Two Factor Authentication Is Where The Future Lies
It has been an eventful few days for identity and authentication, and for Two Factor Authentication in particular.
David Benioff, showrunner of the wildly popular television series Game of Thrones, is said to have asked cast members to set up Two Factor Authentication (2FA) on their email accounts. That’s because cast members no longer get paper scripts in their hands; to prevent accidental leaks or outright theft, scripts now go out by email. 2FA makes sure that a stolen or guessed password alone is not enough to get into the mailbox where those scripts sit.
That’s a pretty smart thing to do considering the kind of hysteria that surrounds the show. If you’re not a big Game of Thrones fan, the takeaway from this story is the 2FA part. David Benioff would contend that once a cast member is emailed the script, his or her mailbox, by virtue of holding the script material, becomes a high value account. A lot of people would agree with that. But an important question here is: how does one decide whether an account is a high value account? Not just mailboxes but any type of account, for instance an account on a ticket booking website. Making that decision is a pretty subjective thing. Only some accounts, such as online banking accounts, look high value at face value, but a lot can be unscrupulously exploited even out of seemingly low value accounts: a mailbox receives the password reset links for every other service its owner uses, and a booking account holds a name, travel dates and often a stored card. Think about the recent Google Docs phishing attack, which tricked a lot of users. Sure enough, it was a big deal, and Google is reportedly changing how it assesses risk in response.
Simple Passwords Not Secure Enough
The point we are trying to hammer home is that the password, even a complex one, isn’t enough anymore. Romantics might love the password considering how well and how long it has served as a security mechanism. But attackers are quite easily and successfully figuring out how to beat the old guard, which is why we are seeing an alarming increase in the number and scale of attacks. Very recently, a hacker group claimed to have access to more than 250 million Apple iCloud accounts. At the time of writing, a large scale ransomware attack dubbed ‘WannaCry’ had infected systems across 150 countries. Of course, this latest attack spreads by exploiting a vulnerability in unpatched Windows systems rather than by stealing credentials, but who’s to say a similarly bold attack can’t be mounted on web accounts? It has happened before and will happen again. If an attacker steals your username and password, he could hold you to ransom.
The password alone is no longer a strong enough security mechanism, and more cyber attacks are coming. The case of the password is a curious one in a world where technology is upgraded at regular intervals. The password has stood the test of time and now it resembles an older player past his prime who has been outsmarted by younger ones. The only issue here is that the younger players are the cyber attackers rather than a replacement mechanism for the password. In fact, getting past passwords doesn’t require advanced skills or technology. The FBI says, “Cyber criminals—sometimes using the least sophisticated means necessary (i.e., password guessing, defeating security questions, social engineering, and technical devices such as keyloggers)—obtain passwords more often than you think.”
And yet, passwords alone continue to be used as the most common authentication method.
Two Factor Authentication Is No Longer Just an Additional Security Layer
Considering the glaring chinks in the password’s armour, Two Factor Authentication has turned out to be an extremely potent layer of additional security. To be honest, that line is quite old. By now we should be saying that 2FA is in prevalent use as a security measure against cyber attacks. But no. We are repeating the same line about 2FA because adoption is still quite low. According to a joint University of Maryland and Johns Hopkins University study, only 25% of the survey subjects used 2FA across all devices and services, while 45% used 2FA on some services or devices. Of those, 62% did so because it was mandatory. Only about 28% of those who partially used Two Factor Authentication said they did so because the services they were using were important to them and they wanted to better secure them.
So the number of people using 2FA because they should is still small. Unfortunately, technology adoption sometimes lags painfully behind the technology itself. That is the case with Two Factor Authentication.
The world is really crowded today. The Web is expanding faster than the universe, and people have to maintain tens of different accounts on different websites and mobile apps in addition to their usual work and personal email, social accounts, bank accounts, utilities accounts and so on. They don’t voluntarily ask for Two Factor Authentication or use it unless mandated to, because they don’t have the time to think about security and the implications of a lack of it. They just want to log in as fast as possible without having to labour through, get the job done and log out. They don’t think about the repercussions of their personal information being leaked or how it could happen from a particular service or website. It’s not that they don’t care; it’s that they can’t be expected to be any different when they are dealing with so many entities on the Web. It’s up to the service provider to think about security and usability. A lot of businesses think adding 2FA to the authentication process would make it longer and rougher, but it doesn’t have to be.
Not having 2FA is not the solution. The solution is to use it in the best way possible, because 2FA is no longer a nice-to-have. In a world where cyber attacks are becoming bolder, larger in scale and more frequent, 2FA is the security feature that businesses should ensure their customers use.
The Case for 2FA as a Single Authentication Mechanism
Would David Benioff agree with an email service using the Two Factor Authentication mechanism minus the password? Well, we can’t say for sure, but it does seem like a logical proposition, doesn’t it? Something like a passwordless authentication mechanism. It’s not entirely new. Microsoft is doing it: once you enter the username, Microsoft sends a notification to the linked mobile device asking you to approve the sign-in, and a positive response logs you in. An alternative approach (the one we have taken) is to send a temporary, single-use link to the email address or a one-time password (OTP) to the linked mobile device. No passwords required.
Let’s consider the merits of a passwordless login scenario.
- Customers don’t have to set or remember complex passwords.
- The UX is fast and convenient with minimal typing and memory effort required.
- Accounts can’t be broken into by password guessing or by defeating security questions, two of the usual techniques detailed by the FBI. Phishing and social engineering are still possible, which is why a link or OTP must be short-lived and single use.
- No drop in security levels, provided the link or OTP is unguessable, expires within minutes and can be used only once. The account is then only as secure as the linked mailbox or phone, so that device needs protecting in its own right.
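As an added example (not the original post’s code nor any vendor’s implementation), here is the server side of the magic link or OTP flow described above, written to back up the merits in the list: the token is random, stored only as a keyed hash, expires after a few minutes, can be used exactly once and, because a six-digit OTP has only a million possible values, can be guessed only a handful of times. The in-memory store, the PasswordlessLogin class and the TTL and attempt limits are assumptions for the illustration; a real deployment would keep pending logins in a database and deliver the token by email or SMS.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

TOKEN_TTL_SECONDS = 300   # assumed: a link or OTP is dead after five minutes
MAX_OTP_ATTEMPTS = 5      # assumed: cap guesses, since a 6-digit OTP has only 10**6 values


@dataclass
class PendingLogin:
    token_hash: bytes     # keyed hash of the token, never the token itself
    expires_at: float
    attempts: int = 0


class PasswordlessLogin:
    """Issues and verifies single-use login tokens (hypothetical in-memory store)."""

    def __init__(self, server_secret: bytes, clock: Callable[[], float] = time.time):
        self._secret = server_secret
        self._pending: Dict[str, PendingLogin] = {}
        self._clock = clock   # injectable so expiry can be tested without sleeping

    def _hash(self, username: str, token: str) -> bytes:
        # HMAC with a server-side key: a dump of the pending table yields nothing usable
        msg = f"{username}\0{token}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def _store(self, username: str, token: str) -> None:
        # issuing a new token silently invalidates any earlier one for the same user
        self._pending[username] = PendingLogin(
            token_hash=self._hash(username, token),
            expires_at=self._clock() + TOKEN_TTL_SECONDS,
        )

    def issue_link_token(self, username: str) -> str:
        """Token to embed in an emailed link: 32 random bytes, URL-safe."""
        token = secrets.token_urlsafe(32)
        self._store(username, token)
        return token

    def issue_otp(self, username: str) -> str:
        """Six-digit code to send to the linked phone; short, so attempts are capped."""
        otp = f"{secrets.randbelow(10 ** 6):06d}"
        self._store(username, otp)
        return otp

    def verify(self, username: str, presented: str) -> bool:
        """True exactly once per issued token, and only before it expires."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        if self._clock() > entry.expires_at:
            del self._pending[username]           # expired: discard, user must request anew
            return False
        entry.attempts += 1
        if entry.attempts > MAX_OTP_ATTEMPTS:
            del self._pending[username]           # too many guesses: burn the token
            return False
        ok = hmac.compare_digest(entry.token_hash, self._hash(username, presented))
        if ok:
            del self._pending[username]           # single use: a replayed link or OTP fails
        return ok


if __name__ == "__main__":
    svc = PasswordlessLogin(secrets.token_bytes(32))
    code = svc.issue_otp("cast.member@example.com")   # would be sent by SMS in practice
    print("first use accepted:", svc.verify("cast.member@example.com", code))
    print("replay accepted:", svc.verify("cast.member@example.com", code))
```

The comparison is constant-time and the stored value is an HMAC rather than the raw token, so neither a timing leak nor a leaked table lets an attacker recover a live token. Note that an unknown username returns early; if username enumeration matters, run the hash and comparison against a dummy entry so the timing is uniform.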
Customer facing technology must balance usability with security. Passwordless technology does exactly that: it vastly improves usability for end users without compromising security. Even Google has plans to bring passwordless authentication to mobile apps. Of course, Google wants to use trust scores and users’ behavioral patterns to log them in, but the thinking is the same: get rid of passwords once and for all. The fact that both Microsoft and Google are devoting resources in this direction shows where the future lies. We just have to go and embrace it. Game of Thrones premieres this July, by the way.