No Love for 2FA

Everyone has gone to the ATM to grab some cash. Swipe your card, enter your PIN, and out comes your cash. We have been doing this for years. Using the ATM is one of the most established uses of the IT security best practice of two-factor authentication (2FA). Let's break that down.

  1. You present your ATM card to the machine (something you have).
  2. Next, you enter a secret PIN (something you know).
  3. Without both of these things (authentication factors), you don't get your cash.

Two-factor authentication (2FA) provides an extra layer of protection for system access by asking a user for a second means of identification. 2FA, also called multi-factor authentication (MFA), requires at least two authentication factors from different categories, including:

  • A knowledge factor (something only the user knows, such as an ATM PIN);
  • A possession factor (something only the user has, such as an ATM card);
  • An inherence factor (something the user is, such as a fingerprint or retina pattern).

The most popular forms of 2FA include answers to secret questions, a code sent to your phone, or one-time password-generating tokens.

2FA is a way to mitigate the risks associated with unauthorized access, especially in the current COVID-19 era of increased work from home (WFH). And yet, despite these benefits, firms are not using it. Computer Economics has posted a report, Two-Factor Authentication Adoption and Best Practices, which studied the adoption and practice of 2FA. The report says that firms are not using 2FA to the extent they should be to ensure organizational security:

  • 18% do not use 2FA;
  • 25% are implementing 2FA for the first time;
  • 34% practice 2FA formally and consistently.

Why is 2FA needed? Because, as followers of the Bach Seat know, username and password pairs as authentication factors suck. CE writes that passwords can be "phished," stolen, discovered, and cracked in many ways. Humans are as bad at making good passwords and changing them regularly as they are at eating their daily requirement of vegetables.

In the presser, Tom Dunlap, director of research for Computer Economics, said:

The big picture is that 2FA is inconvenient, and users just want access … Users often rebel against it because the extra layer is seen as onerous or unnecessary. However … companies face a wide array of security and privacy threats and 2FA can go a long way to protecting a company.

Inconvenience isn't the only issue. As I have chronicled on the Bach Seat, each form of two-factor authentication has its own weaknesses. For instance, security questions can often be easily guessed, tokens can be lost, and SMS can be hacked.

Another issue with 2FA is that it is unevenly implemented, and there's no central place to check whether a firm has enabled it on its public-facing site. However, a website, Two Factor Auth (2FA), is trying to fill that void: it is a list of websites and whether or not they support 2FA.

Most of the well-known and commonly used sites and services are listed. The site explains what types of 2FA each firm supports. If a firm doesn't support 2FA, there's even a Twitter or Facebook link where you can poke them on social media to start using it.

Only 1/3 of firms love two-factor authentication enough to use it well, despite the security benefits it provides to the firm and its customers.

Stay safe out there!


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.