
Hackers are relentlessly trying to crack your systems and steal your data. And the penalties for losing customer data recently rose with the introduction of the General Data Protection Regulation (GDPR). Companies can now be fined enormous sums for not taking adequate care of sensitive data.

With this in mind, what is the most secure authentication method?

2FA or MFA?
Two-factor authentication typically involves supplementing a traditional password with a second authentication factor. When people refer to multi-factor authentication they usually mean using three factors – although technically 2FA is MFA, because ‘multi’ just means more than one.

For the sake of this article, we’ll define MFA as using a flexible approach to authentication that relies on more than two factors.

Passwords

Before we delve deeper into the different authentication methods, it’s worth establishing the numerous problems with passwords.

Passwords are:

  • Easy to guess or crack
  • Reliant on users to choose wisely
  • Frequently lost or shared
  • Portable
  • Difficult to remember and retain

Given these weaknesses, it’s not surprising that many organisations add a second or third factor. Interestingly, the World Wide Web Consortium is devoting resources to finding alternatives to passwords for website and web application users. It won’t be long before we can all forget our passwords, forever.

One-time password via SMS
A few recent data breaches and cybercrimes have relied on taking over victims' phones, or on using social engineering to convince people to hand over one-time passwords (OTPs) that are sent by SMS.

Using SMS to send OTP was already recognised as a flawed approach, but these recent crimes have accelerated efforts to move away from SMS. The trouble for some organisations is that changing security approaches is rarely a straightforward procedure. It takes time to select an appropriate alternative and to shift hundreds, thousands or millions of users to a new setup. And while SMS is not perfect, it is still better than using just passwords for authentication.

Security token
After the recent spate of SMS hacks, attention has turned to alternative security factors.
Physical security keys have received a lot of attention, particularly after it was revealed that Google gave all their 85,000 employees USB security keys. A Google spokesperson revealed that the physical second-factor approach had improved security: “We have had no reported or confirmed account takeovers since implementing security keys at Google.”

While they are certainly secure, USB security keys are costly to roll out and maintain. And every time an employee loses their key, they will be locked out of their essential applications. Any organisation that turns to physical security tokens will require a dependable system for issuing replacements rapidly – or circumventing the system when users can’t access replacements (such as while travelling).

Biometric
The advantage of biometric factors is that we rarely lose our voice, iris or fingerprint. But that's not to say that using biometric information to authenticate users is perfect. There are numerous examples of hackers spoofing users' credentials with recordings, moulds and models.

Multi-factor authentication is the winner – for now
While no authentication method is perfect, it’s clear that using a variety of factors provides the best hope of deterring hackers. After all, most thieves want an easy target and a large pay-out. If you can reduce the potential gains available to hackers, while also creating a complex, layered security system, then you may encourage thieves to look for a softer target.