Two-factor authentication (2FA) has been about for much longer than you think, writes Steve Watts, co-founder of SecurEnvoy. For a decade or more we have been used to being issued with a card reader (in essence a hardware token device) to use with our bank card and Personal Identification Number (PIN) when looking to complete our internet banking transactions. 2FA technology has also, over the past year or so, been employed by seven of the ten largest social networking sites (including Facebook, Twitter and LinkedIn) as their authentication measure of choice.
Because of this, the use of the technology has become widespread in the consumer realm, with consumers well versed in how to use 2FA and the importance of it to keep their private data safe from prying eyes. So why can’t the same be said about the largest businesses? Surely the time is right for businesses to look at the user’s authentication method of choice?
2FA can be thought of as the holy grail of authentication because it meets the magic trinity needs of all stakeholders within the business:
• It is familiar and easy to use for end users within the organisation.
• It is easy to deploy for time-sapped IT Managers (i.e. users can seamlessly move their identity between devices without need for administrator assistance).
• It helps the board remain compliant with increasingly stringent regulatory requirements to keep sensitive data secure.
The need for employees to be able to log in to systems and business-critical applications remotely is growing as more staff work remotely, whether that is from a home office, a hotel lobby or accompanied by a skinny decaf sugar-free vanilla syrup latte in one of the seemingly never-ending array of coffee shops. This has become something that has kept even the calmest CIO up at night as they try to balance the requirements of remote workers with the challenge of authenticating users all over the world on a multitude of devices. Passwords are intrinsically and fatally flawed, but 2FA can provide a simple solution to keep sensitive corporate information secure – regardless of where it is accessed.
Boardrooms must now take the technology seriously. Seemingly every week there is a widespread data breach hitting news headlines. In fact, recent research among some 692 security professionals from both global businesses and government agencies found that almost half (47 per cent) have suffered a material security breach in the past two years. Many of these could have been averted through the implementation of 2FA. The technology is all things to all people, meaning users can have the same user name and password for numerous business apps, yet you won’t get into a TalkTalk-type scenario, as the second factor required for authentication is generally hashed, unknown and randomised for each login. With the Ponemon Institute now suggesting that the average cost of a data breach is an eye-watering £2.47 million ($3.79 million), the cost to the business of a data breach could be increasingly catastrophic and shouldn’t be ignored.
Time for 2FA
Using 2FA can help lower the number of cases of identity theft on the Internet, as well as phishing via email, because the criminal would need more than just the user’s name and password details. If the extra authentication layer is a one-time passcode, the criminal would often also need something the user themselves doesn’t know. Central to the growing popularity of 2FA is the fact that the technology provides assurance to businesses that only authorised users are able to gain access to critical information (whether it be customer records, financial data or valuable intellectual property). This helps them maintain compliance with a plethora of industry regulations such as PCI Data Security Standards, GCSx CoCo, HIPAA, or SOX.
Another core benefit of 2FA is that it is a key example of a technology that complements the prevalence of BYOD (bring your own device) rather than conflicts with it, as staff can use their existing smartphones for authentication input. This convenience of integrating the “something you have” of 2FA with something employees are already used to carrying is a benefit to users, while also removing the need for capital expenditure by the organisation. Also, by using devices staff are already familiar with, 2FA reduces potential training time. In summary, businesses empower employees with an easy-to-use solution that provides a consistent experience, drastically reducing login time and human error.
While 2FA empowers users, CIOs and IT decision makers also benefit from a flexible solution that can be hosted how, where and when they prefer. 2FA is built to suit any business, as it supports both on-premises and cloud hosting and management, making it a strong contender for any CIO changing their security systems. By using existing infrastructure, on-premises deployment is often convenient, swift and straightforward, while cloud services are appropriately supported by the 2FA provider. This gives decision makers full control and flexibility over the solution, which can be rolled out to departments and employees at their discretion.
The solution is in our pockets
We are constantly told that users are the weakest link in corporate security. Yet with 2FA becoming as ubiquitous as taking a selfie is for the modern masses, the information security technology seen by many as the holy grail of authentication could be the one that is literally already at the users’ fingertips. And with the number of mobile phones now exceeding the number of people on the planet, according to GSMA Intelligence, the input mechanism is, quite literally, in all our pockets.