Got 2FA?

If anyone hoped all those hackers trying to get their hands on private information last year found a new calling in 2019 they’d be utterly disappointed. From the massive 773 million records exposed on the "Collection #1" breach (and even more in Collections #2-5), to airlines, credit card companies, and government entities all reporting incidents, the new year shows no sign of slowing the upward trend of security breaches. In Forcepoint’s 2019 Cybersecurity Predictions Report we predict that industry-wide “security trust ratings” will develop to assure that partners and supply chains can be trusted with sensitive information. Maturing to a security model that incorporates different factors of authentication is one way organizations can provide an extra layer of security around PII to help prevent data breaches and increase their security rating.

At their core, every security model has at least two very straightforward goals: to allow authorized entities to access shared data or resources all while preventing unauthorized entities from accessing said resources. There are three types of factors that allow identity authentication:

• Knowledge - something the user knows (password, PIN, shared secret)
• Ownership - something the user has (memory card, soft or hard token, RFID chip)
• Inherence - something the user is or does (fingerprint, voice, retinal pattern)

Many online applications –either by design or by user’s choice – and almost half of US companies protect access to information using only username-password verification. This might be easy to implement, but by itself this is also one of the most vulnerable methods. There are guidelines that describe strong password policies and there are tools that will even generate random strong passwords on demand, but based on their nature passwords are easy to forget, share, and reuse. In addition, with various levels of ease and compute power, both usernames and passwords are guessable. Because of the weaknesses of this single method many services and applications have been adopting two-factor authentication for their users.

Some applications offer SMS messages as an ownership factor authentication. This has the advantage of being practical and convenient since most users already have a phone that can receive messages. However, these messages can be intercepted. Another solution is using time-based one-time codes that are generated by a key on an app. These are not interceptable because the codes generated are a combination of a device-stored secret key and the current time; however, keys can be reproduced or can become compromised. There is also the option of using a U2F (Universal 2^nd Factor) key. These hardware keys provide a secure authentication method because they can’t be intercepted, redirected, or reproduced, and must be registered with approved sites/apps in order to work. The catch is that, despite their name, they are not yet universally supported and come at an added cost to users.

When it comes to adding security with inherence factors, fingerprints are the most common example. Other biometrical sensors like face recognition software and eye (retina/iris) scanners have also been making their way into commercial devices and mainstream scenarios. Inherence factors offer several benefits: they are naturally unique, can’t be forgotten or lost, and are harder to steal. Yet, as with any other factor, they are not perfect. Fingerprints can be faked, eye scanners can be tricked, and face recognition is still racially and gender biased. What’s more, biometrics are not replaceable; passwords can be changed, physical tokens can be swapped, but once a fingerprint or an iris scan has been compromised it will be forever compromised.

Private information is too valuable to be left protected by a single weak authentication method. While passwords are not the only method that is vulnerable, and in fact no single solution is failproof, adding a second (or multiple!) factor for authentication increases the security around sensitive data and critical resources by adding protection layers to the security model and having individual factors compensate for the vulnerabilities of the others. Cybercriminals are not going to stop trying to get to data; make sure you are making it harder for them to breach your privacy.