Two-factor authentication (2FA) has been an essential step for the security-minded business or customer who wants to protect their accounts, adding an additional layer of protection atop the standard password. But recent events have proven that even the current standards for extra security can fall short.
With billions of stolen usernames and passwords being passed around on the dark web—including corporate accounts—it’s important to take action in advance of a threat to make sure accounts are as secure as possible.
Don’t Trust Text Messages
Many forms of two-factor authentication use SMS messages—standard texts—to send verification codes. Those codes, usually valid for only a short time, act as an extra step to confirm the identity of the person trying to log in to the account. In order to log in, the person has to have access to the device that receives the message. Without that, they will be locked out of the account and the real account holder will be alerted to the attempt.
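The server-side half of that flow, as an added example that is not code from the article or from any vendor it mentions: a store that issues a short-lived, single-use verification code (the value that would go out by SMS), limits wrong guesses, and compares in constant time. The five-minute lifetime, the five-attempt limit and the injectable clock are assumptions for the example. Note what it does and does not protect: every check here is about the code itself; none of it helps if the code is read off the delivery channel before it reaches the user, which is exactly the gap the rest of the article discusses.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # assumed policy: a code is valid for five minutes
MAX_ATTEMPTS = 5         # assumed policy: lock the challenge after five wrong guesses


@dataclass
class Challenge:
    """One outstanding verification code for one account."""
    code: str
    issued_at: float
    attempts: int = 0
    used: bool = False


class OneTimeCodeStore:
    """Server-side record of outstanding verification codes, keyed by account.

    The clock is injectable so that expiry can be exercised deterministically.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._challenges: dict[str, Challenge] = {}

    def issue(self, account: str) -> str:
        # Six-digit code drawn from a CSPRNG; this is the value that would be sent by SMS.
        # Issuing a new code replaces any earlier one for the same account.
        code = f"{secrets.randbelow(10**6):06d}"
        self._challenges[account] = Challenge(code=code, issued_at=self._clock())
        return code

    def verify(self, account: str, submitted: str) -> bool:
        ch = self._challenges.get(account)
        if ch is None or ch.used:
            return False                      # nothing outstanding, or already consumed
        if self._clock() - ch.issued_at > CODE_TTL_SECONDS:
            del self._challenges[account]     # expired: discard so it can never be accepted
            return False
        if ch.attempts >= MAX_ATTEMPTS:
            return False                      # locked: too many wrong guesses
        ch.attempts += 1
        # compare_digest runs in time independent of where the strings first differ
        if not hmac.compare_digest(ch.code, submitted):
            return False
        ch.used = True                        # single use: a replayed code is rejected
        return True


if __name__ == "__main__":
    store = OneTimeCodeStore()
    sent = store.issue("alice")                # in production this goes to the phone, not stdout
    print("first use accepted:", store.verify("alice", sent))
    print("replay accepted:", store.verify("alice", sent))
```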
That measure of additional security is useful until those SMS messages become compromised—a threat that has grown increasingly prevalent, to the point that legislators in the United States have asked the Federal Communications Commission to examine flaws in telecommunications companies.
Earlier this year, the world got its first glimpse of what a vulnerability in messaging security protocols would look like. Hackers took advantage of an issue in Signaling System 7 (SS7)—an international telecommunications standard that defines how mobile devices connect and exchange information over mobile networks—to intercept text messages before they arrived on a user’s device.
The hackers intercepted text messages that contained the 2FA codes intended to be sent to a victim’s phone. They then used those codes to gain access to the person’s bank account to transfer funds from their account to accounts controlled by the hackers.
Similar attacks could occur, as the security flaws still stand. Michael Thelander, director of product management at authentication and fraud prevention company Iovation, told International Business Times that SMS authentication methods have weakened significantly.
"I wouldn't say [text based] 2FA is inherently bad,” he said. “It can be a factor, it just can't be the only one."
Multifactor Is The Way Of The Future
The best way to combat the shortcomings of SMS-based 2FA isn’t just to move where that authentication code is received—some 2FA alternatives provide codes generated by standalone apps, which would require compromising the device itself to access—but to change how login attempts are authenticated.
"The world that we're going into is going to require multiple factors,” Thelander said. “It's going to require layers of authentication that can be delivered at a point and time based on the level of risk of what a user is trying to do and the level of risk that is detected."
Thelander’s company Iovation offers a form of multifactor authentication (MFA) that does much more than just send an additional code to confirm a person’s identity. Its ClearKey method looks at a number of characteristics of a device to determine how likely it is that the person attempting to log in is the legitimate account holder.
One of the ways that ClearKey does this is by looking at an account’s relation to other accounts that may be associated with the same device.
“As a device starts making connections to other accounts and has secondary relationships with other devices, we understand those kinds of one-hop and two-hop relationships," Thelander explained.
When that pattern of accounts and behavior reappears, the authentication tools can identify the user because the new device builds up a nearly identical presence to the one recorded before, allowing the service to recognize a user even if they wiped their device.
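A small illustration of the one-hop and two-hop idea, added here as an example; it is not Iovation's code, and the graph layout, weights, threshold and the device and account names are all constructed for the example. Devices and accounts form a bipartite graph built from observed logins. A device's one-hop neighbourhood is the set of accounts seen on it; its two-hop neighbourhood is the set of other devices that share those accounts. A replacement device that reproduces a known device's neighbourhoods scores highly against it, which is how a wiped device can still be matched to its earlier presence.

```python
from collections import defaultdict

ONE_HOP_WEIGHT = 0.7   # assumed: overlap in accounts counts most
TWO_HOP_WEIGHT = 0.3   # assumed: overlap in peer devices is supporting evidence
MATCH_THRESHOLD = 0.6  # assumed: minimum score to treat a device as a known one


class DeviceGraph:
    """Bipartite device/account graph built from observed logins (constructed data model)."""

    def __init__(self):
        self.device_accounts = defaultdict(set)   # device -> accounts that logged in from it
        self.account_devices = defaultdict(set)   # account -> devices it was seen on

    def record_login(self, device, account):
        self.device_accounts[device].add(account)
        self.account_devices[account].add(device)

    def one_hop(self, device):
        """Accounts seen on this device."""
        return set(self.device_accounts.get(device, ()))

    def two_hop(self, device):
        """Other devices that share at least one account with this device."""
        peers = set()
        for account in self.device_accounts.get(device, ()):
            peers |= self.account_devices[account]
        peers.discard(device)
        return peers


def jaccard(a, b):
    """Set overlap in [0, 1]; two empty sets give 0 (no evidence earns no credit)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def similarity(graph, known, candidate):
    """Weighted overlap of the one-hop and two-hop neighbourhoods of two devices."""
    k_accounts, c_accounts = graph.one_hop(known), graph.one_hop(candidate)
    # Each device is removed from the other's peer set: a replacement device will
    # naturally 'see' the old device as a peer, and that must not count against it.
    k_peers = graph.two_hop(known) - {candidate}
    c_peers = graph.two_hop(candidate) - {known}
    return (ONE_HOP_WEIGHT * jaccard(k_accounts, c_accounts)
            + TWO_HOP_WEIGHT * jaccard(k_peers, c_peers))


def recognise(graph, candidate, known_devices, threshold=MATCH_THRESHOLD):
    """Return the known device the candidate most resembles, or None below the threshold."""
    scored = [(similarity(graph, d, candidate), d) for d in known_devices]
    if not scored:
        return None
    best_score, best_device = max(scored)
    return best_device if best_score >= threshold else None


def build_sample_graph():
    """Constructed login history: one user with a phone and a laptop, then the phone
    is wiped and reappears under a fresh device id; a stranger's phone for contrast."""
    g = DeviceGraph()
    for account in ("alice-mail", "alice-bank", "family-stream"):
        g.record_login("phone-A", account)
    for account in ("alice-mail", "family-stream"):
        g.record_login("laptop-B", account)
    g.record_login("phone-C", "mallory-mail")
    for account in ("alice-mail", "alice-bank", "family-stream"):
        g.record_login("phone-A2", account)          # the wiped phone, new identifier
    return g


if __name__ == "__main__":
    g = build_sample_graph()
    print("phone-A2 recognised as:", recognise(g, "phone-A2", ["phone-A", "laptop-B"]))
    print("phone-C recognised as:", recognise(g, "phone-C", ["phone-A", "laptop-B"]))
```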
Create Low And High Bars For Authentication
The other benefit of using MFA is the ability to create thresholds for what type of authentication is required. Thelander noted that 2FA is generally a binary option: it is either on or off. That means a security code is generated and sent with every login attempt, which can be excessive and cumbersome.
With MFA, it’s possible for the automated authentication process to be performed, saving the user an additional step on a standard login. For example, if a person logs into their account from the same device every time—and that device shares all its typical identifying factors including being in the same general location—with no indication that it may have been compromised, the login may be performed without the need for secondary confirmation from the user.
When a login attempt includes an unfamiliar element—perhaps the user is traveling overseas or on a new Wi-Fi connection or behind a virtual private network (VPN)—then MFA can generate a second-step verification method that requires the user to confirm their identity.
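The low-bar/high-bar policy described in the last three paragraphs, as an added example rather than any vendor's product logic: each login attempt is scored against what the account has seen before (device, country, network, VPN use, any compromise flag), and the score picks one of three outcomes. The signal names, weights, thresholds and the sample profile are all assumptions; the one design point worth noticing is that a sensitive action (the article's funds transfer) always takes the step-up path regardless of score, matching the idea of tying the bar to both the detected risk and the risk of what the user is trying to do.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class LoginContext:
    """Signals observed on one login attempt (constructed for this example)."""
    device_id: str
    country: str
    network: str
    via_vpn: bool = False
    device_compromised: bool = False


@dataclass
class AccountProfile:
    """What has been seen for this account on earlier successful logins."""
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    known_networks: set = field(default_factory=set)


# Assumed policy values: points per signal and the thresholds that choose the tier.
WEIGHTS = {
    "compromised_device": 100,
    "unknown_device": 50,
    "new_country": 30,
    "new_network": 15,
    "vpn": 10,
}
STEP_UP_THRESHOLD = 25    # at or above: require a second factor
DENY_THRESHOLD = 100      # at or above: refuse the attempt and alert


def risk_score(ctx, profile):
    """Return (score, reasons) for an attempt against the account's history."""
    reasons = []
    if ctx.device_compromised:
        reasons.append("compromised_device")
    if ctx.device_id not in profile.known_devices:
        reasons.append("unknown_device")
    if ctx.country not in profile.usual_countries:
        reasons.append("new_country")
    if ctx.network not in profile.known_networks:
        reasons.append("new_network")
    if ctx.via_vpn:
        reasons.append("vpn")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(ctx, profile, sensitive_action=False):
    """Map the score to 'allow', 'step_up' or 'deny'; also return the reasons for logging."""
    score, reasons = risk_score(ctx, profile)
    if score >= DENY_THRESHOLD:
        return "deny", reasons
    # A sensitive action (e.g. a transfer) always gets the high bar, even on a familiar device.
    if sensitive_action or score >= STEP_UP_THRESHOLD:
        return "step_up", reasons
    return "allow", reasons


def learn(profile, ctx):
    """After a successful login (stepped-up or not), fold the attempt into the profile."""
    profile.known_devices.add(ctx.device_id)
    profile.usual_countries.add(ctx.country)
    profile.known_networks.add(ctx.network)
    return profile


def sample_profile():
    """Constructed history: one phone, one country, the home Wi-Fi."""
    return AccountProfile({"phone-1"}, {"US"}, {"home-wifi"})


if __name__ == "__main__":
    profile = sample_profile()
    for ctx in (LoginContext("phone-1", "US", "home-wifi"),
                LoginContext("phone-1", "FR", "hotel-wifi"),
                LoginContext("phone-1", "US", "vpn-exit", via_vpn=True),
                LoginContext("phone-9", "US", "home-wifi", device_compromised=True)):
        print(ctx.device_id, ctx.country, ctx.network, "->", decide(ctx, profile))
```

Each decision carries its reasons so that a step-up or deny can be logged with the signals that triggered it, which is what an analyst needs when reviewing a challenged login.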
"We can take this whole plethora of multifactor authentication options that we have and deliver the right one at the right time so you can get the right level of assurance for the risk," Thelander said.
Listen To Millennials
When implementing MFA options and deciding what to serve up to users as a means of verification, it’s best to lean on the youngest users, as they’re the ones most open to new authentication options.
A survey conducted by Iovation in partnership with global research and advisory firm Aite Group found that millennials are the most receptive audience to the possibility of ditching passwords for other, often more secure means of verification. Eighty-five percent were comfortable with fingerprint checks and 76 percent were open to eye and facial recognition.
Users who are members of Generation X and the Baby Boomer generation are mostly open to biometrics and other forms of authentication as well, though they are still somewhat wary. Seniors find biometrics—especially facial recognition—to be less appealing, as many dealt with passwords and PINs as the primary login method for much of their digital lives.
Don’t Ditch Passwords Completely
Passwords may be considered an insecure and outdated means of authentication—especially with the near-daily occurrence of database breaches that reveal user account credentials—but they still have their place as a fallback option.
Thelander said that users should always have the option to log in with more conventional methods in case their device goes missing or is stolen. "We authenticate through the mobile device, but if a user doesn't have that, there should still be a one-click access to enter a username and password," he said.
In Thelander’s ideal world, authentication credentials will live on a device, encrypted, rather than being hosted en masse on servers that can be compromised. In that case, it will be important for a user to be able to quickly deactivate a lost device to protect their accounts.
One of the benefits of using multifactor authentication is that there are multiple ways to log in, including the old standards. "Make sure the layered authentication strategy allows for a fallback, even the most rudimentary, common way,” Thelander said.