Convenience and Security: The New Face of Two-Factor Authentication

Security may be part of an IT professional’s daily world, but these days consumers are just as concerned about protecting their privacy online. It’s no surprise that many businesses are trying to boost their brand image and differentiate themselves from their competitors by promising superior security. Yet there’s one security action that many of them could take and don’t: two-factor authentication.

We all know that online authentication issues can cost both businesses and consumers a high price through cyber attacks, online fraud and identity theft. Two-factor authentication has always been a strong solution in mitigating these attacks. By offering secure login, it protects company reputations and provides consumers with an added layer of security during online purchases, personal banking and other digital transactions.

Two Factor Authentication Challenges

So why aren’t more organizations implementing it? In a word: inconvenience. Businesses are afraid of annoying their buyers by demanding multiple passwords or asking them to take an extra action that might spur them into abandoning the sale. In a landscape where catering to customer wishes is a common business mantra, risking customer irritation seems dangerous. After all, this is the digital age where consumers expect everything to go faster and smoother and easier online, whether they’re checking email, watching a video or doing their holiday shopping.

Of course, it’s also the age of digital crime. Two-factor authentication might seem user-unfriendly at the outset, but ultimately it’s in the consumer’s best interest. Still, many organizations, including those with sensitive information to protect, hesitate to use it. I ran into this recently during a security discussion with a financial institution. When one of its top executives and I discussed ways to protect their customers online, I asked if the company used two-factor authentication. The executive shook his head and told me the business didn’t want to inflict that “inconvenience” on their customers.

It’s a classic quandary that many organizations find themselves in: they want to offer their customers the utmost in digital security, but worry that if they make that security too complicated or inconvenient, they won’t have customers to protect. Caught between the Scylla of risk and the Charybdis of inconvenience, these organizations have mostly chosen to forgo two-factor authentication and accept the risk on behalf of their customers.

Luckily there are some new innovations that are solving this very issue, including a unified two-factor authentication protocol in the works, and technologies that manage to sidestep the inconvenience issue.

Next Gen Authentication

It’s worth noting that two-factor authentication is required by PCI DSS for secure remote connectivity. This is understandable, when you consider the rising number of website and retailer breaches where the hackers obtain buyer addresses, credit card numbers and other highly sensitive information. But two-factor authentication isn’t just for eCommerce and financial institutions. As the digital health movement surges in popularity, it can be an excellent safeguard for patient Web-based apps as well.

In fact, two-factor authentication looks more and more like a smart security measure for pretty much any process that requires user authentication. There may be plenty of password-cracking tools on the market, but in theory, even a successful crack won’t get a hacker into an account – not with the second form of authentication stopping him. This is why two-factor authentication continues to be an ongoing quest for many innovative companies out there.

Take OAuth, a popular protocol that provides a reference architecture for universal strong authentication across all users and devices over all networks. There are also cloud-based tools that seamlessly integrate into existing application login workflows using a robust API that works with smartphones and multiple platforms.

Not all two-factor authentication tools are perfect, of course. SMS-based techniques, such as texting a code to reset a password, are compromised on a regular basis, whether through malware on the phone or other vectors. Ultimately hardware is the safest way to go, as seen in several clever two-factor solutions. For instance, with some tools, users log in with their usernames and passwords, then activate their second factor by pressing a button on a USB device, which quickly enters a one-time password that is usually only good for a matter of seconds. Each previous password is invalidated, so that even if a hacker records it, it’s worthless for all future access. Some of the hardware is engineered to work with NFC-enabled smartphones, allowing mobile security without the risk of traditional SMS two-factor authentication.

From cumbersome to convenient

It should be obvious by now that the face of two-factor authentication has changed. The days of burdensome multiple login steps and passwords are over. New two-factor technologies offer speed and convenience to users; brands can assure customer safety during online payments and activities without requesting additional action. In short, it’s the kind of layered security demanded in these attack-prone times. Let’s hope organizations will look beyond the more primitive two-factor offerings of the past, and embrace new technologies that can provide customers with the protection they deserve. 

Chris Hinkley is a Senior Security Engineer at Armor where he maintains and configures network security devices, and develops policies and procedures to secure customer servers and websites. Hinkley has been with Armor (previously FireHost) since the company’s inception. In his various roles within the organization, he’s serviced hundreds of customer servers, including Windows and Linux, and overseen the security of hosting environments to meet PCI, HIPAA and other compliance guidelines.