Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cloud Security

Convenience and Security: The New Face of Two-Factor Authentication

Security may be part of an IT professional’s daily world, but these days consumers are just as concerned about protecting their privacy online. It’s no surprise that many businesses are trying to boost their brand image and differentiate themselves from their competitors by promising superior security.

Security may be part of an IT professional’s daily world, but these days consumers are just as concerned about protecting their privacy online. It’s no surprise that many businesses are trying to boost their brand image and differentiate themselves from their competitors by promising superior security. Yet there’s one security action that many of them could take and don’t: two-factor authentication.

We all know that online authentication issues can cost both businesses and consumers a high price through cyber attacks, online fraud and identity theft. Two-factor authentication has always been a strong solution in mitigating these attacks. By offering secure login, it protects company reputations and provides consumers with an added layer of security during online purchases, personal banking and other digital transactions.

Two Factor Authentication ChallengesSo why aren’t more organizations implementing it? In a word: inconvenience. Businesses are afraid of annoying their buyers by demanding multiple passwords or asking them to take an extra action that might spur them into abandoning the sale. In a landscape where catering to customer wishes is a common business mantra, risking customer irritation seems dangerous. After all, this is the digital age where consumers expect everything to go faster and smoother and easier online, whether they’re checking email, watching a video or doing their holiday shopping.

Of course, it’s also the age of digital crime. Two-factor authentication might seem user unfriendly at the outset, but ultimately it’s in the consumer’s best interest. Still many organizations, including those with sensitive information to protect, hesitate to use it. I ran into this recently during a security discussion with a financial institution. When one of its top executives and I discussed ways to protect their customers online, I asked if the company used two-factor authentication. The executive shook his head and told me the business didn’t want to inflict that “inconvenience” on their customers.

It’s a classic quandary that many organizations find themselves in: they want to offer their customers the utmost in digital security, but worry that if they make that security too complicated or inconvenient, they won’t have customers to protect. Caught between the Scylla of risk and the Charybdis of inconvenience, these organizations have mostly chosen to forgo two-factor authentication and accept the risk on behalf of their customers.

Luckily there are some new innovations that are solving this very issue, including a unified two-factor authentication protocol in the works, and technologies that manage to sidestep the inconvenience issue.

Next Gen Authentication

It’s worth noting that two-factor authentication is required by PCI DSS for secure remote connectivity. This is understandable, when you consider the rising number of website and retailer breaches where the hackers obtain buyer addresses, credit card numbers and other highly sensitive information. But two-factor authentication isn’t just for eCommerce and financial institutions. As the digital health movement surges in popularity, it can be an excellent safeguard for patient Web-based apps as well.

In fact, two-factor authentication looks more and more like a smart security measure for pretty much any process that requires user authentication. There may be plenty of password-cracking tools on the market, but in theory, even a successful crack won’t get a hacker into an account – not with the second form of authentication stopping him. This is why two-factor authentication continues to be an ongoing quest for many innovative companies out there.

Advertisement. Scroll to continue reading.

Take OAuth, a popular protocol that provides a reference architecture for universal strong authentication across all users and devices over all networks. There are also cloud-based tools that seamlessly integrate into existing application login workflows using a robust API that works with smartphones and multiple platforms.

Not all two-factor authentication tools are perfect, of course. SMS-based techniques such as texting to reset passwords are compromised on a regular basis, either through malware on the phone or other vectors. Ultimately hardware is the safest way to go, as seen in several clever two-factor solutions. For instance with some tools, users log in with their usernames and passwords, then activate their second factor by pressing a button on a USB device, which quickly enters a one-time password that is usually only good for a matter of seconds. Each previous password is invalidated, so that even if a hacker records it, it’s worthless for all future access. Some of the hardware is engineered to work with NFC-enabled smart phones, allowing mobile security without the risk of traditional SMS two-factor authentication.

From cumbersome to convenient

It should be obvious by now that the face of two-factor authentication has changed. The days of burdensome multiple login steps and passwords are over. New two-factor technologies offer speed and convenience to users; brands can assure customer safety during online payments and activities without requesting additional action. In short, it’s the kind of layered security demanded in these attack-prone times. Let’s hope organizations will look beyond the more primitive two-factor offerings of the past, and embrace new technologies that can provide customers with the protection they deserve. 

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

CISO Conversations

SecurityWeek talks to Billy Spears, CISO at Teradata (a multi-cloud analytics provider), and Lea Kissner, CISO at cloud security firm Lacework.

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to Outlook.com and Exchange Online.

CISO Strategy

Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop.

Compliance

Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

Funding/M&A

The private equity firm merges the newly acquired ForgeRock with Ping Identity, combining two of the biggest names in enterprise IAM market.