Friday, October 19, 2012

Two Factor Authentication

According to Wikipedia, Two-factor authentication (TFA, T-FA or 2FA) is an approach to authentication which requires the presentation of two or more of the three authentication factors: a knowledge factor ("something the user knows"), a possession factor ("something the user has") and an inherent factor ("something the user is").

As organizations of every type become more concerned with the security of their networks, they are increasingly turning to enhancing the normal user name and password credentials with an additional strong authentication method. Banking has used this concept for years with the ATM card: you must have the physical card and a PIN. Laptop manufacturers have been providing optional fingerprint readers for years as well. The question is how two-factor authentication can provide extra security to an organization without requiring a large capital outlay. Two options are becoming commonplace.

Password Resets
The concept of using challenge questions (what's your mother's maiden name, where were you born, etc.) has been around for many years. Banking websites are the most common example of this concept: forget your password, successfully answer the challenge questions, and reset your password. With the advent of smart phones and text messaging, many companies have already added a second factor: a one-time-use PIN code delivered via email or SMS must be provided in addition to the answers. Many vendors are producing products with identical functionality for the corporate network as well. The first iterations of these solutions relied on the challenge questions exclusively to allow password resets. As social engineering concerns have come into play, vendors have been quick to add 2FA to these solutions as well. The delivery of a PIN via text message to the user's cell phone number on file ensures the reset is being performed by the actual user.

Another benefit of these challenge questions is that they can be utilized by the helpdesk to positively identify a caller. When an employee phones the helpdesk requesting access to a new application or to be added to a share or distribution group, the helpdesk can access the questions and masked answers. For example, the answer to "what color is your car" could display as X_XX_ and the caller would be asked to provide the 2nd and 5th characters. If the correct characters are provided, this confirms the caller's identity. By masking the answers, the helpdesk employees are never exposed to the confidential answers. A second factor of authentication, delivering a PIN to an email address or via SMS, can further enhance the security. The number of questions and answers to be provided can be dictated by company policy.
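The masked-answer check described above, as an added example that is not code from the post or from any vendor product it mentions: a verification service holds the stored answer, hands the helpdesk screen only the mask (an `X` per hidden character, `_` at the positions the caller must supply) and the positions to ask for, then compares the caller's characters in constant time with a small attempt budget so the answer cannot be enumerated one position at a time. The class name, the `black` sample answer and the attempt limit are constructed for this illustration.

```python
import hmac
import secrets


class PartialAnswerVerifier:
    """Constructed example: verifies only selected characters of a challenge answer."""

    def __init__(self, answer: str, positions_to_ask: int = 2, max_attempts: int = 3):
        # Normalise so "Black" and "black " are treated as the same answer.
        self._answer = answer.strip().lower()
        self._ask = positions_to_ask
        self._attempts_left = max_attempts

    @staticmethod
    def build_mask(length: int, positions: list[int]) -> str:
        """Mask shown to the helpdesk: '_' where the caller must supply a character
        (1-based positions), 'X' everywhere else. For "black" and [2, 5] -> "X_XX_"."""
        return "".join("_" if i in positions else "X" for i in range(1, length + 1))

    def challenge(self) -> tuple[str, list[int]]:
        """Pick random positions (CSPRNG) and return (mask, positions) for the helpdesk."""
        n = len(self._answer)
        positions = sorted(secrets.SystemRandom().sample(range(1, n + 1), min(self._ask, n)))
        return self.build_mask(n, positions), positions

    def verify(self, positions: list[int], supplied: str) -> bool:
        """Compare the caller's characters against the requested positions only.
        Refuses once the attempt budget is spent, so a wrong guess cannot be retried
        indefinitely position by position."""
        if self._attempts_left <= 0:
            return False
        self._attempts_left -= 1
        expected = "".join(self._answer[p - 1] for p in positions)
        provided = supplied.strip().lower()
        # Constant-time comparison; the helpdesk agent never receives `expected`.
        return hmac.compare_digest(expected.encode(), provided.encode())
```

The full answer stays inside the verifier, so the helpdesk tool only ever needs the mask, the positions and the yes/no result.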

SSO with Strong Authentication

Many technology leaders acknowledge the benefits associated with an SSO solution: productivity gains from reducing the number of required credentials from many to one, and fewer calls to the helpdesk for forgotten passwords. A common concern is that if the one set of credentials is hacked, access to all systems can be exposed. In this case, 2FA can eliminate this perceived risk. In this scenario, the end user presents their ID badge ("something the user has") to a reader attached to the machine, enters his or her credentials ("something the user knows") and then, as an extra layer of protection, enters a PIN code when accessing highly sensitive systems. It is also feasible that the ID badge replaces the credentials and the PIN becomes the second factor.

Summary
Two-factor authentication has caught on rapidly in the business-to-consumer arena. Functionality such as self-service password reset was originally implemented to reduce call volume, and the security of this functionality has been strengthened in response to identity theft and social engineering. Secondary identification methods are now widely available to businesses interested in providing the same secure functionality to employees.


For more information, please visit our website to learn more on password resets with 2FA and strong authentication.

1 comment:

  1. I use Two-Factor Authentication across a lot of my accounts. I feel a lot more secure when I can telesign into my account. If you have that option available to you, use it; it is worth the time and effort to have the confidence that your account won't get hacked and your sites are not up for grabs. If you opt into 2FA, you will have to "Confirm your phone". You would receive a text message with a specific code to be entered into the system. If you don't want to do this every single time, you can designate your smartphone, PC, or tablet as a trusted device and they will allow you to telesign in without the text code. Should an attempt to log in from an unrecognized device happen, it would not be allowed.