Not all two-factor authentication methods are the same
March 4, 2014

To deal with the rising tide of cyberbreaches, password theft and other acts of online fraud, many organizations are instituting more stringent authentication methods to keep unwanted parties out of user accounts. The days of a single password protecting someone on the Internet are passing, leading many groups to implement two-factor authentication. These methods typically rely on a password and another identifier to verify someone's identity. This is intended to thwart hackers, and the measure does provide more protection by supplementing the string of numbers and letters that otherwise keeps out uninvited guests. 

However, some forms of two-factor authentication still have their risks, as Government Technology recently highlighted. In some cases, the second factor amounts to nothing more than a security question or, for networks like Facebook, identifying someone from a photo. These additional steps can readily be investigated and answered by someone intent on breaking into an account. Someone browsing the would-be victim's friend list might see who the person in the photo is, while the answers to security questions might be discovered by searching the Internet. Discovering a school mascot or the maiden name of a user's mother isn't particularly difficult. 

By contrast, organizations that send a text message with a code to an account holder's cell phone are less vulnerable to online research. Without access to the phone, hackers will have some difficulty breaking in. Notably, this method still has its vulnerabilities. Man-in-the-middle attacks that copy a website can capture the verification codes entered into them just as readily as passwords. Meanwhile, a stolen phone can potentially let the thief illegitimately gain entry to someone's information, though a password could prevent this. In these cases, though, a more concerted effort is necessary to overcome the safeguards against fraud. 

"Two-factor authentication is nothing new, but using a device such as your cellphone via SMS or an automated call is getting more traction," said Timothy Maliyil, CEO of AlertBoot, to Government Technology. "The belief is that a thief is unlikely to have both your password and your cellphone, so sending a one-time authentication passcode to your mobile phone via voice or SMS text message creates that second factor of authentication."
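The SMS passcode flow described above, written out as an added example (not code from the article, Government Technology or AlertBoot): a random six-digit code is generated server-side, sent out of band, kept only as a keyed hash, and accepted once within a short lifetime. The policy values (five-minute lifetime, three attempts) and the class and function names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy values for this example; they are not taken from the article.
CODE_TTL_SECONDS = 300   # a code is valid for five minutes
MAX_ATTEMPTS = 3         # after three wrong guesses the code is discarded


class ManualClock:
    """Clock that only advances when told to, so expiry can be demonstrated."""

    def __init__(self, start: float = 1_000_000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now


class SmsOtpService:
    """Issues and verifies one-time passcodes of the kind the article describes:
    a random code delivered to the user's phone, valid briefly, usable once.
    The code proves possession of the phone; it says nothing about which
    website the user typed it into, which is why a look-alike site relaying
    a freshly captured code within the window is indistinguishable from the
    real user (the man-in-the-middle weakness noted above)."""

    def __init__(self, clock=time.time) -> None:
        self._clock = clock
        self._key = secrets.token_bytes(32)   # server-side secret for hashing codes
        self._pending = {}                     # user -> [code_hash, expires_at, failures]

    def _digest(self, user: str, code: str) -> bytes:
        # Keyed hash so a leaked table does not reveal live codes.
        return hmac.new(self._key, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user: str) -> str:
        """Create a fresh code for `user`, replacing any outstanding one.
        The returned code goes to the SMS or voice gateway only; it must
        never be sent back to the web session that requested it."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[user] = [self._digest(user, code),
                               self._clock() + CODE_TTL_SECONDS, 0]
        return code

    def verify(self, user: str, code: str) -> bool:
        """Return True exactly once for the correct code inside its lifetime."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        code_hash, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[user]            # expired: forget it
            return False
        if hmac.compare_digest(code_hash, self._digest(user, code)):
            del self._pending[user]            # single use: a replayed code fails
            return True
        entry[2] += 1
        if entry[2] >= MAX_ATTEMPTS:
            del self._pending[user]            # stop online guessing of the six digits
        return False


if __name__ == "__main__":
    clock = ManualClock()
    svc = SmsOtpService(clock=clock)
    code = svc.issue("alice")                  # in production: hand to the SMS gateway
    print("first use accepted:", svc.verify("alice", code))
    print("replay accepted:", svc.verify("alice", code))
    code = svc.issue("alice")
    clock.now += CODE_TTL_SECONDS + 1
    print("expired code accepted:", svc.verify("alice", code))
```

Keeping the code short-lived and single-use limits what a captured or guessed code is worth, but, as the article points out, it does not stop a convincing copy of the site from forwarding the code in real time; that risk is addressed by the login page's own defences (such as TLS and checking the address bar), not by the passcode itself.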

A step in the right direction
Two-factor authentication that includes smartphones during the verification process may be the way to go, though. Part of the advantage of passwords is that they can be used anywhere, whereas forms of identity recognition that rely on additional devices, cards or other items need the object to be available at all times, and may not be usable online. Meanwhile, smartphones are practically always with their owners, which avoids the issue of carrying additional credentials. 

Keeping an easy-to-use recognition process is still important, even for two-factor authentication. Government Technology cited Theodore Claypoole, a senior partner at Womble Carlyle, who explained some of the problems facing protective measures like biometrics. He noted that consumers are opposed to "hassles and headaches," and biometric security's chance of producing a false negative could lead to customer complaints in the waiting line at a store. The same concept applies across all safeguards, which must be reliable if they are to be convenient. 

Passwords alone may be slowly fading from use. But as organizations turn to two-factor authentication to reduce fraud, they should recognize that some methods are superior to others. Information-based credentials are unreliable, but accounts that use smartphones to help log in are much harder to fool or break into.