Why is two-factor authentication not the best bet for your business? asks Amir Nooriala, Chief Commercial Officer at the authentication product company Callsign.
Every organisation is unique, which is why when it comes to digital authentication there is no “one size fits all”. Before deciding on which authentication solutions to use for your business, it is important to understand the strengths and weaknesses of the technologies you could implement across the organisation and then make an informed decision.
Two-factor authentication (2FA) is a good example of a process quickly adopted and held as good practice across industries. Its role is to add an additional layer of security to the authentication process, however there are vulnerabilities to this method. It was right for its time, but fraudsters have exposed its weaknesses and organisations need to move on from 2FA so they can get their control back.
2FA does not effectively secure identity. If bad actors can prove they have factors of a user’s account, such as knowledge (a user’s login details) or possession (by seizing control of a device with malware), then they can freely access the accounts and data of that user – and this is what happens when intelligence isn’t layered successfully.
Customers rightfully expect impeccable data responsibility, along with solutions that are fluid, intuitive, and inherently secure. And if an organisation can’t deliver on these expectations, customers will move on to one that does.
Put simply, 2FA is not the right authentication approach for organisations to build digital trust with consumers. Instead, they need to consider the importance of layering intelligence and creating solutions with multi-factor authentication, so consumers are effectively protected.
Possession
Possession is where things begin to break. Unfortunately, the 2FA method includes outdated possession factors because devices can be compromised, and tokens can be stolen with bad actors increasingly using software simulations to bypass conventional security or deliver malware directly to devices.
To prove possession in 2FA we have become heavily reliant on SMS one-time passwords (OTPs) to identify ourselves online, and as a result, we are seeing a rise in SIM swap fraud. Once a bad actor has a user’s personal information, they contact their mobile network provider posing as the user to divert the victim’s calls and SMS messages to their own phone, giving the fraudster an easy way to falsely identify themselves as genuine.
Another form of possession is device fingerprinting, where attributes of a device are combined – such as its operating system, the type of web browser being used, and its IP address – to uniquely identify it. Device fingerprinting can be seen as a more reliable possession factor because users are not likely to change operating systems or reset their IP addresses, meaning it provides organisations with a consistent authentication method.
However, while it is more reliable, organisations still need to consider that a single possession factor won’t stop fraudsters. These methods need to be layered, by using multi-factor authentication (MFA), to ensure solutions are robust and consumers are being given the protection they need and deserve.
Knowledge
Passwords and PINs are still the most common authenticators used by many organisations. But they’re easily compromised and can be obtained via social engineering.
It’s also no secret that most people re-use their passwords across multiple accounts. When log-in credentials become public knowledge through all-too-common data breaches, bad actors can harvest them and use bots to stuff them into every login screen they can find – with an alarming success rate.
But passwords and PINs can still play a role, as long as organisations are layering intelligence with other forms of authentication, because the more layers of security, the harder (and more expensive) it is for the fraudster to replicate. Whilst we at Callsign can offer traditional knowledge-based authenticators such as PIN and password, we always recommend layering these with inherence-based attributes such as keystroke dynamics to guarantee the appropriate level of protection.
How can we solve these problems?
Fraudsters have numerous ways of obtaining the information needed to bypass the 2FA authentication security process. Whether it’s purchasing from the dark web, using email phishing methods, or stalking users on social media to find hints from their personal life.
However, by considering the third vital authentication factor – inherence – organisations can make sure they are implementing MFA and layering intelligence to create secure solutions for consumers, all without adding (and often removing) friction from current processes. More advanced muscle memory inherence factors also ensure organisations are considering privacy by design principles, which is not about surveillance but rather capturing enough data to let genuine users access online services.
In order to prevent bad actors from accessing data, it is crucial for organisations to adopt technology that positively identifies the genuine user, a method that preserves privacy whilst providing unmatched security. This is achieved by analysing not what a user types, but the way they swipe, the way they type, and even how they hold their device/move a mouse.
And herein lies the solution – layering intelligence, such as inherence over knowledge and possession factors, and then combining them with threat intelligence and devices. This enables organisations to implement a secure and frictionless authentication experience for genuine users – and create a genuine headache for fraudsters.
