Which factors are best to use in 2FA?
When designing a 2 Factor Authentication (2FA) or Multi Factor Authentication (MFA) system, the authentication strategy first and foremost should provide the best security benefits available. But, the developer should weigh security against the constraining elements of the costs of implementing and maintaining the system, users’ access convenience, and the functional fit of the organization’s needs. For example, creating a time factor is relatively inexpensive, as the developer can configure a system to have open and closed access times for users. But using the time factor may be inappropriate for an organization that operates 24/7. Therefore, the less desirable increased costs may be worth the access to convenience and functional fit improvements.
The most common factors used in 2FA are a combination of knowledge and biometric factors. These two factors are typically the least expensive to implement and provide a good security solution. However, using biometric factors does have drawbacks. Most biometric devices are some form of a physical scanner. Therefore, the user requiring access is required to access the scanner at a physical location. Thus, access adds an implicit additional location factor to the system. In some cases, this additional security (which is not independent of the biometric scanner) is a benefit, but in other situations, it is a nuisance. A system designed for remote access, for example, would be better served with a possession factor. Moreover, the most common scanners used for biometric access are for fingerprints. Unfortunately, people leave fingerprints everywhere, including on or near the scanners. Biometrics such as facial recognition can create access issues with users growing or shaving facial hair.
As a result of these and other issues, a combination of knowledge and possession factors are for 2FA are becoming more popular. Possession factors do not inherently add a location factor to the access requirements, which improves access convenience. For example, many financial institutions improve access security by creating single-use authentication codes. The system sends these codes to a user by phone or text, making the user’s telephone a possession factor. The additional benefit of this approach is that the cost of the actual possession factor (the phone) is borne by the user, rather than the organization, substantially reducing the cost of a 2FA system.
Trusted Device Authentication
One of the latest approaches to 2FA is the use of trusted device authentication. In this approach, a particular device, such as a smartphone, tablet, mobile PC or even a landline telephone, can become “trusted” after ensuring the device itself is properly secured. For example, a smartphone that requires a password or biometric scan to unlock. The user accesses the systems with their trusted device, using a procedure that is even simpler than the authentication code approach.
ETTE favors trusted device authentication using an application called Duo Security (Duo), For the user, Duo is an application that is loaded on to a smartphone. The application then reviews the security settings on the smartphone and verifies the smartphone has adequate security or requires adjustment. Duo cannot make changes to a smartphone’s settings, but it does monitor the phone’s settings and basic use to ensure the device remains trusted. Once the phone is adequately secured, it becomes trusted by Duo, and then operates as an easy to use authentication factor. In basic operation, there are no authorization codes to remember, just a single button push to confirm your identity, as indicated below:
For an organization implementing Duo, users without smartphones have alternative methods of access, such as pushing an authentication code to a trusted telephone number for a given user (cell phone and landlines) or a hardware token in the user’s possession.
The particular advantages of Duo are the low cost of both implementation and maintenance, and the ease of use for an organization’s users. Depending on your organization’s needs, ETTE can configure Duo to assist in trusted device tracking, endpoint protection, or combined with single sign-on technology to provide users with simple, but secure access. ETTE can help your organization implement Duo or other 2FA/MFA solutions at a price that is surprisingly affordable. Contact us for more information.
What is 2 Factor Authentication?
2 Factor authentication (2FA) refers to a more secure way to access a physical or virtual environment. Within the context of an IT environment, organizations use 2FA or Multi-factor authentication (MFA) as a more secure way for a user to access a system. As the name implies, 2FA depends on two different “authentication factors” or methods of proving the user seeking access is who they claim to be. Although there are more factors possible, most authentication factors fall into five broad categories:
- Knowledge factors are pieces of knowledge a user may have to obtain access, for example, a password, bank PIN code, or the correct answer to a challenge question when a user logs into a system.
- Possession factors are physical items a user may have in their possession to access a system or device, for example, a bank card, car key, cell phone or security token.
- Biometric factors, also called inherence factors, are something inherent to the specific user to grant access, the most common examples being fingerprints or voice prints. However, in high-security situations, advanced systems us keystroke patterns or gait recognition.
- Location factors can permit access only from specific devices, such as a desktop, or from a specific physical location, verified with GPS technology.
- Time factors allow users access to a system at only specific time periods, or through the use of an expiring code. For example, in online purchasing, a company can provide an expiring code to authenticate a discount.
In a proper 2FA system, the authentication factors should come from more than one category, and be independent from each other. For example, access to a system that requires both a password and the correct response to a challenge question is not a 2FA system. Although, such a system provides more security than a password-only access system. Similarly, a system that requires a password to access a physical container that holds a security token is not considered 2FA because the factors are not independent. The possession factor is dependent on the knowledge factor.