Two Factor Authentication

According to Wikipedia, Two-factor authentication (TFA, T-FA or 2FA) is an approach to authentication which requires the presentation of two or more of the three authentication factors: a knowledge factor ("something the user knows"), a possession factor ("something the user has") and an inherent factor ("something the user is").

As organizations of every type are more concerned with security of their networks, they are increasingly turning to enhancing the normal user name and password credentials with an additional strong authentication method.  Banking has used this concept for years with the ATM card – you must have the physical card and a PIN.  Laptop manufactures have been providing optional fingerprint readers for years as well.  The question is how can two factor authentication provide extra security to an organization while not requiring a large capital outlay.   Two options are becoming commonplace.

Password Resets
The concept of using challenge questions –what’s your mother maiden name, where you born, etc. - has been around for many years. Banking websites are the most common example of this concept. Forget your password and successfully answer the challenge questions to reset your password. With the advent of smart phones and text messaging, many companies have already added a second factor – a one-time use PIN code delivered via email or SMS must be provided in addition to the answers. Many vendors are producing products with identical functionality for the corporate network as well.  The first iterations of these solutions relied on the challenge questions exclusively to allow password resets. As social engineering concerns have come in to play, vendors have been quick to add 2FA to these solutions as well. The delivery of a PIN via text messaging to the user’s cell phone number on file insures the reset is being performed by the actual user.

Another benefit of these challenge questions is that they can be utilized by the helpdesk to positively identity a caller. When an employee phones the helpdesk requesting access to a new applications or being added to a share or distribution group, the helpdesk can access the questions and masked answers. For example, the answer to what color is your car could display as X_XX_ and the caller would be asked to provide the 2nd and 5th characters. If the correct characters are provided, it insures the caller’s identity.  By masking the answers, the helpdesk employees are never exposed to the condfintial answers.  A 2nd factor of authentication – delivering a PIN to an email or via SMS – can further enhance the security.  The number of questions /answer to be provided can be dictated by company policy.

SSO with Strong Authentication
Many technology leaders acknowledge the benefits associated with an SSO solution – productivity gains reducing the number of required credentials to from many to one and reducing calls to the helpdesk for forgotten password.  A common concern is that if the one set of credentials is hacked, access to all systems can be exposed. In this case, 2FA can eliminate this perceived risk. In this scenario, the end user present their ID page ("something the user has") to a reader attached to the machine, enters his or her credentials ("something the user has") and then as an extra layer of protection, enters a PIN code when accessing highly sensitive systems.  It is also feasible that the ID badge replaces the credentials and the PIN becomes the second factor.

Summary
Two Factor authentication has caught on rapidly in the Business to Consumer arena. Functionality such as self-password reset was originally implemented to reduce call volume and security of this functionality has been strengthened in response to identity theft and social engineering.  Use of secondary identification methods are now widely available to businesses interested in providing the same secure functionality to employees.


For more information, please visit our website to learn more on password resets with 2FA and strong authentication.