditional password, while the second step can be any form of authentication that usually relies on something the user has, such as one-time passwords (OTPs), key fobs that generate tokens, fingerprint scanners, or just push notifications sent to mobile devices. This extra step ensures that even if hackers gain access to the password, they would still require some other information that the user personally possesses to break through.

Two-factor authentication is a subset of multi-factor authentication (MFA). While 2FA stops at two steps of verification, MFA usually requires more than two. Multi-factor authentication is usually deployed at entry points to mission-critical resources. For example, a banking app may require users to enter a password as a first step, enter a time-bound one-time password as the second step of verification, and scan a fingerprint as a third for extra security. 2FA is, however, the most common form of MFA, especially when it comes to customer-facing services.

Types of 2FA implementation

1. Employee-facing 2FA

This is 2FA at an internal, corporate level and is typically applied to email, VPN, remote access, and third-party services such as file sharing apps, cloud repositories, etc. Companies must ensure that this implementation is uniform throughout all levels of the organization.

2. Customer-facing 2FA

This is a layered authentication process that consumers of an organization’s products, applications, or services must go through for extra security. We typically come across customer-facing 2FA with banking solutions. This is usually implemented to honor SLAs and maintain regulatory compliance.

Two-factor authentication isn’t just a matter of security. Depending on the industry that the organization functions in, it may be a regulatory mandate as well. Some industries that commonly employ 2FA are healthcare (which has stringent HIPAA regulations to deal with), ecommerce, social media, and education (considering that the COVID-19 pandemic has pushed most education online across the world).

2FA example

An example of two-factor authentication in social media can be found on Instagram, which typically asks for just a password to sign in. However, it also allows users the option of adding a second authentication step using a security code sent either as a text message or through an authenticator app. This would be a wise option to consider, especially for influencers whose brand largely depends on their Instagram feed.


A Screenshot of Instagram’s 2FA Page


Key Benefits of Two-Factor Authentication

The key benefits of a two-factor authentication system are many. These include: 


Two-Factor Authentication Benefits

1. Shrinks the attack surface by reducing human error

A business is only as strong as its weakest password, and maintaining dozens of passwords under proper hygiene mandates is difficult. It is no surprise that cyberattacks predominantly target access points into the system that require just a password. 2FA is a big step toward increasing security: it is highly improbable that hackers can defeat every step of the authentication process to gain access.

2. First step toward a zero-trust security model

A zero-trust security model is a security concept that assumes that every device, application, user, and network—whether internal or external—is not trustworthy and needs extra security measures in place. This isn’t a surprising move, considering that cybercrime is predicted to cost the world $10.5 trillion annually by 2025. The first step toward a perimeter-less security strategy is to guard all access points with extra security.

3. Allows enterprises to embrace BYOD policies

The COVID-19 pandemic has led to an unexpected uptick in the number of remote users. Companies that weren’t even considering BYOD policies in the past have now been forced to face external networks and devices accessing their systems. A two-factor authentication system forces companies to face all BYOD scenarios and deploy appropriate authentication measures.

4. Helps comply with industry regulations

Regulations such as the Federal Financial Institutions Examination Council (FFIEC) directive call for multi-factor-based authentication for internet banking transactions. When such mandates regulate the industry, the easiest way to comply is to implement a two-factor authentication process.

5. Leverages hardware advancements in everyday life

Computing has advanced in leaps and bounds over the years. The general public now holds very powerful hardware and computing capabilities in their hands. In fact, advancements reach people every few months. It only makes sense to leverage this power to advance authentication mechanisms, thus securing personal data.

There is no doubt that two-factor authentication benefits businesses of all sizes. The next section covers what the 2FA process entails and what it will take for businesses to implement it successfully.


Two-Factor Authentication Process Explained

Two-factor authentication, just like all multi-factor authentication processes, runs on the principle of ‘factors’. When we say that the user goes through two steps of authentication, we actually mean that the user is verified against two distinct factors. The most effective 2FA implementations use a combination of different factor types.

    1. Knowledge factor (what the user knows): This is a password, a security question, or a PIN that, ideally, only the user knows. This is usually the first level of authentication and is the most widely used.
    2. Possession factor (what the user has): This is authentication based on something that the user has, such as a mobile phone, a SIM card, a smart card, or a key fob. Even if a hacker gains access to the password, they need to gain access to one of these possessions as well to successfully penetrate the system.
    3. Inherence factor (what the user is): This is authentication based on unique biological traits such as a fingerprint, the iris of the eye, or facial features. This typically requires reader hardware, a database, and software to process the authentication.
    4. Location factor (where the user is): This is based on the location from which the user’s access request has come in. It uses the IP address of the request and the user’s geolocation if available.
    5. Time factor (when the user requests access): This is based on the time of the user’s access request. For example, if an employee’s work hours are between 9 am and 5 pm and they haven’t been granted access to log in outside those hours, the request is denied.

The factors to be used by each organization are based on multiple things: Is it customer-facing or employee-facing? What devices and applications are accessible to the users trying to gain access? At what points in the application or system is two-factor authentication implemented?

Levels of 2FA

    1. Device level: This is when 2FA is implemented where the user logs into the device itself or the system. For example, asking for a password and code from a hardware token to log into a computer.
    2. Application level: This is when 2FA is implemented at an application level. For example, using a password and fingerprint to log into a payment app.
    3. Functional level: This is when 2FA is implemented just before a specific action that a user can perform within the app. For example, sending an OTP to the user’s mobile when a logged-in user tries to change their mobile banking password.

Components of 2FA

Let’s understand the seven components of 2FA in detail.

1. Tokens

Tokens are unique identifiers given to users for authentication. There are different types of authentication tokens. Security tokens are those generated by hardware such as USB-enabled devices and key fobs. Soft tokens are those generated on the same device.

Mobile phones are the most common vehicles for receiving tokens. The most basic 2FA capability supported by applications and services involves tokens sent to the user via a text message or a voice call.

2. Push notifications

This involves pushing a notification to the user’s device that details the access request, including the location, the device from which the request originated, and the IP address. No code or token is exchanged; all the user needs to do is approve or deny the request in an authenticator app. This avoids the interception of text and voice messages that man-in-the-middle attackers rely on.

3. Biometrics

These tokens aren’t codes but fingerprints, facial maps, and retina patterns. This is an inherence factor of authentication and requires the appropriate reader hardware to work.

4. Time-based one-time password (TOTP)

Time-based OTPs are short codes computed from a secret shared between the service and the user’s authenticator app, combined with the current time. Enrolment happens on the device the user is trying to log in with: the service displays a QR code that encodes this secret, and scanning it with an authenticator app on a mobile phone lets the app generate codes that are valid only for a short window (typically 30 seconds). The user then enters the current code on the website or application that needs to be accessed.

5. U2F tokens

Universal 2nd factor (U2F) tokens are a type of hardware token. The key is plugged into the device being accessed via USB. Pressing the small button on the key confirms that the user is physically present and produces a fresh, one-time response for that login, which is then used to gain access.

6. WebAuthn

Web authentication API (or WebAuthn) allows third-party applications to use the in-built capabilities of laptops, browsers, and other devices. It uses public-key-based cryptography. This is one of the most secure forms of authentication, though the process is very closely tied to the specific devices for which it is built.

7. Authenticator

The authenticator is the hardware or software that recognizes and authenticates users by the tokens entered. Within an organization, this is a uniform system that accepts or denies the access request and creates user sessions. It usually works in sync with other systems such as identity and access management (IAM) solutions. These are usually deployed as software, hardware, or a combination of both. Organizations can also opt for third-party services to do the same.

A key piece of this process is how the authenticator is linked to the organization’s authentication data. The organization’s authentication data consists of stored encrypted passwords, OTPs, facial patterns, etc. Whether an internal system or a third-party solution, this communication must be done with security and compliance in mind.

Setting up two-factor authentication

While coming up with an authentication process, organizations need to identify all access points across the system. Once these points are identified, stakeholders must decide which of these points require 2FA for increased security. A centralized management console (usually part of the IAM) is used to configure the factors that are required at each of these points. These usually tie in with access policies. 

Adaptive authentication, or context-based authentication, means using conditional authentication policies to grant user access. These policies are triggered based on how, when, and from where the login request comes in. Within the same system, application A may be configured to use a traditional password and text-based OTP, while a more critical application B may be configured to include adaptive time- and location-based authentication as one of its factors.
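An added illustration, not from the article: a toy policy evaluator in Python that combines the knowledge, possession, time, and location factors described above into per-application rules, modelled on the application A / application B split. The application names, countries, work hours, and factor labels are constructed values.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed policies: "app-a" needs only password + text-based OTP, while
# "app-b" adds a time window and steps up to a push approval for unusual locations.
POLICIES: Dict[str, dict] = {
    "app-a": {"factors": {"password", "sms_otp"}},
    "app-b": {
        "factors": {"password", "totp"},
        "work_hours": (9, 17),              # 9 am to 5 pm local time
        "allowed_countries": {"US", "CA"},  # geolocated from the request IP
        "step_up_factor": "push",           # extra factor outside those countries
    },
}


@dataclass
class LoginRequest:
    user: str
    app: str
    hour: int                                          # local hour, 0-23
    country: str                                       # "" when geolocation failed
    presented: Set[str] = field(default_factory=set)   # factors already verified


def required_factors(req: LoginRequest) -> Optional[Set[str]]:
    """Return the factors this request must satisfy, or None when the time
    factor alone refuses the request before any credential is checked."""
    policy = POLICIES[req.app]
    hours = policy.get("work_hours")
    if hours and not (hours[0] <= req.hour < hours[1]):
        return None
    needed = set(policy["factors"])
    allowed = policy.get("allowed_countries")
    if allowed and req.country not in allowed:
        needed.add(policy["step_up_factor"])   # unknown/unexpected location
    return needed


def decide(req: LoginRequest) -> Tuple[bool, Set[str]]:
    """(granted, factors still missing). The caller prompts for the missing
    factors rather than revealing which policy rule fired."""
    needed = required_factors(req)
    if needed is None:
        return False, set()
    missing = needed - req.presented
    return not missing, missing
```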

New forms of tokens and authenticators are constantly coming up. A good 2FA setup requires a fine balance between security, usability, and scalability. 


Top 10 Best Practices for Implementing and Managing Two-Factor Authentication in 2021

Keeping in mind the various nuances that are required to implement and manage two-factor authentication, here are the best practices that organizations need to follow for the best results.


Two-Factor Authentication Best Practices 

1. Create a comprehensive list of access points

The first step toward building a two-factor authentication system is to go through every asset, application, and service used across the networks in the organization. This task may prove to be more difficult than it sounds since everyday apps such as email and in-house communicators like Slack also need to be considered. 

Once everything from email to database access has been listed, shortlist those that are exposed enough to be likely targets for hackers. Enabling 2FA for every access point across the system may prove to be overkill.

2. Choose authentication factors based on organizational requirements

All access points do not require the same authentication strategies. Two-factor authentication solutions are rarely a one-size-fits-all system. As such, picking off-the-rack solutions and stacking them into the infrastructure is not a good idea. Organizations must consider what hardware and software they use and how they can leverage this to create an optimal 2FA implementation process. For example, if all employees possess devices with fingerprint scanners, that can be one of the authentication factors implemented.

3. Consider industry mandates

Industries such as healthcare are subject to stringent mandates such as HIPAA, which even dictate how data must be stored for privacy purposes. In cases like this, the right tokens must be considered. Push notification, biometric, and WebAuthn tokens are the most secure factors as of today. To avoid the hefty fines that follow a data breach, investing in these tokens makes perfect sense.

4. Factor in implementation, management, and scaling costs

As with any security-related activity, costs must be estimated before implementation. OTP-based tokens are the most inexpensive to implement. But will the system scale with the company’s vision for further innovation? This question must be answered, with provisions to add extra authentication factors as and when required.

5. Create the optimal trade-off between usability and security

While it is tempting to add 2FA checkpoints at every possible access point, it makes for poor planning. When it is customer-facing, too many authentication steps may cause users to drop off from the application. When it is employee-facing, constant authentication requirements will only affect productivity. Two-factor authentication must only be implemented at crucial points. If required, combining 2FA with other practices such as SSO makes for good security. 

6. Have account recovery options in place

Most authentication factors are fleeting in nature—they are time- or context-based. Users can easily misplace hardware-based tokens. The same goes with phones—they can break or get lost very easily. In case a user is no longer able to access an authentication channel, measures must be in place for them to log in anyway. This doesn’t mean that the user can just fall back to the traditional password alone. Admins must be able to change the authentication channel on request or provide something akin to ‘forgot password’.

7. Ensure compatibility when it comes to third-party solutions

Third-party solutions may boast of the latest in two-factor authentication: biometrics and the like. But will they be compatible with the existing infrastructure of the organization? Will the solution grow with the organization, or at the very least, work alongside other security solutions? Stakeholders need to look into their existing IAM and PAM solutions before making a decision.

8. Provide multiple authentication options for users

It is always best to assume that the same set of tokens will not be accessible to the user at every given point in time. For example, while verifying a new YouTube account during its creation, the user is given three options: a time-based OTP sent to their email, an SMS sent to their mobile, or a phone call to their mobile. The user can thereby select whichever option is accessible to them at that moment.

9. Regularly evaluate and update the authentication plan

Enterprises grow every day. Most infrastructure is no longer on-premises. Dynamic cloud-based solutions and services render the infrastructure a living, growing thing. New access points are added every day. User roles keep changing as well. New hardware capabilities arise every day, with complex systems reaching the hands of everyday users. With all this in mind, it is best to reevaluate the two-factor authentication strategy at scheduled intervals.

10. Consider scalability and availability for voice- and text-based tokens

When using voice- and text-based tokens, businesses need to support multiple carriers to ensure high availability. Dynamic routing options ensure that all token requests are handled immediately and accurately. The system must scale to large volumes of requests. Users expect an immediate response to token requests and authentication, failing which users and employees will find themselves locked out of the system.


Takeaway

According to the World Economic Forum in 2020, four out of five data breaches are caused by weak or stolen passwords. With COVID-19 thrusting more organizational operations online, attack surfaces have increased in parallel. Because of this, Forrester reports that 76% of decision-makers in enterprises want to move to a zero-trust security framework. The two-factor authentication model is a no-brainer in this climate.
