{"id":115249,"date":"2020-08-30T15:23:50","date_gmt":"2020-08-30T19:23:50","guid":{"rendered":"http:\/\/rbach.net\/?p=115249"},"modified":"2024-04-12T13:34:28","modified_gmt":"2024-04-12T17:34:28","slug":"no-love-for-2fa","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/no-love-for-2fa\/","title":{"rendered":"No Love for 2FA"},"content":{"rendered":"\r\n<p><a href=\"https:\/\/pixelprivacy.com\/resources\/two-factor-authentication\/\" target=\"_blank\" rel=\"noopener noreferrer\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignleft wp-image-115277\" title=\"No Love for 2FA\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/Two-Factor-Authentication.png?resize=100%2C86&#038;ssl=1\" alt=\"No Love for 2FA\" width=\"100\" height=\"86\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/Two-Factor-Authentication.png?resize=150%2C129&amp;ssl=1 150w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/Two-Factor-Authentication.png?resize=75%2C65&amp;ssl=1 75w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/Two-Factor-Authentication.png?w=511&amp;ssl=1 511w\" sizes=\"auto, (max-width: 100px) 100vw, 100px\" \/><\/a>Everyone has gone to the ATM to grab some cash. Swipe your card &#8211; enter your PIN and out comes your cash. We have been doing this for years. Using the ATM is one of the most established uses of the <strong>IT security <a href=\"https:\/\/pages.nist.gov\/800-63-3\/sp800-63b.html\" target=\"_blank\" rel=\"noopener noreferrer\">best practice<\/a> of two-factor authentication (2FA)<\/strong>. 
Let&#8217;s break that down.<\/p>\r\n<ol>\r\n<li>You present your ATM card to the machine (something you have),<\/li>\r\n<li>Next, you enter a secret PIN (something you know).<\/li>\r\n<li>Without both of these things (authentication factors), you don&#8217;t get your cash.<\/li>\r\n<\/ol>\r\n<p>Two-factor authentication (<strong>2FA<\/strong>) provides an <strong>extra layer of protection<\/strong> for system access, by asking a user for a second means of identification. 2FA, also called multi-factor authentication (MFA), requires <strong>at least two authentication factors<\/strong>, including:<\/p>\r\n<ul>\r\n<li><a href=\"https:\/\/www.mobileaction.co\/blog\/app-business\/i-have-an-idea-for-an-app\/\" target=\"_blank\" rel=\"noopener noreferrer\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-115282\" title=\"authentication factors\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/something_you_know-e1598750366572-150x133.jpg?resize=110%2C97&#038;ssl=1\" alt=\"authentication factors\" width=\"110\" height=\"97\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/something_you_know-e1598750366572.jpg?resize=150%2C133&amp;ssl=1 150w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/something_you_know-e1598750366572.jpg?resize=75%2C66&amp;ssl=1 75w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/something_you_know-e1598750366572.jpg?w=312&amp;ssl=1 312w\" sizes=\"auto, (max-width: 110px) 100vw, 110px\" \/><\/a>A knowledge factor (something only the user <strong>knows<\/strong>, such as an ATM PIN);<\/li>\r\n<li>A possession factor (something only the user <strong>has<\/strong>, such as an ATM card);<\/li>\r\n<li>An inherence factor (something the <strong>user is<\/strong>, such as a fingerprint or retina pattern).<\/li>\r\n<\/ul>\r\n<p>The <strong>most popular<\/strong> forms of 2FA include answers to <strong>secret questions<\/strong>, a <strong>code sent<\/strong> to your phone, or one-time 
password-generating <strong>tokens<\/strong>.<\/p>\r\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-115267\" title=\"Two-factor authentication\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/2fa-1.png?resize=111%2C64&#038;ssl=1\" alt=\"Two-factor authentication\" width=\"111\" height=\"64\" \/>2FA is a way to mitigate risks associated with <strong>unauthorized access<\/strong>, especially in the current COVID-19 era of <a href=\"https:\/\/www.cnbc.com\/2020\/05\/11\/work-from-home-is-here-to-stay-after-coronavirus.html\" target=\"_blank\" rel=\"noopener noreferrer\">increased<\/a> <strong>work from home<\/strong> (<a href=\"https:\/\/rbach.net\/?s=wfh\" target=\"_blank\" rel=\"noopener noreferrer\">WFH<\/a>). And yet, despite these benefits, <em><a href=\"https:\/\/web.archive.org\/web\/20221208123525\/http:\/\/www.computereconomics.com\/index.cfm?\" target=\"_blank\" rel=\"noopener noreferrer\">Computer Economics<\/a><\/em> has posted a report, <a href=\"https:\/\/web.archive.org\/web\/20221007192918\/https:\/\/www.computereconomics.com\/article.cfm?id=2782\" target=\"_blank\" rel=\"noopener noreferrer\"><i>Two-Factor Authentication Adoption, and Best Practices<\/i><\/a>, which studied the adoption and practice of 2FA. 
The report says that<strong> firms are not using 2FA<\/strong> to the extent they should be to ensure organizational security:<\/p>\r\n<ul>\r\n<li>18% do not use 2FA;<\/li>\r\n<li>25% are implementing 2FA for the first time;<\/li>\r\n<li>34% practice 2FA formally and consistently.<a href=\"https:\/\/web.archive.org\/web\/20221007192918\/https:\/\/www.computereconomics.com\/article.cfm?id=2782\" target=\"_blank\" rel=\"noopener noreferrer\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-115255\" title=\"Two-Factor Authentication - Adoption Stages: \" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/2HA_CE-e1598715927450-150x99.gif?resize=275%2C181&#038;ssl=1\" alt=\"\" width=\"275\" height=\"181\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/2HA_CE-e1598715927450.gif?resize=150%2C99&amp;ssl=1 150w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/2HA_CE-e1598715927450.gif?resize=75%2C49&amp;ssl=1 75w\" sizes=\"auto, (max-width: 275px) 100vw, 275px\" \/><\/a><\/li>\r\n<\/ul>\r\n<p>Why is 2FA needed? Because as followers of the Bach Seat know, username and password pairs as authentication factors<a href=\"https:\/\/rbach.net\/?s=passwords\" target=\"_blank\" rel=\"noopener noreferrer\"> suck<\/a>. <em>CE<\/em> writes that passwords can be \u201cphished,\u201d stolen, discovered, and cracked in many ways. 
Humans are as bad at making good passwords and changing them regularly as they are at eating their daily requirement of vegetables.<\/p>\r\n<p>In the presser, Tom Dunlap, director of research for Computer Economics, said,<a href=\"https:\/\/www.business2community.com\/tech-gadgets\/how-to-keep-your-customers-protected-from-password-risk-best-practices-0561527\" target=\"_blank\" rel=\"noopener noreferrer\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-115272\" title=\"2FA can go a long way to protecting a company\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/data_protection-3-e1598745835549.jpg?resize=110%2C82&#038;ssl=1\" alt=\"2FA can go a long way to protecting a company\" width=\"110\" height=\"82\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/data_protection-3-e1598745835549.jpg?w=141&amp;ssl=1 141w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/data_protection-3-e1598745835549.jpg?resize=75%2C56&amp;ssl=1 75w\" sizes=\"auto, (max-width: 110px) 100vw, 110px\" \/><\/a><\/p>\r\n<p style=\"text-align: justify; padding-left: 30px;\"><em>The big picture is that 2FA is inconvenient, and users just want access &#8230; Users often rebel against it because the extra layer is seen as onerous or unnecessary.\u00a0 However &#8230; companies face a wide array of security and privacy threats and 2FA can go a long way to protecting a company<\/em><\/p>\r\n<p>Inconvenience isn\u2019t the only issue. As I have chronicled on the <a href=\"https:\/\/rbach.net\/\" target=\"_blank\" rel=\"noopener noreferrer\">Bach Seat<\/a>, each form of two-factor authentication has its own weaknesses. For instance, security questions can often be easily guessed. 
Tokens can be lost and SMS can be <a href=\"https:\/\/wp.me\/p2wgaW-l8r\" target=\"_blank\" rel=\"noopener\">hacked<\/a>.<\/p>\r\n<p><em><strong>rb-<\/strong><\/em><\/p>\r\n<p><em>Another issue with 2FA is that it is unevenly implemented and there&#8217;s no central place to check if a firm has enabled it on its public-facing site. However, a website, <a href=\"https:\/\/twofactorauth.org\/\" target=\"_blank\" rel=\"noopener noreferrer\">Two Factor Auth (2FA)<\/a>, is trying to fill that void. Two Factor Auth (2FA) is a list of websites and whether or not they support 2FA.<\/em><\/p>\r\n<p><em>Most of the well-known and commonly used sites and services are listed. The site explains what types of 2FA the firm supports. If a firm doesn&#8217;t support 2FA, there&#8217;s even a Twitter or Facebook link where you can poke them on social media to start using it.<br \/><\/em><\/p>\r\n<p><em>Only 1\/3 of firms love two-factor authentication enough to use it well, despite the security benefits it provides to the firm and their customers.<\/em><\/p>\r\n<p style=\"text-align: center;\"><em><strong><a href=\"https:\/\/covid.cdc.gov\/covid-data-tracker\/?utm_source=morning_brew#cases_casesper100klast7days\" target=\"_blank\" rel=\"noopener noreferrer\">Stay safe out there!<\/a><\/strong><\/em><\/p>\r\n<p><strong>Related article<\/strong><\/p>\r\n<ul>\r\n<li><a title=\"The War of Passwords: Compliance vs NIST\" href=\"https:\/\/www.tripwire.com\/state-of-security\/security-data-protection\/war-passwords-compliance-nist\/\" target=\"_blank\" rel=\"noopener noreferrer\">The War of Passwords: Compliance vs NIST<\/a>\u00a0(<a title=\"The State of Security\" href=\"https:\/\/www.tripwire.com\/state-of-security\/\" target=\"_blank\" rel=\"noopener noreferrer\">The State of Security<\/a>)<\/li>\r\n<\/ul>\r\n<p><em><a title=\"Ralph Bach\" href=\"https:\/\/rbach.net\/index.php\/new-resume\/\" target=\"_blank\" rel=\"noopener noreferrer\">Ralph Bach<\/a>\u00a0has been in 
IT long enough to know better and has blogged from his\u00a0<a title=\"Bach Seat\" href=\"https:\/\/rbach.net\/\" target=\"_blank\" rel=\"noopener noreferrer\">Bach Seat<\/a> about IT, careers, and anything else that catches his attention since 2005. You can follow him on <a class=\"broken_link\" href=\"http:\/\/www.linkedin.com\/in\/rb48334\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">LinkedIn<\/a>,\u00a0<a href=\"https:\/\/www.facebook.com\/ralph.bach.14\" target=\"_blank\" rel=\"noopener noreferrer\">Facebook<\/a>,\u00a0and\u00a0<a href=\"https:\/\/twitter.com\/rbach48334\" target=\"_blank\" rel=\"noopener noreferrer\">Twitter<\/a>. Email the Bach Seat\u00a0<a href=\"mailto:\/\/bach.seat@gmail.com\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>.<\/em><\/p>\r\n<p><\/p>","protected":false},"excerpt":{"rendered":"<p>Only one third of firms use two-factor authentication 2FA despite the security benefits it provides to the firm and their customers.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[3397,2682,3495,3496,3419,2647,2213,949,4,3431,3430],"class_list":["post-115249","post","type-post","status-publish","format-standard","hentry","category-security","tag-3397","tag-2fa","tag-800-63b","tag-computer-economics","tag-covid-19","tag-mfa","tag-multi-factor-authentication","tag-nist","tag-security","tag-wfh","tag-work-from-home"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/115249","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rbach.net\/index.php\
/wp-json\/wp\/v2\/comments?post=115249"}],"version-history":[{"count":34,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/115249\/revisions"}],"predecessor-version":[{"id":130816,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/115249\/revisions\/130816"}],"wp:attachment":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/media?parent=115249"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/categories?post=115249"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/tags?post=115249"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}